Identity Theft Prevention Program Policy

The Program will identify accounts maintained by the College which may be susceptible to fraud (hereinafter "Covered Accounts").

• Student Accounts
• Student/Faculty E-mail Accounts
• Financial Aid Account
• Banner Accounts
• Student Record Accounts
• Student BannerWeb Accounts
• Personnel Records
• Patient Accounts 
  • Center for Neurobehavioral Health
  • Speech and Hearing Clinic

The Program will identify possible indications of Identity Theft activity associated with those accounts (hereinafter “Red Flags”)

• Address Discrepancies
• Presentation of suspicious documents
• Photograph or physical description on ID not consistent with the appearance of the person presenting the ID
• Personal identifying information provided is not consistent with information on file
• Notification from individual that ID for Covered Account has been stolen
• Notification from individual, law enforcement or service provider of unusual activity related to a Covered Account
• Notification from a credit bureau of fraudulent activity
• Request for information about a Covered Account from an individual who cannot be verified as having authorization to receive the information
• Number of failed attempt to access an electronic account has exceeded acceptable level
• Unusual or suspicious activity related to the account
• Social Security number cannot be verified
• Criminal background check on new employee or volunteer is not clear 

The Program will devise methods to detect such activity

• Obtain information verifying identity for new accounts
• Authenticate transactions for existing account owners
• Picture ID
• User code/password
• Monitor transaction activity
• Verify validity of change of address

The Program will respond appropriately when such activity is detected

• Deny changes to Covered Account until individual’s identity is established through acceptable means
• Freeze and/or reset password for the Covered Account 
• Notify the individual to change his/her password
• Contact individual to resolve conflict and verify information
• Notify appropriate Vice President about discrepancy in applicant’s information
• Deny release of information until authorization of individual requesting information can be completed
• Refuse non-emergency treatment until client’s identity and insurance information has been verified
• Determine no response is warranted
• Recommend that the individual file a complaint with University Police
• Notify SUNY Central

The Program will include the following administrative protocols

• Designate a senior level employee as Program Administrator
• The President has designated the Director of Information Technology Services as Program Administrator to oversee administration of this Program.
• The Program Administrator may designate additional staff of the College to undertake responsibility for training personnel, monitoring service providers, and updating the Program, all under the supervision of the Program Administrator.
• The Program will identify responsible staff associated with each Covered Account
• The Program will identify service providers performing activities related to Covered Accounts and ensure that they are contractually required to maintain an adequate identity theft prevention and to monitor such service providers as appropriate
  • College Auxiliary Services
  • Paetec

The Program will provide for training of Responsible Staff 

The Program will be reviewed annually or in response to changing or emerging threats and to determine if additional Covered Accounts exist. 

The Program will allow for campus and System-based internal control mechanisms, including Auditors, Controllers and Compliance Officers, to have authority and responsibility for monitoring compliance with this policy and campus-specific programs. 

Please contact the Director of Information Technology Services for a list of departmental information stewards.