Identity Theft Prevention Program
Approved by Executive Council: April 13, 2009
Posted: April 28, 2009
Revised: November 16, 2015
Policy Topic: Information Technology
Administering Offices: Finance; Division of Information Technology
I. PROGRAM ADOPTION
As a best practice and using as a guide the Federal Trade Commission’s (“FTC”) Red
Flags Rule, implementing Section 114 of the Fair and Accurate Credit Transactions
Act of 2003 Western Carolina University (“University”) developed this Identity Theft
Prevention Program (“Program”). This Program was developed with oversight and approval
of the University Board of Trustees. After consideration of the size and complexity
of the University’s operations and account systems, and the nature and scope of the
University’s activities, the University Board of Trustees determined that this Program
was appropriate for the University, and therefore approved this Program on June 5,
The purpose of the Program is to detect, prevent and mitigate identity theft in connection
with any covered account. This program envisions the creation of policies and procedures
in order to achieve these goals.
“Covered Account” means (i) any account that constitutes a continuing financial relationship or is
designed to permit multiple payments or transactions, including Perkins Loans, FFEL
loans (Stafford loans and PLUS loans), student emergency loans, and any other student
accounts and loans administered by the University; and (ii) any other account the
University offers or maintains for which there is a reasonably foreseeable risk to
holders of the account or to the safety and soundness of the University from Identity
“Identifying Information” means any name or number that may be used, alone or in conjunction with any other
information, to identify a specific person, including, but not limited to: name; address;
telephone number; social security number; date of birth; government-issued driver’s
license or identification number; alien registration number; government passport number;
employer or taxpayer identification number; individual identification number; computer’s
Internet Protocol address; or bank or other financial account routing code.
“Identity Theft” means a fraud committed or attempted using the Identifying Information of another
person without authority.
“Program Administrator” means the individual designated in this document with primary responsibility for
oversight of the Program.
“Red Flag” means a pattern, practice, alert or specific activity that indicates the possible
existence of Identity Theft.
“Service Provider” means a person or entity that provides a service directly to the University.
A. Identification of Covered Accounts
The University shall periodically determine whether it offers or maintains Covered
Accounts. Such determination shall take into consideration the following: (i) the
methods utilized to open and close Covered Accounts; (ii) methods utilized to access
Covered Accounts; and (iii) previous history with Identity Theft.
B. Identification of Red Flags
In order to identify relevant Red Flags, the University considers the types of Covered
Accounts it offers or maintains, the methods it provides to open its Covered Accounts,
the methods it provides to access its Covered Accounts, and its previous experiences
with Identity Theft. Red Flags may be detected while implementing existing account
opening and servicing procedures such as: individual identification, caller authentication,
third party authorization, and address changes.
The University identifies the following Red Flags in each of the listed categories:
1. Notifications and Warnings from Consumer Reporting Agencies
- Report of fraud accompanying a credit report;
- Notice or report from a credit agency of a credit freeze on an applicant;
- Notice or report from a credit agency of an active duty alert for an applicant;
- Receipt of a notice of address discrepancy in response to a credit report request;
- Indication from a credit report of activity that is inconsistent with an applicant’s
usual pattern or activity.
2. Suspicious Documents
- Identification document or card that appears to be forged, altered or inauthentic;
- Identification document or card on which a person’s photograph or physical description
is not consistent with the person presenting the document;
- Other document with information that is not consistent with existing individual information;
- Application for service that appears to have been altered or forged.
3. Suspicious Personal Identifying Information
- Identifying Information presented that is inconsistent with other information the
individual provides (e.g., inconsistent birth dates);
- Identifying Information presented that is inconsistent with other sources of information
(e.g., an address not matching an address on a loan application);
- Identifying Information presented that is the same as information shown on other applications
that were found to be fraudulent;
- Identifying Information presented that is consistent with fraudulent activity (e.g.,
an invalid phone number or fictitious billing address);
- Social Security number presented that is the same as one given by another individual;
- An address or phone number presented that is the same as that of another person;
- A person fails to provide complete personal Identifying Information on an application
when reminded to do so; and
- A person’s Identifying Information is not consistent with the information that is
on file for the individual.
4. Suspicious Covered Account Activity
- Change of address for an account followed by a request to change the individual’s
- Payments stop on an otherwise consistently up-to-date account;
- Account used in a way that is not consistent with prior use;
- Mail sent to the individual is repeatedly returned as undeliverable;
- Notice to the University that an individual is not receiving mail sent by the University;
- Notice to the University that an account has unauthorized activity;
- Breach in the University’s computer system security; and
- Unauthorized access to or use of individual account information.
