Approved by Executive Council: April 13, 2009
Posted: April 28, 2009
Revised: November 16, 2015
Policy Topic: Information Technology
Administering Offices: Finance; Division of Information Technology
I. PROGRAM ADOPTION
As a best practice, and using as a guide the Federal Trade Commission’s (“FTC”) Red Flags Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003, Western Carolina University (“University”) developed this Identity Theft Prevention Program (“Program”). This Program was developed with oversight and approval of the University Board of Trustees. After consideration of the size and complexity of the University’s operations and account systems, and the nature and scope of the University’s activities, the University Board of Trustees determined that this Program was appropriate for the University, and therefore approved this Program on June 5, 2009.
The purpose of the Program is to detect, prevent and mitigate identity theft in connection with any covered account. This program envisions the creation of policies and procedures in order to achieve these goals.
“Covered Account” means (i) any account that constitutes a continuing financial relationship or is designed to permit multiple payments or transactions, including Perkins Loans, FFEL loans (Stafford loans and PLUS loans), student emergency loans, and any other student accounts and loans administered by the University; and (ii) any other account the University offers or maintains for which there is a reasonably foreseeable risk to holders of the account or to the safety and soundness of the University from Identity Theft.
“Identifying Information” means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including, but not limited to: name; address; telephone number; social security number; date of birth; government-issued driver’s license or identification number; alien registration number; government passport number; employer or taxpayer identification number; individual identification number; computer’s Internet Protocol address; or bank or other financial account routing code.
“Identity Theft” means a fraud committed or attempted using the Identifying Information of another person without authority.
“Program Administrator” means the individual designated in this document with primary responsibility for oversight of the Program.
“Red Flag” means a pattern, practice, alert or specific activity that indicates the possible existence of Identity Theft.
“Service Provider” means a person or entity that provides a service directly to the University.
A. Identification of Covered Accounts
The University shall periodically determine whether it offers or maintains Covered Accounts. Such determination shall take into consideration the following: (i) the methods utilized to open and close Covered Accounts; (ii) methods utilized to access Covered Accounts; and (iii) previous history with Identity Theft.
B. Identification of Red Flags
In order to identify relevant Red Flags, the University considers the types of Covered Accounts it offers or maintains, the methods it provides to open its Covered Accounts, the methods it provides to access its Covered Accounts, and its previous experiences with Identity Theft. Red Flags may be detected while implementing existing account opening and servicing procedures such as: individual identification, caller authentication, third party authorization, and address changes.
The University identifies the following Red Flags in each of the listed categories:
1. Notifications and Warnings from Consumer Reporting Agencies
- Report of fraud accompanying a credit report;
- Notice or report from a credit agency of a credit freeze on an applicant;
- Notice or report from a credit agency of an active duty alert for an applicant;
- Receipt of a notice of address discrepancy in response to a credit report request; and
- Indication from a credit report of activity that is inconsistent with an applicant’s usual pattern or activity.
2. Suspicious Documents
- Identification document or card that appears to be forged, altered or inauthentic;
- Identification document or card on which a person’s photograph or physical description is not consistent with the person presenting the document;
- Other document with information that is not consistent with existing individual information; and
- Application for service that appears to have been altered or forged.
3. Suspicious Personal Identifying Information
- Identifying Information presented that is inconsistent with other information the individual provides (e.g., inconsistent birth dates);
- Identifying Information presented that is inconsistent with other sources of information (e.g., an address not matching an address on a loan application);
- Identifying Information presented that is the same as information shown on other applications that were found to be fraudulent;
- Identifying Information presented that is consistent with fraudulent activity (e.g., an invalid phone number or fictitious billing address);
- Social Security number presented that is the same as one given by another individual;
- An address or phone number presented that is the same as that of another person;
- A person fails to provide complete personal Identifying Information on an application when reminded to do so; and
- A person’s Identifying Information is not consistent with the information that is on file for the individual.
4. Suspicious Covered Account Activity
- Change of address for an account followed by a request to change the individual’s name;
- Payments stop on an otherwise consistently up-to-date account;
- Account used in a way that is not consistent with prior use;
- Mail sent to the individual is repeatedly returned as undeliverable;
- Notice to the University that an individual is not receiving mail sent by the University;
- Notice to the University that an account has unauthorized activity;
- Breach in the University’s computer system security; and
- Unauthorized access to or use of individual account information.
5. Alerts from Others
- Notice to the University from an individual, Identity Theft victim, law enforcement or other person that the University has opened or is maintaining a fraudulent account for a person engaged in Identity Theft.
