Identity Theft Prevention Program (VIII.A.2)
Volume VIII: Records
Chapter A: Records
Responsible Executive: Chief Financial Officer and Treasurer
Responsible Office: Office of the Bursar
Date Issued: March 16, 2009
Date Last Revised: July 15, 2019
TABLE OF CONTENTS
Contacts
Statement of Policy
Reason for This Policy
Individuals and Entities Affected by This Policy
Exclusions
Responsibilities
Definitions (defined terms are capitalized throughout the document)
Related Documents, Forms and Tools
Website Address for This Policy
History and Updates
Appendix
CONTACTS
Title/Office | Telephone | Email/Webpage |
---|---|---|
Office of the Bursar | 765-494-7574 | |

Title/Office | Telephone | Email/Webpage |
---|---|---|
Fort Wayne: Office of the Bursar | 260-481-6824 | |
Northwest: Office of the Bursar | 219-989-2560 or 219-785-5338 | |
West Lafayette: Office of the Bursar | 765-494-7574 | |
STATEMENT OF POLICY
The Identity Theft Prevention Program detects, prevents and mitigates Identity Theft related to Covered Accounts. The Program considers the following risk factors in identifying relevant Red Flags for Covered Accounts as appropriate:
- The types of Covered Accounts offered or maintained,
- The methods provided to open Covered Accounts,
- The methods provided to access Covered Accounts, and
- Its previous experience with Identity Theft.
The Program incorporates relevant Red Flags from sources such as:
- Incidents of Identity Theft previously experienced,
- Methods of Identity Theft that reflect changes in risk, and
- Applicable supervisory guidance.
Red Flags
The Program addresses the detection of Red Flags in connection with the opening of Covered Accounts and existing Covered Accounts by:
- Obtaining identifying information about, and verifying the identity of, a person opening a Covered Account; and
- Authenticating Customers, monitoring transactions, and verifying the validity of change of address requests in the case of existing Covered Accounts.
The Program provides for appropriate responses to detected Red Flags to prevent and mitigate Identity Theft as outlined in the Procedures for Identity Theft Prevention. The response will be commensurate with the degree of risk posed.
Consumer Reporting Address Discrepancies and Change of Address Requests
Purdue University maintains procedures for processing a Notice of Address Discrepancy received from a consumer reporting agency indicating the address given by the Consumer differs from the address contained in the consumer report.
The University also maintains procedures intended to assess the validity of a change of address upon receipt of a request for an additional or replacement University ID card within 30 days of a notification of an address change. An additional or replacement card will not be issued until an assessment of the validity of the address change has occurred.
Refer to the Procedures for Identity Theft Prevention for detailed information.
Training
Staff training is provided annually by each campus to all employees, officials, and contractors who might reasonably come into contact with Covered Accounts that may constitute a risk to Purdue University or its Customers. Additional training will be made available if significant changes are made to the Program.
Security Practices of Contractors and Service Providers
Purdue University will exercise appropriate and effective oversight of service provider arrangements involving those service providers with access to Covered Accounts or information regarding Purdue's Customers under this Program.
REASON FOR THIS POLICY
The Identity Theft Prevention Program is established to detect, prevent and mitigate Identity Theft in connection with the opening of a new Covered Account or maintenance of an existing Covered Account and to provide continued administration of the program in compliance with the Fair and Accurate Credit Transactions (FACT) Act of 2003, as implemented through 16 CFR Part 681.1, 681.2, and 681.3.
INDIVIDUALS AND ENTITIES AFFECTED BY THIS POLICY
All individuals and entities who have a Covered Account with the University and all units, individuals and contractors responsible for creating and/or monitoring Covered Accounts for the University.
EXCLUSIONS
There are no exclusions to this policy.
RESPONSIBILITIES
Chief Financial Officer and Treasurer
- Administrative oversight of the Program.
Assigned Resources
- Complete appropriate training as assigned by the Information Security Governance Committee.
- Once potentially fraudulent activity is detected, respond quickly, as a rapid appropriate response can protect Customers and Purdue University from damages and loss.
- Maintain approved standards and responsive action based upon business and technical needs.
Information Security Governance Committee
- Provide functional oversight, program changes, and training.
- Maintain Operating Procedures for Identity Theft Prevention.
- Periodically review standards and processes maintained by each Assigned Resource.