5. Alerts from Others
- Notice to the University from an individual, Identity Theft victim, law enforcement
or other person that the University has opened or is maintaining a fraudulent account
for a person engaged in Identity Theft.
C. Detection of Red Flags
1. Student Enrollment
In order to detect any of the Red Flags identified above associated with the enrollment
of a student, University personnel shall take the following steps to obtain and verify
the identity of the person opening the account:
- Require certain Identifying Information such as name, date of birth, academic records,
home address or other identification; and
- Verify the individual’s identity at time of issuance of individual identification
card (review of driver’s license or other government-issued photo identification).
2. Existing Accounts
In order to detect any of the Red Flags identified above for an existing Covered Account,
University personnel shall take the following steps to monitor transactions on an
- Verify the identification of individuals if they request information (in person, via
telephone, via facsimile, via email);
- Verify the validity of requests to change billing addresses by mail or email and provide
the individual a reasonable means of promptly reporting incorrect billing address
- Verify changes in banking information given for billing and payment purposes.
3. Consumer (“Credit”) Report Requests
In order to detect any of the Red Flags identified above for an employment or volunteer
position for which a credit or background report is sought, the University’s Office
of Human Resources personnel shall take the following steps to assist in identifying
- Require written verification from any applicant that the address provided by the applicant
is accurate at the time the request for the credit report is made to the consumer
reporting agency; and
- In the event that a notice of an address discrepancy is received from a consumer reporting
agency, verify that the credit report pertains to the applicant for whom the requested
report was made and report to the consumer reporting agency an address for the applicant
that the University has reasonably confirmed is accurate.
D. Response to Red Flags / Prevention and Mitigation of Identity Theft
In the event University personnel detect any identified Red Flags, such personnel
shall immediately notify the Program Administrator who may take or cause to be taken
any one or more of the following steps, depending on their determination of the degree
of risk posed by the Red Flag:
1. Prevent and Mitigate Fraudulent Account Activity
- Immediately notify the Data Security and Stewardship Committee and/or the Computer
Security Incident Response Team as may be appropriate;
- Complete or oversee additional authentication to determine whether the attempted transaction
was fraudulent or authentic, and determine appropriate steps to take;
- Continue to monitor a Covered Account for evidence of Identity Theft;
- Notify the individual who is the subject of fraudulent account activity;
- Change any passwords, security codes or other security devices that permit access
to Covered Accounts;
- Cancel the transaction;
- Refuse to open a new Covered Account;
- Close an existing Covered Account;
- Provide the individual with a new individual identification number, if feasible;
- Notify and cooperate with law enforcement as may be appropriate;
- File or assist in filing a Suspicious Activity Report (“SAR”) with the Financial Crimes
Enforcement Network, United States Department of the Treasury; or
- Determine that no response is warranted under the particular circumstances.
2. Protect Individual Identifying Information
In order to further prevent the likelihood of Identity Theft occurring with respect
to Covered Accounts, the University will take the following steps with respect to
its internal operating procedures to protect individual Identifying Information:
- Ensure that the University website is secure or provide clear notice that the website
is not secure;
- Ensure complete and secure destruction of paper and electronic records containing
confidential Identifying Information when such records no longer need to be maintained,
subject to and in accordance with the UNC General Records Retention and Disposition
- Ensure that office computers with access to Covered Accounts and confidential Identifying
Information are password protected and are used and maintained in accordance with
all applicable University policies;
- Ensure compliance with University policies regarding passwords; http://www.wcu.edu/WebFiles/WordDocs/Password_Policy_Final_8_17_08.doc
- Ensure that mobile computing devices are password protected and encrypted, if possible,
and locked in a secure location when not in use;
- Avoid the collection and use of Social Security numbers, except as expressly permitted
by the North Carolina Identity Theft Protection Act;
- Ensure the security of the physical facilities that contain confidential Identifying
- Ensure that transmission of information is limited and encrypted when necessary or
- Ensure computer virus protection is up to date; and
- Collect and maintain only the types and amount of confidential Identifying Information
necessary for University business purposes, consistent with University policies and
directives regarding the collection, maintenance, use, and disclosure of Social Security
3. Additional Identity Theft Prevention Measures
Each employee and contractor performing work for the University will use the following
- File cabinets, desk drawers, overhead cabinets, and any other storage space containing
documents with Identifying Information will be locked when not in use.
- External hard drives, flash drives, storage discs and any other electronic storage
media containing Identifying Information will be secured in a locked room, drawer
or cabinet when not in use.
- Storage rooms containing documents with Identifying Information will be locked at
the end of each workday or when unsupervised.
- Desks, workstations, work areas, printers, scanners, and fax machines will be cleared
of all documents containing Identifying Information when not in use.
