Auburn University developed this Identity Theft Prevention Program (''Program'') pursuant to the Federal Trade Commission's Red Flags Rule (''Rule'') to help detect, prevent, and mitigate identity theft.[1] This Program was developed with oversight and approval of the Audit & Compliance Committee of the Auburn University Board of Trustees. After consideration of the size, complexity, nature and scope of the University's operations and activities, the Audit & Compliance Committee determined that this Program was appropriate for the Auburn University, and therefore approved this Program on February 2, 2024.
[1] The Red Flag Rule was issued in 2007 under Section 114 of the Fair and Accurate Credit Transactions Act (FACT Act), Pub. L. 108-159, amending the Fair Credit Reporting Act (FCRA), 15 U.S.C. 1681m(e); 16 C.F.R. § 681.1. The Rule was amended by the Red Flag Clarification Act of 2010 (Pub. L. 111-319).
Red Flags are defined by the Act as warning signs which should alert an organization that a risk of identity theft exists. The Act supplements other legislation aimed at preventing identity theft through tightened data security (e.g., Gramm-Leach-Bliley) by addressing situations where individuals attempt to use another person’s identity to fraudulently obtain resources or services.
Auburn University as a Creditor/Financial Institution
Red Flag Rules apply to financial institutions and creditors that offer or maintain accounts that provide for multiple transactions primarily for personal, family, or household purposes. Auburn University is covered under these rules because (a) it offers or maintains 'transaction accounts' that could be subject to a reasonably foreseeable risk of identity theft and (b) it regularly and in the course of ordinary business acts as a creditor in that it participates in the extension, renewal, or continuation of credit to customers (e.g., participation in the Federal Perkins Loan Program; participating as a school lender in the Federal Family Education Loan Program; offering institutional loans to students or employees; offering a payment plan for tuition; as well as any situation where services are paid for involving multiple payments or transactions).
Fulfilling requirements of the Red Flags Rule
Under the Red Flag Rule, the University is required to establish an ''Identity Theft Prevention Program'' tailored to its size, complexity, and the nature of its operation. This program must contain reasonable policies and procedures to:
- Identify relevant Red Flags for new and existing covered accounts and incorporate those Red Flags into the Program;
- Detect Red Flags that have been incorporated into the Program;
- Respond appropriately to any Red Flags that are detected to prevent and mitigate Identity Theft; and
- Ensure the Program is updated periodically, to reflect changes in risks to customers or to the safety and soundness of the creditor from Identity Theft.
Red Flags Rule definitions used in this Program
Covered Account: any account the University offers or maintains primarily for personal, family or household purposes, that involves multiple payments or transactions. A Covered Account also includes any other accounts offered or maintained for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the University from identity theft. A list of ''Covered Accounts'' shall be maintained by the Program Administrator.
Customer: an individual who has a ''Covered Account'' with the University.
Creditor: an entity that regularly and in the ordinary course of business—(i) obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction; (ii) furnishes information to consumer reporting agencies in connection with a credit transaction; or (iii) advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or on repayment from specific property pledged by or on the person's behalf. Includes University departments, as well as Auburn’s third-party contractors and service providers.
Identifying Information: ''any name or number that may be used, alone or in conjunction with any other information, to identify a specific person,'' including: name, address, telephone number, Social Security Number, date of birth, government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number, unique electronic identification number, computer’s Internet Protocol address, or routing code, or unique biometric data such as fingerprint, voice print, retina or iris image, or other unique physical representation.
Identity Theft: fraud committed or attempted using the identifying information of another person without authority.
Program Administrator: the senior staff member delegated by the President with the responsibility to oversee, implement, administer, and revise the policy to conform with updated legal requirements, business processes, and technologies.
Red Flag: a pattern, practice, or specific activity that indicates the possible existence of Identity Theft.
To identify Red Flags, Auburn University considers the types of accounts that it offers and maintains, the methods it provides to open its accounts, the methods it provides to access its accounts, and its previous experiences with Identity Theft. Red Flags generally fall within one of five types that may signal identity theft, which employees should be aware of and diligent in monitoring for:
- Alerts and Notifications: alerts, notifications, or warnings from a credit reporting agency, including fraud alerts, credit freezes, official notice of address discrepancies, or a pattern of unusual activity.
- Suspicious Documents: such as those appearing to be forged or altered, or where the photo identification does not resemble its owner, or an application which appears to have been cut, pasted, or photocopied (different type, color, or size of font).
- Suspicious Personal Identifying Information: such as discrepancies in address, Social Security Number, date of birth, or other information on file; an address that is a mail-drop, a prison, or is invalid; a phone number that is likely to be an internet phone number, VoIP, or answering service; personal information of others already on file; and/or failure to provide all required information.
- Suspicious Account Activity or Unusual Use of Account: such as requests to change direct deposit information or to add an authorized user, material changes in payment patterns, notification that the account holder is not receiving mailed statements, or that the account has unauthorized charges.
- Alerts from Others: notice to Auburn University from a customer, victim of identity theft, law enforcement authorities, or other entities about possible identity theft in connection with Covered Accounts.
- Additional Red Flags Specific to Health Care Clinics: such as failure to produce an insurance card or other physical documentation of insurance even though an insurance number was provided; medical treatment that is inconsistent with a physical examination or medical history as reported by the patient; complaints or inquiries from a patient regarding billing; or a patient or insurance company report that coverage for a legitimate service is denied because insurance benefits have been depleted or a lifetime cap has been reached.
