SUNY Plattsburgh
Identity Theft Prevention Program Policy

Approved by Executive Council 7/7/09

 Purpose
 
This Identity Theft Prevention Program ("Program") was developed pursuant to a SUNY policy adopted by the Board of Trustees on May 12, 2009 in order to comply with the Federal Trade Commission's Red Flags Rule (16 CFR 681.2). The purpose of this Program is to prevent frauds committed by the misuse of identifying information (i.e. identity theft). 
 
Persons Affected
All Plattsburgh State staff members designated as Information Stewards or Responsible Staff.
 
Policy
 
The Program will identify accounts maintained by the College which may be susceptible to fraud (hereinafter "Covered Accounts").
Student Accounts
Student/Faculty E-mail Accounts
Financial Aid Accounts
Banner Accounts
Student Record Accounts
Student BannerWeb Accounts
Personnel Records
Patient Accounts 
Alzheimer’s Disease Assistance Center
Neuropsychology Clinic
Traumatic Brain Injury
Speech and Hearing

The Program will identify possible indications of Identity Theft activity associated with those accounts (hereinafter “Red Flags”)
Address Discrepancies
Presentation of suspicious documents
Photograph or physical description on ID not consistent with the appearance of the person presenting the ID
Personal identifying information provided is not consistent with information on file
Notification from individual that ID for Covered Account has been stolen
Notification from individual, law enforcement or service provider of unusual activity related to a Covered Account
Notification from a credit bureau of fraudulent activity
Request for information about a Covered Account from an individual who cannot be verified as having authorization to receive the information
Number of failed attempts to access an electronic account has exceeded an acceptable level
Unusual or suspicious activity related to the account
Social Security number cannot be verified
Criminal background check on new employee or volunteer is not clear 
  
The Program will devise methods to detect such activity
Obtain information verifying identity for new accounts
Authenticate transactions for existing account owners
Picture ID
User code/password
Monitor transaction activity
Verify validity of change of address
 
The Program will respond appropriately when such activity is detected
Deny changes to Covered Account until individual’s identity is established through acceptable means
Freeze and/or reset password for the Covered Account
Notify the individual to change his/her password
Contact individual to resolve conflict and verify information
Notify appropriate Vice President about discrepancy in applicant’s information
Deny release of information until authorization of individual requesting information can be completed
Refuse non-emergency treatment until client’s identity and insurance information has been verified
Determine no response is warranted
Recommend that the individual file a complaint with University Police
Notify SUNY Central
 
The Program will include the following administrative protocols
Designate a senior level employee as Program Administrator
The President has designated the Dean of Library & Information Services as Program Administrator to oversee administration of this Program.
The Program Administrator may designate additional staff of the College to undertake responsibility for training personnel, monitoring service providers, and updating the Program, all under the supervision of the Program Administrator.
The Program will identify responsible staff associated with each Covered Account
The Program will identify service providers performing activities related to Covered Accounts, ensure that they are contractually required to maintain adequate identity theft prevention, and monitor such service providers as appropriate
College Auxiliary Services
Paetec
The Program will provide for training of Responsible Staff 
The Program will be reviewed annually or in response to changing or emerging threats and to determine if additional Covered Accounts exist. 
The Program will allow for campus and System-based internal control mechanisms, including Auditors, Controllers and Compliance Officers, to have authority and responsibility for monitoring compliance with this policy and campus-specific programs. 
 
Definitions
Account - A relationship established with an institution by a student, employee, or other person to obtain educational, medical, or financial services.
Covered Account - An account that permits multiple transactions or poses a reasonably foreseeable risk of being used to promote an identity theft.
Information Steward - An individual that has responsibility for making classification and control decisions regarding use of information maintained by their area
Responsible Staff - Personnel, based on title, who regularly work with Covered Accounts and are responsible for performing the day-to-day application of the Program to a specific Covered Account by detecting and responding to Red Flags  
Red Flag - A pattern, practice, or specific activity that indicates the possible existence of identity theft.
Incident Response - The manual and automated procedures used to respond to reported network intrusions (real or suspected); network failures and errors; Red Flags; and other undesirable events.
Service Provider - A contractor to the College engaged to perform an activity in connection with a Covered Account.
Identity Theft - A fraud committed or attempted using the identifying information of another person without authority.
 
Responsibilities
The President shall be responsible for implementing and sustaining an Identity Theft Program (Program)
The Program Administrator shall ensure that all records relevant to the Program are maintained and available for inspection.
Information Stewards of areas identified as having Covered Accounts shall be responsible for
Maintaining records identifying and training Responsible Staff
Maintaining records identifying Red Flags and the appropriate responses for Covered Accounts in their area
Maintaining records reflecting instances of known or attempted identity theft and the responses to those instances
The Assistant VP for Administration shall be responsible for identifying contracts with service providers that perform activities related to Covered Accounts
Responsible Staff will comply with this policy and report any Red Flags to the Information Steward of their area.
 
Procedures
Covered accounts will be identified by
Surveying all departments on an annual basis to determine whether or not they collect, maintain or share information that could be used to promote an identity theft
Reviewing contracts with new service providers
The College will maintain accounts with Computer Emergency Response Team (CERT), NYS Cyber Security and SUNY Information Security Office for notification of new risks
 
Documents
Departments and Information Stewards.xls

 

Contact Information

For more information about Administrative Policies approved by Executive Council, please contact:

Sean Brian Dermody
Assistant to the Vice President for Administration
Management Services Office
Office: Kehoe 710-11
Phone: (518) 564-2539
Fax: (518) 564-2540
Email: dermodsb@plattsburgh.edu