C. Detection of Red Flags
1. Student Enrollment
In order to detect any of the Red Flags identified above associated with the enrollment of a student, University personnel shall take the following steps to obtain and verify the identity of the person opening the account:
- Require certain Identifying Information such as name, date of birth, academic records, home address or other identification; and
- Verify the individual’s identity at time of issuance of individual identification card (review of driver’s license or other government-issued photo identification).
2. Existing Accounts
In order to detect any of the Red Flags identified above for an existing Covered Account, University personnel shall take the following steps to monitor transactions on an account:
- Verify the identification of individuals if they request information (in person, via telephone, via facsimile, via email);
- Verify the validity of requests to change billing addresses by mail or email and provide the individual a reasonable means of promptly reporting incorrect billing address changes; and
- Verify changes in banking information given for billing and payment purposes.
3. Consumer (“Credit”) Report Requests
In order to detect any of the Red Flags identified above for an employment or volunteer position for which a credit or background report is sought, the University’s Office of Human Resources personnel shall take the following steps to assist in identifying address discrepancies:
- Require written verification from any applicant that the address provided by the applicant is accurate at the time the request for the credit report is made to the consumer reporting agency; and
- In the event that a notice of an address discrepancy is received from a consumer reporting agency, verify that the credit report pertains to the applicant for whom the requested report was made and report to the consumer reporting agency an address for the applicant that the University has reasonably confirmed is accurate.
D. Response to Red Flags / Prevention and Mitigation of Identity Theft
In the event University personnel detect any identified Red Flags, such personnel shall immediately notify the Program Administrator who may take or cause to be taken any one or more of the following steps, depending on their determination of the degree of risk posed by the Red Flag:
1. Prevent and Mitigate Fraudulent Account Activity
- Immediately notify the Data Security and Stewardship Committee and/or the Computer Security Incident Response Team as may be appropriate;
- Complete or oversee additional authentication to determine whether the attempted transaction was fraudulent or authentic, and determine appropriate steps to take;
- Continue to monitor a Covered Account for evidence of Identity Theft;
- Notify the individual who is the subject of fraudulent account activity;
- Change any passwords, security codes or other security devices that permit access to Covered Accounts;
- Cancel the transaction;
- Refuse to open a new Covered Account;
- Close an existing Covered Account;
- Provide the individual with a new individual identification number, if feasible;
- Notify and cooperate with law enforcement as may be appropriate;
- File or assist in filing a Suspicious Activity Report (“SAR”) with the Financial Crimes Enforcement Network, United States Department of the Treasury; or
- Determine that no response is warranted under the particular circumstances.
2. Protect Individual Identifying Information
In order to further prevent the likelihood of Identity Theft occurring with respect to Covered Accounts, the University will take the following steps with respect to its internal operating procedures to protect individual Identifying Information:
- Ensure that the University website is secure or provide clear notice that the website is not secure;
- Ensure complete and secure destruction of paper and electronic records containing confidential Identifying Information when such records no longer need to be maintained, subject to and in accordance with the UNC General Records Retention and Disposition Schedule (2007) (http://www.wcu.edu/WebFiles/PDFs/IT_UNC_Records_Retention_Disposition_UNCGenSch14062007with_bkmarks.pdf);
- Ensure that office computers with access to Covered Accounts and confidential Identifying Information are password protected and are used and maintained in accordance with all applicable University policies;
- Ensure compliance with University policies regarding passwords (http://www.wcu.edu/WebFiles/WordDocs/Password_Policy_Final_8_17_08.doc);
- Ensure that mobile computing devices are password protected and encrypted, if possible, and locked in a secure location when not in use;
- Avoid the collection and use of Social Security numbers, except as expressly permitted by the North Carolina Identity Theft Protection Act;
- Ensure the security of the physical facilities that contain confidential Identifying Information;
- Ensure that transmission of information is limited and encrypted when necessary or desirable;
- Ensure computer virus protection is up to date; and
- Collect and maintain only the types and amount of confidential Identifying Information necessary for University business purposes, consistent with University policies and directives regarding the collection, maintenance, use, and disclosure of Social Security numbers.
3. Additional Identity Theft Prevention Measures
Each employee and contractor performing work for the University will use the following best practices:
- File cabinets, desk drawers, overhead cabinets, and any other storage space containing documents with Identifying Information will be locked when not in use.
- External hard drives, flash drives, storage discs and any other electronic storage media containing Identifying Information will be secured in a locked room, drawer or cabinet when not in use.