Red Flag detection practices are described below for relevant program areas. The Program Administrator will consult with appropriate University management to ensure the implementation of the Program and that appropriate protocols are established for each Covered Account.
Student Enrollment
To detect any of the Red Flags identified above associated with the enrollment of a student, University personnel will take the following steps (at a minimum) to obtain and verify the identity of the person submitting an application to the University:
1) Require certain Identifying Information such as name, date of birth, academic records, home address or other identification; and
2) Verify the student’s identity at time of issuance of the student identification card, to include the review of a government-issued photo identification card.
New Accounts
To detect any of the Red Flags identified above associated with the opening of a new Covered Account, University personnel will take the following steps (at a minimum) to obtain and verify the identity of the person opening the account:
1) Require certain Identifying Information such as name, date of birth, residential or business address, principal place of business for an entity, driver's license or other identification;
2) Verify the Customer's identity, to include the review of a government-issued photo identification card;
3) Independently contact the Customer; and
4) For emergency loans, require that requests be made in person by presenting photo identification or from a properly authorized University-issued account. The check can only be mailed to an address on file or picked up in person by showing picture ID.
Existing Accounts
To detect any of the Red Flags identified above for an existing account, University personnel will take the following steps (at a minimum) to monitor transactions with a Covered Account:
1) Verify the identity of Customers if they request information (in person, via telephone, via facsimile, via email);
2) Verify the validity of requests to change billing addresses by mail or email and provide the Customer a reasonable means of promptly reporting an incorrect billing address change; and
3) Verify changes in banking information given for billing and payment purposes.
Consumer (''Credit'') Report Requests
To detect any of the Red Flags identified above for an employment or volunteer position for which a credit or background report is sought, University personnel will take the following steps to assist in identifying address discrepancies:
1) Require written verification from any applicant that the address provided by the applicant is accurate at the time the request for the credit report/background check is made to the reporting agency; and
2) If notice of an address discrepancy is received, verify that the credit report/background check pertains to the applicant for whom the requested report was made and report to the agency an address for the applicant that the University has reasonably confirmed is accurate.
In the event Auburn University personnel detect any identified Red Flags, such personnel shall take all appropriate steps to respond to and mitigate identity theft depending on the nature and degree of risk posed by the Red Flag. When a potentially fraudulent activity is detected, Auburn University must act quickly as appropriate to protect students, employees, customers, and patients.
The detection of a Red Flag by an employee shall be reported to their supervisor or designated authority who in turn will report the matter to the Program Administrator following an initial authentication review. The Program Administrator or their authorized designee shall investigate the reported suspicious activity and based on the type of Red Flag, will determine the appropriate response.
Protect constituent identifying information
To further prevent the likelihood of identity theft occurring with respect to Covered Accounts, the University will take the following steps in its internal operating procedures to protect constituent Identifying Information:
- Ensure that its website is secure or provide clear notice that the website is not secure;
- Ensure complete and secure destruction of paper documents and computer files containing individual account information when a decision has been made to no longer maintain such information;
- Ensure that computers with access to Covered Account information are password protected and that computer screens lock automatically after a set period of time;
- Avoid the use of Social Security Numbers where such use is not required;
- Maintain papers containing constituent information in a secure manner;
- Ensure computers are patched in a timely manner and that virus protection is up to date; and
- Require and keep only the kinds of information that are necessary for university purposes.
Additional Identity Theft Prevention Measures
This Program incorporates by reference the following internal policies in the Auburn University Policy Database accessible at http://www.auburn.edu/policies:
- All Auburn University information technology policies
- Cardholder Data Environment Policies
- Information Disclosure and Confidentiality Policy
- Any additional policies and procedures regarding the protection of University Data and information as they are promulgated from time to time.
Oversight
The Audit & Compliance Committee of the Auburn University Board of Trustees shall be responsible for the initial approval of this Program. Authority to implement and administer the Program and to approve all future revisions to the Program shall be delegated to the President and to those he or she deems appropriate. The Program Administrator may appoint an Identity Theft Committee for the University, which may be a subcommittee of another data security or privacy committee, to implement and update this Program, consisting of at least two other individuals. The Program Administrator is responsible for program oversight, ensuring appropriate training of university personnel on the Program, reviewing any reports regarding the detection of Red Flags, determining which steps for preventing and mitigating Identity Theft should be taken in particular circumstances, and considering periodic changes to the Program.
Staff Training and Reports
University personnel responsible for implementing the Program shall be trained either by or under the direction of the Program Administrator in the detection of Red Flags and the responsive steps to take when a Red Flag is detected.
Service Provider Arrangements
In the event the University engages a third-party service provider to perform an activity in connection with one or more Covered Accounts, the University will take the following steps to ensure the service provider performs its activity in accordance with policies and procedures designed to detect, prevent, and mitigate the risk of Identity Theft:
- Require, by contract, that service providers have such policies and procedures in place; and
- Require, by contract, that service providers review the University's Program and report any Red Flags to the Program Administrator.
A vendor that maintains its own identity theft prevention program consistent with the guidance of the Red Flag Rules, and validated by appropriate due diligence, may meet these requirements.
Specific Program Elements and Confidentiality
For the effectiveness of Identity Theft prevention Programs, the Red Flag Rule envisions a degree of confidentiality regarding the University’s specific practices relating to Identity Theft detection, prevention, and mitigation. Therefore, under this Program, knowledge of any specific practices is to be limited to the Program Administrator, Identity Theft Committee, and those employees who need to know for purposes of preventing Identity Theft.