Tufts University "Red Flag" Identity Theft Prevention Program October 2009
I. Program Adoption
Tufts University (“University”) has adopted this initial Identity Theft Prevention Program ("Program") in compliance with the “Red Flag” rules issued by the Federal Trade Commission pursuant to the Fair and Accurate Credit Transactions Act (“FACTA”). The University is engaging in activities which are covered by the FACTA Red Flag rules. After consideration of the size and complexity of the University’s operations and account systems, and the nature and scope of the University’s activities, the Board has determined that this Program is appropriate for the University.
II. Program Purpose
Under the Red Flag rules, the University is required to establish an “Identity Theft Program” with reasonable policies and procedures to detect, identify, respond to and mitigate identity theft in its financial accounts that are covered by the rules. The University shall ensure that the Program is updated periodically to reflect changes in risks to customers or creditors of the University from identity theft.
A “Covered Account” includes all student and employee accounts or loans that are administered by the University and any patient accounts maintained by Tufts University Dental and Veterinary Programs.
A “Customer” includes any person with a covered account with the University (for example: student, patient, employee).
An “Employee” shall mean any staff, faculty, employed student or volunteer who may have access through their work at the University to Customer information relating to Covered Accounts.
“Identity Theft” is a fraud committed or attempted using the identifying information of another person without authority.
“Program Administrator” is the individual designated with primary responsibility for oversight of the program. See Section VIII below.
A “Red Flag” is a pattern, practice, or specific activity that indicates the possible existence of Identity Theft.
IV. Covered Accounts
Tufts has identified various types of accounts that may fall within the regulatory definition of a Covered Account:
1. Federal Perkins Loan Program
2. Health Professional Loan Program
3. Institutional Loans
4. Student Accounts
5. Patient/Clinical Accounts
We believe this list is complete; however, it may be amended should we find other activities that are subject to these rules.
V. Identification of Relevant Red Flags
The University considers the following to be potential Red Flags for Covered Accounts:
1. Receipt of Notice of Dispute or a credit freeze from a credit agency;
2. An identification document or card that appears to be forged, altered or inauthentic;
3. An identification document or card on which a person’s photograph or physical description is not consistent with the person presenting the document;
4. Any other document with information that is not consistent with customer information;
5. Identifying information presented that is inconsistent with other information the customer provides (example: inconsistent birth dates);
6. Identifying information presented that is inconsistent with other sources of information (for instance, an address not matching an address on a Perkins loan application);
7. Social security number presented that is the same as one given by another customer;
8. Notice to the University that a Covered Account has unauthorized activity;
9. Notice by a customer to the University of unauthorized access to or use of customer account information;
10. Notice to the University from a customer, identity theft victim, law enforcement or other person that the University has opened or is maintaining a fraudulent account for a person engaged in Identity Theft;
11. Customer signs a different name on registration forms;
12. A Customer presents conflicting demographic information during registration or treatment without presenting a corroborating piece of identification;
13. A Customer receives a bill and asserts that he/she did not receive services at the facility and other processes indicate that this is likely to be true;
14. A payment is denied by insurance because it is improbable or impossible that the insured patient received the service; and
15. A Customer or a representative of a Customer admits during the service process that someone else’s identity is being used.
VI. Detecting Red Flags
A. Student Enrollment
In order to detect any of the Red Flags identified above associated with the enrollment of a student, University personnel will take the following steps to obtain and verify the identity of the person opening the account:
1. Require certain identifying information such as name, date of birth, academic records, home address or other identification; and
2. Verify the student’s identity at the time of issuance of the student identification card (review of driver’s license or other government-issued photo identification).
B. New Covered Accounts
In order to detect any of the Red Flags identified above associated with the opening of a new Covered Account, University personnel will take any one of the following steps to obtain and verify the identity of the person opening the account:
1. Require certain identifying information such as name, date of birth, residential or business address, driver’s license or other identification;
2. Verify the customer’s identity (review of driver’s license or other government-issued photo identification);
3. Independently contact the Customer.
C. Existing Covered Accounts
In order to detect any of the Red Flags identified above for an existing Covered Account, University personnel will take the following steps to monitor transactions on an account:
1. Verify the identity of the customer whenever they request account information (in person, via telephone, via facsimile, or via email).
D. Consumer Report Requests
When a user of any consumer credit report receives a notice of address discrepancy from any of the consumer credit reporting agencies, the user must:
1. Utilize procedures to form a reasonable belief that the consumer report does relate to the consumer about whom it has requested the report.
2. Utilize procedures, where required, to furnish a confirmed address for the consumer to the credit reporting agency that provided the notice of address discrepancy.
VII. Preventing and Mitigating Identity Theft
In the event University personnel detect any identified Red Flags, such personnel shall take one or more of the following steps, depending on the degree of perceived risk posed by such Red Flag(s):
A. Prevent and Mitigate
1. Continue to monitor a Covered Account for evidence of Identity Theft;
2. Change any password or other security devices that permit access to such Covered Accounts;
3. Notify their supervisor and/or the Program Administrator for determination of the appropriate step(s) to take;
4. Notify law enforcement;
5. Notify the Customer who is the account holder; or
6. Determine that no response is warranted under the particular circumstances.
B. Protect Student Identifying Information
In order to further reduce the likelihood of Identity Theft occurring with respect to Covered Accounts, the University will adopt the following procedural steps to protect Customers’ identifying information:
1. Ensure that its websites are secure and that appropriate data is encrypted;
2. Ensure that system access to Covered Account information is password protected; and
3. Maintain appropriate Employee training as outlined below.
VIII. Program Administration
Responsibility for developing, implementing and updating the Program lies with the Identity Theft Prevention Program Team (“Program Team”). The Program Team is headed by the “Program Administrator,” who is the Director of Financial Services. The Program Team includes representatives from Financial Services, the Bursar’s Office and/or Student Services, University Information Technology, the Dental and Veterinary clinics, and the Office of University Counsel. The Program Team will be responsible for ensuring appropriate training of University Employees with respect to the requirements of the Program; reviewing any Employee reports regarding the detection of Red Flags and the steps taken to prevent and mitigate Identity Theft; and determining which prevention and mitigation steps should be taken in particular circumstances.
B. Employee Training and Reports
Under the direction of the Program Administrator, documentation shall be created to train appropriate Employees in the detection of Red Flags and the responsive steps to be taken when a Red Flag is detected. Training documentation will be made available to key members of the Program Team (or their designees) for proper training of staff in their respective areas of responsibility (student accounts, clinics, etc.). Training documentation should also be included in new Employee orientation, and existing Employees will receive periodic training refreshers covering the Program and their respective responsibilities.
C. Program Updates
The Program Team will review this Program at least annually to evaluate the University’s experiences with Identity Theft situations, changes in Identity Theft methods, changes in Identity Theft detection and prevention methods, and changes in the University’s business arrangements with other entities. After considering these factors, the Program Administrator will determine whether changes to the Program, including the listing of Red Flags, are warranted.
D. Oversight of Service Provider Arrangements
Tufts shall take steps to ensure that any outside service provider who may have access to Covered Accounts, or who is otherwise in a position to identify the occurrence of Red Flags, is made aware of the Program and agrees to fully cooperate with Tufts’ activities thereunder (with specific obligations to be included in any service agreement as appropriate).