- Printers, copiers, scanners, and fax machines used to make images containing Identifying
Information will be located in secure areas (i.e., where there is no public traffic).
- Whiteboards, dry-erase boards, writing tablets, and other writing surfaces in common
shared work areas will be erased, removed, or shredded when not in use.
- When documents containing Identifying Information are discarded, they will be placed
inside a locked shred bin or immediately shredded using a mechanical cross cut shredding
device. Locked shred bins are labeled “Confidential paper shredding and recycling.”
- Computing devices and all data storage devices are decommissioned consistent with
all applicable University policies and procedures.
4. Related Policies and Procedures
This Program incorporates by reference the following internal policies and procedures:
- Gramm-Leach-Bliley Act Financial Information Security Plan, appended hereto as
University IT Division Password Policy
University Policy #97, Data Security and Stewardship Policy
University Policy #95, Data Network Security and Management
University Policy #93, Electronic Email Policy
University Policy #52, Use of Computers and Data Communications
IV. PROGRAM ADMINISTRATION
Responsibility for oversight of the development, implementation, and administration
of this Program lies with the Chief Information Officer (the Program Administrator),
who also serves as Chair of the Data Security and Stewardship Committee. Program implementation
and administration shall be assigned to the Data Security and Stewardship Committee.
The Program Administrator shall be responsible for reviewing the reports referenced
in Paragraph C below. Program compliance may be reviewed from time to time by the
University Internal Auditor. The Program Administrator shall have the responsibility
and authority to approve material revisions to this Program as may be necessary from
time to time, consistent with Paragraph E below.
B. Staff Training
University employees responsible for implementing the Program shall be trained under
the direction of the Program Administrator in the detection of Red Flags and the responsive
steps to be taken when a Red Flag is detected.
Departments maintaining Covered Accounts shall report to the Program Administrator
at least annually on compliance with this Program. The report shall address matters
such as the effectiveness of the policies and procedures of the University in addressing
the risk of Identity Theft in connection with the opening of Covered Accounts and
with respect to existing Covered Accounts; Service Provider arrangements; significant
incidents involving Identity Theft and the University’s response; and recommendations
for material changes to the Program.
D. Service Provider Arrangements
In the event the University engages a Service Provider to perform an activity in connection
with one or more Covered Accounts, the University will take the following steps to
ensure the Service Provider performs its activity in accordance with reasonable policies
and procedures designed to detect, prevent and mitigate the risk of Identity Theft.
- Require, by signed contract, that Service Providers have such policies and procedures
in place; and
- Require, by signed contract, that Service Providers review the University’s Program
and report any Red Flags to the Program Administrator.
E. Program Review and Updates
The Program Administrator shall review and update this Program periodically to reflect
changes in risks to individuals and the University from Identity Theft. In doing so,
the Program Administrator shall consider the University’s experiences with Identity
Theft situations, changes in Identity Theft methods, changes in Identity Theft detection
and prevention methods, and changes in the University’s business arrangements with
Appendix A - Western Carolina University, Gramm-Leach-Bliley Act
Financial Information Security Plan
It is Western Carolina University (WCU) policy to ensure the integrity, security,
and confidentiality of student financial information as required by implementing regulations
of the Gramm-Leach-Bliley Act (GLBA).
“Covered data and information” for purposes of this plan includes student financial information, as defined below,
required to be protected under GLBA. Additionally, WCU, as a matter of policy and
other legal and contractual obligations, includes in this definition any credit card
information received in the course of business by WCU, whether or not such credit
card information is covered by GLBA. Covered data includes data maintained in any
“Student financial information” is that information obtained by WCU from a student (sometimes also referred to as
the “customer”) in the process of offering a financial product or service, or such
information provided to WCU by another financial institution. Offering a financial
product or service includes offering student loans to students, receiving income tax
information from a student’s parent when offering a financial aid package, and other
miscellaneous financial services. Examples of student financial information include
addresses, phone numbers, bank and credit card account numbers, income and credit
histories and Social Security numbers, in both paper and electronic format.
