DEFINITIONS AND PROGRAM
A. Red-Flags Rule Definitions Used in this Program
1. Business and personal accounts for which there is a reasonably foreseeable risk of identity theft; or
2. A business or personal account for which there is a reasonably foreseeable risk to the safety or soundness of The University of Montana from identity theft, including financial, operational, compliance, reputation, or litigation risks.
The following types of accounts are examples of covered accounts: Student Accounts, Student Loans, Student Financial Assistance Accounts, Payroll Accounts, and Campus Based Identification Cards.
“Program Administrator” – the individual designated with primary responsibility for oversight of the Identity Theft Prevention Program.
“Personal Identifying Information” – “any name or number that may be used, alone or in conjunction with any other information, to identify a specific person,” including: name, address, telephone number, social security number, date of birth, government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, student identification number, computer’s Internet Protocol address, or routing code.
B. Fulfilling the Requirements of the Red Flags Rules
Under the Red Flags Rules, the University is required to establish an “Identity Theft Prevention Program” tailored to its size, complexity and the nature of its operation. Each program must contain reasonable policies and procedures to:
1. Identify relevant Red Flags for new and existing covered accounts and incorporate those Red Flags into the Program;
2. Detect Red Flags that have been incorporated into the Program;
3. Respond appropriately to any Red Flags that are detected to prevent and mitigate Identity Theft; and
4. Ensure the Program is updated periodically to reflect changes in risks to students or to the safety and soundness of the student from Identity Theft.
IDENTIFICATION OF RED FLAGS
In order to identify relevant Red Flags, the University considers the types of accounts that it offers and maintains, methods it provides to open its accounts, methods it provides to access its accounts, and its previous experiences with Identity Theft. The University identifies the following Red Flags for use in this Program.
DETECTING RED FLAGS
A. Opening of Covered Accounts
In order to establish or open a covered account and to detect any Red Flags, it will be necessary to obtain identifying information about, and verify the identity of, a person opening a covered account. University personnel will take the following steps to obtain and verify the identity of the person opening the account:
1. Require certain identifying information such as name, date of birth, academic records, I-9, home address, or other identification; and
2. Verify the individual’s identity at time of issuance of a campus based identification card (review of driver’s license or other government-issued photo identification)
B. Existing Covered Accounts
In order to change information on an existing covered account and to detect Red Flags, University personnel will take the following steps to monitor transactions on an account:
1. Verify the identification of individuals if they request information (in person, via on-line access, via telephone, via facsimile, or via e-mail);
2. Verify the validity of requests to change billing addresses by mail or e-mail and provide the account holder a reasonable means of promptly reporting an incorrect billing address change; and
3. Verify changes in banking information, if applicable, i.e. Human Resources or Accounts Payable.
C. Consumer (“Credit”) Report Requests
In order to detect any of the Red Flag conditions identified above for an employment or volunteer position for which a credit or background report is sought, University personnel will take the following steps to assist in identifying address discrepancies:
1. Require written verification from any applicant that the address provided by the applicant is accurate at the time the request for the credit report is made to the consumer reporting agency; and
2. In the event that notice of an address discrepancy is received, verify that the credit report pertains to the applicant for whom the requested report was made and report to the consumer reporting agency (credit bureau) an address for the applicant that the University has reasonably confirmed is accurate.
PREVENTING AND MITIGATING IDENTITY THEFT
In the event that University personnel detect any Red Flags, such personnel shall take one or more of the following steps, depending upon the degree of risk posed by the Red Flag(s):
1. Monitoring the account for evidence of identity theft
2. Contacting the customer
3. Changing passwords or security codes and PINs
4. Reopening an account with a new account number
5. Not opening a new account
6. Closing an existing account
7. No collection on an account
8. Notifying law enforcement; or
9. Determining that no response is warranted under the particular circumstances
The University of Montana shall appoint a Program Administration Team comprised of four administrative staff professionals to represent all four campuses of The University of Montana. The Vice President of Administration and Finance will appoint one of these team members as the overall Program Administrator for this program. The Program Administration Team shall have the responsibility for reviewing and updating the Identity Theft Prevention Program. The Program Administrator, or designee, will be responsible for ensuring appropriate training of University staff on the program, for reviewing any staff reports regarding the detection of Red Flags and the steps for preventing and mitigating identity theft, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the Program.
STAFF TRAINING AND REPORTS
Staff training shall be conducted for all employees and officials for whom it is reasonably foreseeable that they may come into contact with accounts or personally identifiable information that may constitute a risk to The University of Montana or its customers. University staff responsible for implementing the Identity Theft Prevention Program shall be trained as necessary either by or under the direction of the Program Administrator in the detection of Red Flags and the responsive steps to be taken when a Red Flag is detected. University employees are expected to notify their supervisor once they become aware of an incident of Identity Theft or of the University’s failure to comply with this program. University staff responsible for development, implementation, and administration of this program will periodically report to the Program Administrator on compliance including the effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening and maintenance of covered accounts, service provider arrangements, significant incidents involving identity theft and management’s response, and recommendations for changes to the program. To ensure maximum effectiveness, employees and officials may continue to receive additional training as changes to the program are made.
OVERSIGHT OF SERVICE PROVIDER ARRANGEMENTS
In the event the University engages a service provider to perform any activity in connection with one or more covered accounts, the University shall take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of Identity Theft.
1. Require, by contract, that service providers have such policies and procedures in place; and
2. Require, by contract, that service providers certify their compliance with applicable FTC regulations, report any Red Flags to the University Program Administrator, and take appropriate steps to prevent or mitigate identity theft.
To reflect changes in risks to the University from Identity Theft and to ensure the continued effectiveness of this program it will be evaluated periodically by the Program Administration Team.
Emma B. Lommasson Center
The University of Montana
Missoula, MT 59812