Supplemental Information Print this PDF

Name: Data Protection Standards - Identity Theft Prevention Program Policy
Responsible Office: College Services

Applies to: (examples; Faculty,Staff, Students, etc)

Faculty , Staff , Students , Contractors_Vendors

Policy Overview:

Issued: 10-31-2016
Next Review Date: 03-18-2023
Frequency of Reviews: Biennially

The University is committed to protecting personally identifying information of its customers by maintaining an effective identity theft prevention program as required by the Fair and Accurate Credit Transactions Act of 2003 and the Federal Trade Commission’s Red Flags Rule.   

Applies to all faculty, staff, temporary employees, student workers, consultants, and outside service providers. 




Identity Theft

“Identity Theft” is an actual or attempted fraud involving the unauthorized use of the Identifying Information of another person.

Red Flag

A “Red Flag” is a pattern, practice, or specific activity that indicates the possible existence of Identity Theft.

Covered Account

A “Covered Account” includes any account that the University or a service provider acting on its behalf offers or maintains for customers that involves or is designed to permit multiple payments or transactions such as student accounts, student loans, credit accounts, deferred payment accounts, or deposit accounts, and any other account for which there is a reasonably foreseeable risk of Identity Theft to customers or the University.

Program Coordinator

“Program Coordinator” is the Director of Public Safety who has been designated with primary responsibility for the coordination and oversight of the Identity Theft Prevention program. 

Personally identifiable

“Personally identifiable information” is any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including: name, address, telephone number, social security number, date of birth, government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, student identification number, computer’s Internet Protocol address, or routing code. 


The University’s Identity Theft Prevention Program establishes guidelines for identifying Red Flags associated with Identity Theft of personally identifiable information maintained in new and existing Covered Accounts relating to financial services or transactions. The University will take appropriate actions when Red Flags or suspected Identity Theft has been detected to prevent and mitigate harm to customers and the University.  The University will periodically review and update the program to reflect new risks or threats of identity Theft.  University personnel and service providers must be vigilant in reviewing Covered Accounts and related transactions for Red Flags and reporting suspected Identity Theft to the Program Coordinator.  Failure to comply with the standards set forth in this policy may result in termination of relationships with service providers or disciplinary action up to and including dismissal of an employee. 



In order to effectively manage risk associated with Identity Theft, the University has identified the following Red Flags that University personnel and service providers should look for in connection with opening or maintaining any Covered Account: 

A.     Notifications and Warnings from Credit Reporting Agencies

Red Flags

1. Report of fraud accompanying a credit report;
2. Notice or report from a credit agency of a credit freeze;
3. Notice or report from a credit agency of an active duty alert;
4. Receipt of a notice of address discrepancy in response to a credit report request; and
5. Indication from a credit report of activity that is inconsistent with a person’s usual pattern or activity.

B.    Suspicious Documents

Red Flags

1. Identification document or card that appears to be forged, altered or inauthentic;
2. Identification document or card on which a person’s photograph or physical description is not consistent with the person presenting the document;
3. Other document with information that is not consistent with existing information; and
4. Application for service that appears to have been altered or forged.

C. Suspicious Personally Identifiable Information

Red Flags

1. Identifying Information presented that is inconsistent with other information the person provides (example: inconsistent birth dates);
2. Identifying Information presented that is inconsistent with other sources of information (for instance, an address not matching an address on a loan application);
3. Identifying Information presented that is the same as information shown on other applications that were found to be fraudulent;
4. Identifying Information presented that is consistent with fraudulent activity (such as an invalid phone number or fictitious billing address);
5. Social security number presented that is the same as one given by another person;
6. An address or phone number presented that is the same as that of another person or associated with a PO Box, a pager, or answering service;
7. A person fails to provide complete Personally identifiable information on an application when reminded to do so; and
8. A person’s Identifying Information is not consistent with the information that is on file for the person named on the account.

D. Suspicious Covered Account Activity or Unusual Use of Account

Red Flags

1. Change of address for an account followed within a short period of time by a request to change a name or security code to access the account;
2. Payments stop on an otherwise consistently up-to-date account;
3. Account used in a way that is not consistent with prior use;
4. Mail sent to the person is repeatedly returned as undeliverable;
5. Notice to the University that a person is not receiving mail sent by the University;
6. Notice to the University that an account has unauthorized activity;
7. Breach in the University's computer system security; and
8. Unauthorized access to or use of an affected person’s account information.

E. Alerts from Others

Red Flag

Notice to the University from a student, Identity Theft victim, law enforcement or other person that the University has opened or is maintaining a fraudulent account for a person engaged in Identity Theft.


A. Student Enrollment

In order to detect any of the Red Flags identified above associated with the enrollment of a student, University personnel will take the following steps to obtain and verify the identity of the person opening the account:


1. Require certain Identifying Information such as name, date of birth, academic records, home address or other identification; and
2. Verify the person’s identity at time of issuance of student identification card (review of driver’s license or other government-issued photo identification).

B. Existing Accounts

In order to detect any of the Red Flags identified above for an existing Covered Account, University personnel will take the following steps to monitor transactions on an account:


1. Verify the identification of any individual who requests information (in person, via telephone, via facsimile, via email);
2. Verify the validity of requests to change billing addresses by mail or email and provide the person a reasonable means of promptly reporting incorrect billing address changes; and
3. Verify changes in banking information given for billing and payment purposes.