2. Covered WCU Offices
The following WCU offices and activities are covered for purposes of this plan:
- Athletics – administration of student athlete scholarships
- One Stop – administration of emergency loans and access to student financial data
- Controller – administration of student loans and access to student financial data
- Student Accounts/Perkins Loan Office - administration of student loans and access
to student financial data
- WCU Cashier - access to student financial data
- Financial Aid Office – administration of student loans (FFEL/Stafford loans and PLUS
loans) and Pell grants and access to student financial data
- Office of Legal Counsel - access to student financial data
- Office of Internal Audit - access to student financial data
- Division of Information Technology - access to student financial data
- Associate Vice Chancellor for Finance - access to student financial data
3. Designation of GLBA Security Plan Coordinators
The Systems Accountant in the Division of Administration and Finance and the Systems
Analyst in the Division of Information Technology are designated as co-GLBA Security
Plan Coordinators. These individuals are responsible for overseeing the implementation
and oversight of this plan, in conjunction with the WCU Data Security and Stewardship
4. Risk Identification and Assessment
The managers of each covered office, with the assistance of the GLBA Security Plan
Coordinators and the Division of Information Technology, shall conduct an initial
assessment of existing computer systems security, threats, and vulnerabilities. Covered
offices shall also conduct an initial risk assessment relative to covered data and
information maintained in non-electronic media. The initial risk assessment must identify
and assess external and internal risks to the security, confidentiality, and integrity
of covered data and information that could result in the unauthorized disclosure,
use, alteration, destruction or other compromise of such information.
Covered offices, with the assistance of the GLBA Security Plan Coordinators, shall
establish procedures for identifying, assessing, addressing, monitoring, and documenting
such risks. Such procedures should be consistent with existing university procedures
pertaining to data security, including relevant parts of the HIPAA Security Policies,
the Division of Information Technology Policy Handbook, and University Policies 52
(Policy on the Use of Computers and Data Communications), 67 (Personal Computers),
95 (Data Network Security and Management), and 97 (Data Security and Stewardship Policy).
Following the initial risk assessment, risk assessments shall be conducted on a routine
and periodic basis. Such assessments shall monitor and evaluate the sufficiency of
any administrative, technical, and physical safeguards put in place to mitigate system
risks. Security systems shall be regularly tested and modified when necessary. Compliance
with this plan will be periodically reviewed by Internal Audit.
5. Security of Information Systems
Access to WCU information systems and covered data and information is limited to those
employees who have a business reason to know such information. Each employee is assigned
a user name and password consistent with existing policies regarding information access
management and personnel management. Covered data and information, specifically including
account numbers, account balances, and transactional information, are available only
to WCU employees in the covered offices listed above.
WCU will take reasonable and appropriate measures to ensure that all covered data
and information is secure, and to safeguard the integrity of data in storage and transmission
consistent with existing Division of Information Technology policies and procedures.
When commercially reasonable, encryption technology will be utilized for both storage
and transmission. All covered data and information will be maintained on servers that
are behind WCU’s firewalls, and all firewall software and hardware maintained by the
Division of Information Technology will be kept current.
6. Detection, Prevention, Response to Information Systems Intrusions
WCU will maintain effective technical systems to prevent, detect, and respond to attacks,
intrusions, and other information system failures. Such systems shall be developed
in accordance with existing policies pertaining to malicious software and acceptable
use, data security risk analysis, information security audits, business continuity,
data backup and retention, and facility and equipment security. Such systems may include:
maintaining and implementing current anti-virus software; obtaining and installing
current patches and corrections to software vulnerabilities; maintaining appropriate
filtering or firewall technologies, alerting those with access to covered data and
information of security threats; and backing up data regularly and storing back up
data off site. The GLBA Security Plan Coordinators shall work with Internal Audit
to periodically review compliance with this plan and the sufficiency of detection
and monitoring activities.
7. Employee Training and Management
Safeguards for the security of covered data and information include the management
and training of employees who are authorized to access such information. WCU has adopted
comprehensive policies regarding information security training and personnel management/sanction,
which are referenced in paragraph 4 above. The GLBA Security Plan Coordinators will
work with the Data Security and Stewardship Committee and Human Resources to ensure
that appropriate training is provided to all employees who have access to covered
data and information. Training will include education on this plan and all other relevant
information security policies and procedures.
8. Physical Safeguards
The physical security of electronic covered data and information shall be ensured
by limiting access to only those employees who have a business reason to know such
information. Additionally, pursuant to university information security policies, system
and network equipment and other physical assets are locked, alarmed, and monitored.
Electronic media containing covered data and information shall be maintained and disposed
of in accordance with existing policies pertaining to record retention and media handling
Loan files, account information, and other paper documents are kept in file cabinets,
rooms or vaults that are locked each night. Only authorized employees know combinations
and the location of keys. Paper documents that contain covered data and information
shall be maintained in accordance with existing policies pertaining to record retention
and shall be shredded at the time of disposal.
9. Selection and Oversight of Contractors/Service Providers
In the ordinary course of business, WCU may from time to time appropriately share
covered data and information with third parties. The university will take reasonable
steps to select and retain appropriate service providers, and shall require by contract
that such providers maintain safeguards for the security, confidentiality, and integrity
of covered data and information that they receive.