- Storage rooms containing documents with Identifying Information will be locked at the end of each workday or when unsupervised.
- Desks, workstations, work areas, printers, scanners, and fax machines will be cleared of all documents containing Identifying Information when not in use.
- Printers, copiers, scanners, and fax machines used to make images containing Identifying Information will be located in secure areas (i.e., where there is no public traffic).
- Whiteboards, dry-erase boards, writing tablets, and other writing surfaces in common shared work areas will be erased, removed, or shredded when not in use.
- When documents containing Identifying Information are discarded, they will be placed inside a locked shred bin or immediately shredded using a mechanical cross-cut shredding device. Locked shred bins are labeled “Confidential paper shredding and recycling.”
- Computing devices and all data storage devices are decommissioned consistent with all applicable University policies and procedures.
4. Related Policies and Procedures
This Program incorporates by reference the following internal policies and procedures:
- Gramm-Leach-Bliley Act Financial Information Security Plan, appended hereto as Appendix A
- University IT Division Password Policy
- University Policy #97, Data Security and Stewardship Policy
- University Policy #95, Data Network Security and Management
- University Policy #93, Electronic Email Policy
- University Policy #52, Use of Computers and Data Communications
IV. PROGRAM ADMINISTRATION
Responsibility for oversight of the development, implementation, and administration of this Program lies with the Chief Information Officer (the Program Administrator), who also serves as Chair of the Data Security and Stewardship Committee. Program implementation and administration shall be assigned to the Data Security and Stewardship Committee. The Program Administrator shall be responsible for reviewing the reports referenced in Paragraph C below. Program compliance may be reviewed from time to time by the University Internal Auditor. The Program Administrator shall have the responsibility and authority to approve material revisions to this Program as may be necessary from time to time, consistent with Paragraph E below.
B. Staff Training
University employees responsible for implementing the Program shall be trained under the direction of the Program Administrator in the detection of Red Flags and the responsive steps to be taken when a Red Flag is detected.
Departments maintaining Covered Accounts shall report to the Program Administrator at least annually on compliance with this Program. The report shall address matters such as the effectiveness of the policies and procedures of the University in addressing the risk of Identity Theft in connection with the opening of Covered Accounts and with respect to existing Covered Accounts; Service Provider arrangements; significant incidents involving Identity Theft and the University’s response; and recommendations for material changes to the Program.
D. Service Provider Arrangements
In the event the University engages a Service Provider to perform an activity in connection with one or more Covered Accounts, the University will take the following steps to ensure the Service Provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of Identity Theft:
- Require, by signed contract, that Service Providers have such policies and procedures in place; and
- Require, by signed contract, that Service Providers review the University’s Program and report any Red Flags to the Program Administrator.
E. Program Review and Updates
The Program Administrator shall review and update this Program periodically to reflect changes in risks to individuals and the University from Identity Theft. In doing so, the Program Administrator shall consider the University’s experiences with Identity Theft situations, changes in Identity Theft methods, changes in Identity Theft detection and prevention methods, and changes in the University’s business arrangements with other entities.
Appendix A - Western Carolina University, Gramm-Leach-Bliley Act Financial Information Security Plan
It is Western Carolina University (WCU) policy to ensure the integrity, security, and confidentiality of student financial information as required by implementing regulations of the Gramm-Leach-Bliley Act (GLBA).
“Covered data and information” for purposes of this plan includes student financial information, as defined below, required to be protected under GLBA. Additionally, WCU, as a matter of policy and other legal and contractual obligations, includes in this definition any credit card information received in the course of business by WCU, whether or not such credit card information is covered by GLBA. Covered data includes data maintained in any media.
“Student financial information” is that information obtained by WCU from a student (sometimes also referred to as the “customer”) in the process of offering a financial product or service, or such information provided to WCU by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student’s parent when offering a financial aid package, and other miscellaneous financial services. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories and Social Security numbers, in both paper and electronic format.
2. Covered WCU Offices
The following WCU offices and activities are covered for purposes of this plan:
- Athletics – administration of student athlete scholarships
- One Stop – administration of emergency loans and access to student financial data
- Controller – administration of student loans and access to student financial data
- Student Accounts/Perkins Loan Office – administration of student loans and access to student financial data
- WCU Cashier – access to student financial data
- Financial Aid Office – administration of student loans (FFEL/Stafford loans and PLUS loans) and Pell grants and access to student financial data
- Office of Legal Counsel – access to student financial data
- Office of Internal Audit – access to student financial data
- Division of Information Technology – access to student financial data
- Associate Vice Chancellor for Finance – access to student financial data
3. Designation of GLBA Security Plan Coordinators
The Systems Accountant in the Division of Administration and Finance and the Systems Analyst in the Division of Information Technology are designated as co-GLBA Security Plan Coordinators. These individuals are responsible for the implementation and oversight of this plan, in conjunction with the WCU Data Security and Stewardship Committee.
