Identity Theft Prevention Program Policy
Approved by Executive Council on July 7, 2009
| Policy Number | Policy Owner |
|---|---|
| 10009.1 | Library and Information Technology Services |
This Identity Theft Prevention Program ("Program") was developed pursuant to a SUNY policy adopted by the Board of Trustees on May 12, 2009 in order to comply with the Federal Trade Commission's Red Flags Rule (16 CFR 681.2). The purpose of this Program is to prevent frauds committed by the misuse of identifying information (i.e. identity theft).
2.0 Revision History
3.0 Units and Persons Affected
All SUNY Plattsburgh staff members designated as Information Stewards or Responsible Staff.
The Program will identify accounts maintained by the College which may be susceptible to fraud (hereinafter "Covered Accounts").
- Student Accounts
- Student/Faculty E-mail Accounts
- Financial Aid Account
- Banner Accounts
- Student Record Accounts
- Student BannerWeb Accounts
- Personnel Records
- Patient Accounts
  - Center for Neurobehavioral Health
  - Speech and Hearing Clinic
The Program will identify possible indications of Identity Theft activity associated with those accounts (hereinafter "Red Flags").
- Address Discrepancies
- Presentation of suspicious documents
- Photograph or physical description on ID not consistent with the appearance of the person presenting the ID
- Personal identifying information provided is not consistent with information on file
- Notification from individual that ID for Covered Account has been stolen
- Notification from individual, law enforcement or service provider of unusual activity related to a Covered Account
- Notification from a credit bureau of fraudulent activity
- Request for information about a Covered Account from an individual who cannot be verified as having authorization to receive the information
- Number of failed attempts to access an electronic account has exceeded an acceptable level
- Unusual or suspicious activity related to the account
- Social Security number cannot be verified
- Criminal background check on new employee or volunteer is not clear
The Program will devise methods to detect such activity.
- Obtain information verifying identity for new accounts
- Authenticate transactions for existing account owners
  - Picture ID
  - User code/password
- Monitor transaction activity
- Verify validity of change of address
The Program will respond appropriately when such activity is detected.
- Deny changes to Covered Account until individual’s identity is established through acceptable means
- Freeze and/or reset password for the Covered Account
- Notify the individual to change his/her password
- Contact individual to resolve conflict and verify information
- Notify appropriate Vice President about discrepancy in applicant’s information
- Deny release of information until authorization of individual requesting information can be completed
- Refuse non-emergency treatment until client's identity and insurance information have been verified
- Determine no response is warranted
- Recommend that the individual file a complaint with University Police
- Notify SUNY Central
The Program will include the following administrative protocols.
- Designate a senior level employee as Program Administrator
  - The President has designated the Dean of Library & Information Technology Services as Program Administrator to oversee administration of this Program.
  - The Program Administrator may designate additional staff of the College to undertake responsibility for training personnel, monitoring service providers, and updating the Program, all under the supervision of the Program Administrator.
- The Program will identify responsible staff associated with each Covered Account
- The Program will identify service providers performing activities related to Covered Accounts, ensure that they are contractually required to maintain adequate identity theft prevention, and monitor such service providers as appropriate
  - College Auxiliary Services
The Program will provide for training of Responsible Staff.
The Program will be reviewed annually or in response to changing or emerging threats and to determine if additional Covered Accounts exist.
The Program will allow for campus and System-based internal control mechanisms, including Auditors, Controllers and Compliance Officers, to have authority and responsibility for monitoring compliance with this policy and campus-specific programs.
- Account - A relationship established with an institution by a student, employee, or other person to obtain educational, medical, or financial services.
- Covered Account - An account that permits multiple transactions or poses a reasonably foreseeable risk of being used to promote an identity theft.
- Information Steward - An individual who has responsibility for making classification and control decisions regarding use of information maintained by their area.
- Responsible Staff - Personnel, based on title, who regularly work with Covered Accounts and are responsible for performing the day-to-day application of the Program to a specific Covered Account by detecting and responding to Red Flags.
- Red Flag - A pattern, practice, or specific activity that indicates the possible existence of identity theft.
- Incident Response - The manual and automated procedures used to respond to reported network intrusions (real or suspected); network failures and errors; Red Flags; and other undesirable events.
- Service Provider - A contractor to the College engaged to perform an activity in connection with a Covered Account.
- Identity Theft - A fraud committed or attempted using the identifying information of another person without authority.
- The President shall be responsible for implementing and sustaining an Identity Theft Program (Program).
- The Program Administrator shall ensure that all records relevant to the Program are maintained and available for inspection.
- Information Stewards of areas identified as having Covered Accounts shall be responsible for:
  - Maintaining records identifying and training Responsible Staff
  - Maintaining records identifying Red Flags and the appropriate responses for Covered Accounts in their area
  - Maintaining records reflecting instances of known or attempted identity theft and the responses to those instances
- The Assistant to the VP for Administration shall be responsible for identifying contracts with service providers that perform activities related to Covered Accounts.
- Responsible Staff will comply with this policy and report any Red Flags to the Information Steward of their area.
- Covered Accounts will be identified by:
  - Surveying all departments on an annual basis to determine whether or not they collect, maintain or share information that could be used to promote an identity theft
  - Reviewing contracts with new service providers
- The College will maintain accounts with the Computer Emergency Response Team (CERT), NYS Cyber Security and the SUNY Information Security Office for notification of new risks.
Please contact the Dean of Library and Information Technology Services for a list of departmental information stewards.