- Re-evaluate the Program annually to determine whether all aspects are up to date and applicable in the current business environment. Periodic reviews will include an assessment of which accounts are covered by the Program. As part of the review, Red Flags may be revised, replaced, or eliminated. Defining new Red Flags may also be appropriate.
- Review appropriate remedial actions required following the discovery of fraudulent activities. Revise remedial actions as appropriate to reduce damage to Purdue University and its Customers.
Third-party Contractors and Service Providers
- Follow and be compliant with federal, state, and local laws or regulations that are applicable to Purdue University, as well as Purdue University policies and procedures that are relevant to the underlying contract between the parties. The specific terms and issues of such compliance are addressed in Purdue University contractual documents.
- Review their Purdue University contracts and contact their contract representative with any questions regarding appropriate information security practices or other components of this Program.
DEFINITIONS
All defined terms are capitalized throughout the document. Refer to the central Policy Glossary for additional defined terms.
Assigned Resource
A unit of the University or a contracted third-party entity identified by the Information Security Governance Committee as responsible for addressing Red Flags. Assigned Resources include, but are not limited to:
- Division of Financial Aid/Offices of Financial Aid
- Fort Wayne Accounting Services – Receivables
- Northwest Accounting and Budget
- Offices of the Bursar
- Offices of the Registrar
- PFW Campus Credentials and Transportation Office (ID card services)
- PNW Office of New Student Orientation (ID card services)
- Purdue ID Card Office
- University Receivables and Collections Office
Creditor
A person or entity that arranges for the extension, renewal, or continuation of credit, which in some cases could include third-party debt collectors.
Consumer
An individual.
Covered Account
General activity relating to tuition/fee or receivable billing, student loan origination and servicing, and ID card deposit account maintenance.
Customer
A person that has a "covered account" with a financial institution or creditor.
Identity Theft
Fraud committed or attempted using the identifying information of another person without authority.
Information Security Governance Committee
The committee, as defined in the policy on Information Security and Privacy (VII.B.8), tasked with oversight of this Program.
Notice of Address Discrepancy
A notice sent to a user of a consumer report by a Consumer Reporting Agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the Consumer provided by the user in requesting the consumer report and the address or addresses the Consumer Reporting Agency has in the Consumer's file.
Personally Identifiable Information
An individual's first name and last name or first initial and last name and at least one of the following data elements: Social Security Number, driver's license number or identification card number, and account number, credit card number, debit card number, security code, access code, or password of an individual's Covered Account.
Program
The Identity Theft Prevention Program.
Red Flag
A pattern, practice, or specific activity that indicates the possible existence of identity theft. The following Red Flags have been identified for inclusion in the Program:
- Documents provided for identification appearing to have been altered or forged.
- The photograph or physical description on the identification is not consistent with the appearance of the applicant or Customer presenting the identification.
- Other information on the identification is not consistent with information provided by the person opening a new Covered Account or Customer presenting the identification.
- An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
- Personally Identifiable Information provided is inconsistent when compared against external information sources.
- Personally Identifiable Information provided is associated with known fraudulent activity as indicated by internal or third-party sources.
- The Social Security number provided is the same as that submitted by other persons opening an account or other Customers.
- The Customer or the person opening the Covered Account fails to provide all required Personally Identifiable Information on an application or in response to notification that the application is incomplete.
- Personally Identifiable Information provided is not consistent with that which is on file.
- Purdue University is notified of unauthorized charges or transactions in connection with a Customer's Covered Account.
- Purdue University receives notice from Customers, victims of Identity Theft, law enforcement authorities, or other persons regarding possible Identity Theft in connection with Covered Accounts.
RELATED DOCUMENTS, FORMS AND TOOLS
Procedures for Identity Theft Prevention
Information Security and Privacy Program
Federal Register Final Rules (PDF contains definitions and final rules for 16 CFR 681.1, 681.2, and 681.3.)
WEBSITE ADDRESS FOR THIS POLICY
www.purdue.edu/policies/records/viiia2.html
HISTORY AND UPDATES
July 15, 2019: Updated Contacts. Updated definition of Information Security Governance Committee and Red Flags, and added definition of Assigned Resource. Incorporated language from the procedures into Statement of Policy and Responsibilities sections and removed remaining procedures to separate document.
November 18, 2011: Policy number changed to VIII.A.2 (formerly VI.2.2).
March 16, 2009: This is the first such policy for this Program. The BOT approved the Program at its stated meeting on April 10, 2009.
APPENDIX
There are no appendices to this policy.