4. Risk Identification and Assessment
The managers of each covered office, with the assistance of the GLBA Security Plan Coordinators and the Division of Information Technology, shall conduct an initial assessment of existing computer systems security, threats, and vulnerabilities. Covered offices shall also conduct an initial risk assessment relative to covered data and information maintained in non-electronic media. The initial risk assessment must identify and assess external and internal risks to the security, confidentiality, and integrity of covered data and information that could result in the unauthorized disclosure, use, alteration, destruction or other compromise of such information.
Covered offices, with the assistance of the GLBA Security Plan Coordinators, shall establish procedures for identifying, assessing, addressing, monitoring, and documenting such risks. Such procedures should be consistent with existing university procedures pertaining to data security, including relevant parts of the HIPAA Security Policies, the Division of Information Technology Policy Handbook, and University Policies 52 (Policy on the Use of Computers and Data Communications), 67 (Personal Computers), 95 (Data Network Security and Management), and 97 (Data Security and Stewardship Policy).
Following the initial risk assessment, risk assessments shall be conducted on a routine and periodic basis. Such assessments shall monitor and evaluate the sufficiency of any administrative, technical, and physical safeguards put in place to mitigate system risks. Security systems shall be regularly tested and modified when necessary. Compliance with this plan will be periodically reviewed by Internal Audit.
5. Security of Information Systems
Access to WCU information systems and covered data and information is limited to those employees who have a business reason to know such information. Each employee is assigned a user name and password consistent with existing policies regarding information access management and personnel management. Covered data and information, specifically including account numbers, account balances, and transactional information, are available only to WCU employees in the covered offices listed above.
WCU will take reasonable and appropriate measures to ensure that all covered data and information is secure, and to safeguard the integrity of data in storage and transmission consistent with existing Division of Information Technology policies and procedures. When commercially reasonable, encryption technology will be utilized for both storage and transmission. All covered data and information will be maintained on servers that are behind WCU’s firewalls, and all firewall software and hardware maintained by the Division of Information Technology will be kept current.
6. Detection, Prevention, Response to Information Systems Intrusions
WCU will maintain effective technical systems to prevent, detect, and respond to attacks, intrusions, and other information system failures. Such systems shall be developed in accordance with existing policies pertaining to malicious software and acceptable use, data security risk analysis, information security audits, business continuity, data backup and retention, and facility and equipment security. Such systems may include: maintaining and implementing current anti-virus software; obtaining and installing current patches and corrections to software vulnerabilities; maintaining appropriate filtering or firewall technologies; alerting those with access to covered data and information of security threats; and backing up data regularly and storing backup data off site. The GLBA Security Plan Coordinators shall work with Internal Audit to periodically review compliance with this plan and the sufficiency of detection and monitoring activities.
7. Employee Training and Management
Safeguards for the security of covered data and information include the management and training of employees who are authorized to access such information. WCU has adopted comprehensive policies regarding information security training and personnel management/sanction, which are referenced in paragraph 4 above. The GLBA Security Plan Coordinators will work with the Data Security and Stewardship Committee and Human Resources to ensure that appropriate training is provided to all employees who have access to covered data and information. Training will include education on this plan and all other relevant information security policies and procedures.
8. Physical Safeguards
The physical security of electronic covered data and information shall be ensured by limiting access to only those employees who have a business reason to know such information. Additionally, pursuant to university information security policies, system and network equipment and other physical assets are locked, alarmed, and monitored. Electronic media containing covered data and information shall be maintained and disposed of in accordance with existing policies pertaining to record retention and media handling.
Loan files, account information, and other paper documents are kept in file cabinets, rooms or vaults that are locked each night. Only authorized employees know combinations and the location of keys. Paper documents that contain covered data and information shall be maintained in accordance with existing policies pertaining to record retention and shall be shredded at the time of disposal.
9. Selection and Oversight of Contractors/Service Providers
In the ordinary course of business, WCU may from time to time appropriately share covered data and information with third parties. The university will take reasonable steps to select and retain appropriate service providers, and shall require by contract that such providers maintain safeguards for the security, confidentiality, and integrity of covered data and information that they receive.