C. Consumer (“Credit”) Report Requests

In order to detect any of the Red Flags identified above for any activity for which a credit or background report is sought, University personnel will take the following steps to assist in identifying address discrepancies:

1. Require written verification that the address provided is accurate at the time the request for the credit report is made to the consumer reporting agency; and
2. In the event that notice of an address discrepancy is received, verify that the credit report pertains to the person for whom the requested report was made and report to the consumer reporting agency an address for such person that the University has reasonably confirmed is accurate.


In the event University personnel detect any identified Red Flags, such personnel shall notify the Program Coordinator for determination of the appropriate step(s) to take which may include, but is not limited to, one or more of the following steps, depending on the degree of risk posed by the Red Flag:

Prevent and Mitigate

1. Continue to monitor a Covered Account for evidence of Identity Theft;
2. Contact the affected person for which a credit report was run;
3. Change any passwords or other security devices that permit access to Covered Accounts;
4. Not open a new Covered Account;
5. Provide the affected person with a new identification number;
6. Notify law enforcement; or
7. Determine that no response is warranted under the particular circumstances.

Protect Identifying Information

In order to further prevent the likelihood of Identity Theft occurring with respect to Covered Accounts, the University will take the following steps with respect to its internal operating procedures to protect Identifying Information:

1. Ensure that its website is secure or provide clear notice that the website is not secure;
2. Ensure complete and secure destruction of paper documents and computer files containing student account information when a decision has been made to no longer maintain such information;
3. Ensure that office computers with access to Covered Account information are password protected;
4. Avoid use of social security numbers;
5. Ensure computer virus protection is up to date; and
6. Require and keep only the kinds of customer information that are necessary for University purposes.


A. Oversight

Responsibility for developing, implementing, and updating this Program lies with the Program Coordinator for the University.  The Program Coordinator will be responsible for ensuring appropriate training of University staff on the Program, for reviewing any staff reports regarding the detection of Red Flags and the steps for preventing and mitigating Identity Theft, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the Program. 

B. Staff Training and Reports 

The Program Coordinator will coordinate Red Flags training for University staff responsible for implementing the Identity Theft Prevention Program. University employees are expected to notify the Program Coordinator once they become aware of an incident of Identity Theft or of the University’s failure to comply with this Program.

C. Service Provider Arrangements

In the event the University engages an outside person such as a consultant or service provider to perform any activity in connection with one or more Covered Accounts, the Program Director should be contacted to ensure that the party has adequate policies and procedures designed to detect, prevent, report, and mitigate the risk of Identity Theft.  Additionally, the General Counsel must be notified of the proposed engagement so that appropriate terms relating to protection of personally identifiable information from Identity Theft are incorporated into applicable contracts.

D. Non-disclosure of Specific Practices

The Program Coordinator may need to limit sensitive information relating to specific Red Flag identification, detection, and mitigation and prevention practices to those employees with a need-to-know.  The Program Coordinator will mark any documents containing sensitive information as "confidential" and provide instruction to employees on authorized access, disclosure, and security measures.  In some instances, the Program Coordinator will consult with the General Counsel to determine if an employee will be required to sign a Confidentiality Agreement.

E. Notices

The Program Coordinator will inform the General Counsel and the Chief Compliance Officer of any suspicious activity involving suspected or actual Identity Theft.  It is the General Counsel and Chief Compliance Officer's responsibility to manage and coordinate any notices to external authorities or parties such as law enforcement, insurance companies, government agencies, and affected persons or companies.

F. Program Updates

At least annually or as otherwise requested by the Program Coordinator, University staff responsible for development, implementaion, and administration of the Program will submit a compliance report to the Program Coordinator.  The report should address such issues as effectiveness of the policies and procedures in addressing the risk of Identity Theft in connection with the opening and maintenance of Covered Accounts, service provider arrangements, significant incidents involving Identity Theft and management's response, and recommendations for changes to the Program.  The Program Coordinator will review the reports and pertinent information from internal and external resources as part of the annual review to assess the effectiveness of the Program.  In doing so, the Program Coordinator will consider the University's experiences with Identity Theft incidents, changes in criminal practices or schemes to commit Identity Theft, changes in Identity Theft detection and prevention methods, and changes in the University's business arrangements with other entities.  After considering these factors, the Program Coordinator will determine whether changes to the Program, including the listing of Red Flags, are warranted.  If warranted, the Program Coordinator will update the Program.




Director of Public Safety

Coordinates training, detection, reporting, and corrective actions required under this policy to eliminate risk and appropriately address incidents of identity theft, including improving the University’s identity theft prevention program.

AVP, Information Technology

Coordinates training, detection, reporting, and corrective actions required under this policy to eliminate risk and appropriately address incidents of identity theft, including improving the University’s identity theft prevention program.

General Counsel

Reporting and notices to insurance companies, government agencies, and affected parties

Policy Contacts:


Contact Information

Zachary Lewis, AVP IT, 314-446-8402

Scott Patterson, Director Public Safety, 314-446-8382

Ken Fleischmann, General Counsel, 314-446-8104

Supplemental Information: