2017 Recompilation, formerly Rule 2.91
07/29/2009 Policy adoption ratified by Board of Regents
07/14/2009 Policy approved by Administrative Council
PART 1: INTRODUCTION
The Fair and Accurate Credit Transactions Act of 2003, an amendment to the Fair Credit Reporting Act, requires rules regarding identity theft protection to be promulgated and adopted jointly by the Office of the Comptroller of the Currency, Treasury; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; the Office of Thrift Supervision, Treasury; the National Credit Union Administration; and the Federal Trade Commission. The risk to New Mexico State University (the “university”), and its students, faculty, staff, and other constituents from data loss and Identity Theft is of significant concern to the university.
PART 2: PURPOSE
The university adopts this Identity Theft Prevention Program (the “Program”) in an effort to detect, prevent, and mitigate Identify Theft in connection with the opening of a Covered Account or any existing Covered Account. The Program is further intended to help protect students, faculty, staff, and other constituents and the university from damages related to the fraudulent activity of Identity Theft.
- This Program will:
- Identify patterns, practices, or specific activities that indicate the possible existence of Identity Theft with regard to new or existing Covered Accounts;
- Detect Red Flags that have been incorporated into the Program;
- Respond appropriately to any Red Flags that are detected under the Program;
- Ensure periodic updating of the Program, including reviewing the accounts that are covered and the identified Red Flags that are part of the Program; and
- Promote compliance with state and federal laws and regulations regarding Identity Theft protection.
PART 3: SCOPE
The Program applies to all units of the university’s Las Cruces campus, community college campuses and satellite operations having interaction with students, faculty, staff, and other constituents.
PART 4: DEFINITIONS
- Covered Account: An account the university offers or maintains that involves or is designed to permit multiple payments or transactions; and every new and existing account maintained by the university for its students, faculty, staff, and other constituents that meets the following criteria:
- Accounts for which there is a reasonably foreseeable risk of Identity Theft; or
- Accounts for which there is a reasonably foreseeable risk to the safety or soundness of the university from Identity Theft, including financial, operational, compliance, reputation, or litigation risk.
- Identity Theft: Fraud committed or attempted using the identifying information of another person without authority.
- Personally Identifying Information: Any information that may be used to identify a specific person in conjunction with the name of the person, including: name, address, telephone number, social security number, date of birth, government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, student identification number, computer’s Internet Protocol address, banking account information and credit card information.
- Red Flag: A pattern, practice, alert, or specific activity that indicates the possible existence of Identity Theft.
- Program Administrator: The individual assigned with primary responsibility for oversight of the Program.
PART 5: PROCEDURES FOR THEFT PREVENTION
A. Identification of Red Flags
Any time a Red Flag, or a situation closely resembling a Red Flag, is apparent, it should be investigated for verification by the highest authority within the operation or department of the university where it has or is occurring. The following list is not intended to be complete or comprehensive, but rather only provide examples of the most common Red Flags.
- Alerts, notifications, or warnings from a consumer reporting agency: Examples of these Red Flags include, but are not limited to, the following:
- A fraud or active duty alert included with a consumer report;
- A notice of credit freeze from a consumer reporting agency in response to a request for a consumer report;
- A notice of address discrepancy from a consumer reporting agency as defined in § 334.82(b) of the Fairness and Accuracy in Credit Transactions Act; and
- A consumer report that indicates a pattern of activity inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
- A recent and significant increase in the volume of inquiries;
- An unusual number of recently established credit relationships;
- A material change in the use of credit, especially with respect to recently established credit relationships; or
- An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.
- Suspicious documents: Examples of these Red Flags include, but are not limited to, the following:
- Documents provided for identification that appears to have been altered or forged;
- The photograph or physical description on the identification is not consistent with the appearance of the student, faculty, staff, and other constituent presenting the identification;
- Other information on the identification is not consistent with information provided by the person opening a new Covered Account or student, faculty, staff, and other constituent presenting the identification;
- Other information on the identification is not consistent with readily accessible information that is on file with the university; and
- An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
- Suspicious Personally Identifying information: Examples of these Red Flags include, but are not limited to, the following:
- Personally Identifying Information provided is inconsistent when compared against external information sources used by the university;
- Personally Identifying Information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the university;
- Personally Identifying Information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the university;
- The SSN provided is the same as that submitted by another student, faculty, staff, or constituent;
- The person opening the Covered Account fails to provide all required Personally Identifying Information on an application or in response to notification that the application is incomplete;
- Personally Identifying Information provided is not consistent with Personally Identifying Information that is on file with the university ; and
- When using security questions (mother’s maiden name, pet’s name, etc.), the person opening the Covered Account cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
- Unusual use of, or suspicious activity related to, the Covered Account: Examples of these Red Flags include, but are not limited to, the following:
- Shortly following the notice of a change of address for a Covered Account, the university receives a request for new, additional, or replacement goods or services, or for the addition of authorized users on the account;
- A Covered Account is used in a manner that is not consistent with established patterns of activity on the account;
- A Covered Account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors);
- Mail sent to the student, faculty, staff, or other constituent is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the Covered Account;
- The university is notified that the student, faculty, staff, or other constituent is not receiving account statements;
- The university is notified of unauthorized charges or transactions in connection with a Covered Account;
- The university receives notice from students, faculty, staff, or other constituents, victims of Identity Theft, law enforcement authorities, or other persons regarding possible Identity Theft in connection with Covered Accounts held by the university ; and
- The university is notified by a student, faculty, staff, or other constituent, a victim of Identity Theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in Identity Theft.
B. Responding to Red Flags
- Once a Red Flag, or potential Red Flag, is detected, the university will endeavor to act quickly as a rapid appropriate response can protect students, faculty, staff, and other constituents and the university from damages and loss.
- The university will quickly gather all related documentation, write a description of the situation, and present this information to the Program Administrator for determination.
- The Program Administrator will complete additional authentication to determine whether the attempted transaction was fraudulent or authentic.
C. Responsive Action
If a transaction is determined to be fraudulent, appropriate actions will be taken immediately. Actions may include:
- Canceling the transaction;
- Notifying and cooperating with appropriate law enforcement;
- Determining the extent of liability of the university; and
- Notifying the student, faculty, staff, or other constituent that fraud has been attempted.
PART 6: POLICIES AND PROCEDURES TO PROTECT PERSONALLY IDENTIFYING AND CONFIDENTIAL INFORMATION
- The following information, even though it may otherwise be considered public or proprietary, is often used in conjunction with confidential information to commit fraudulent activity such as Identity Theft:
- Payroll information, such as paychecks and pay stubs.
- Benefit enrollment forms and associated supporting documentation.
- Medical information for any employee or customer, including but not limited to doctor names and claims, insurance claims, prescriptions and related personal medical information.
- Distribution of Information:
- Hard Copy. In accordance with NMSU Institutional Data Security policy and rules, all university personnel should make efforts to secure data.
- Electronic. The university regulates electronic distribution of confidential information under the following guidelines:
- NMSU Institutional Data Security Policy
- Information Stored on Computing Devices Policy
- Acceptable Use Rule
- All university employees should comply with the following policies:
- Confidential and other information commonly used in Identity Theft may only be transmitted using approved methods as defined by the Information and Communication Technology department.
- Confidential and other information commonly used in Identity Theft in an electronic format must be protected from unauthorized access or disclosure at all times.
- All e-mails containing confidential and other information commonly used in Identity Theft should include the following statement: “This message may contain confidential and/or proprietary information and is intended for the person/entity to which it was originally addressed. Any use by others is strictly prohibited.”
PART 7: APPLICATION OF OTHER LAWS AND UNIVERSITY POLICIES
University personnel must make reasonable efforts to secure confidential and other information commonly used in Identity Theft to the proper extent. Furthermore, this section should be read and applied in conjunction with the Family Education Rights and Privacy Act (“FERPA”) and other applicable laws and university policies. If an employee is uncertain of the confidentiality of a particular piece of information, he/she should contact the Program Administrator or the Office of General Counsel.
PART 8: PROGRAM ADMINISTRATION
- Involvement of Management
- Establishment of the Program is the responsibility of the university’s Board of Regents. The board’s approval of the initial plan must be appropriately documented and maintained.
- Operational responsibility of the Program, including but not limited to the oversight, development, implementation, and administration of the Program, approval of needed changes to the Program, as well as periodic evaluation of the Program and implementation of needed changes to the Program, is delegated to the university’s associate vice president for information technology as the Program Administrator. If deemed appropriate and necessary by the Program Administrator, an Identity Theft Committee will be established to assist with implementing, maintaining and updating the Program.
- Employee Training
- Training will be conducted for all employees for whom it is reasonably foreseeable, as determined by the Program Administrator, that the employee may come into contact with accounts or Personally Identifiable Information that may constitute a risk to the university or its students, faculty, staff, and other constituents.
- The university’s Office of Human Resources Services offices are responsible for ensuring that Identity Theft training is conducted for all employees for whom it is required.
- Employees shall receive annual training in all elements of the Program.
- To ensure maximum effectiveness, employees will continue to receive additional training as changes to the Program are made.
- Oversight of Service Provider Arrangements
- The university will endeavor to ensure that the activities of all service providers are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of Identity Theft.
- A service provider that maintains its own Identity Theft prevention program, consistent with the guidance of the Red Flag rules and validated by appropriate due diligence, may be considered to be meeting these requirements.
- Any specific requirements will be specifically addressed in the appropriate contract arrangements.
PART 9: UPDATES
The Program Administrator will require a periodic review of the Program to reflect changes in risks to students, faculty, staff and other constituents, and the soundness of the university from Identity Theft. This review will consider the university’s experiences with Identity Theft situations, changes in Identity Theft methods, changes in Identity Theft detection and prevention methods, and changes in the university’s business arrangements with other entities. The review will also include an assessment of which accounts are covered by the Program, accuracy and completeness of Red Flags and actions taken when fraudulent activity is discovered. After considering these factors, the Program Administrator will determine whether changes to the Program are warranted. If warranted, the Program will be updated.
PART 10: NON DISCLOSURE
For the effectiveness of this Program, knowledge about specific Red Flag identification, detection, mitigation and prevention practices may need to be limited to the Program Administrator and to those employees with a need to know them. Any documents that may have been produced or are produced in order to develop or implement this program that list or describe such specific practices and the information those documents contain are considered “confidential” and should not be shared with other university employees or the public. The Program Administrator shall inform those employees with a need to know the information of those documents or specific practices which should be maintained in a confidential manner.
2017 Recompilation, formerly Rule 2.91
07/29/2009 Policy adoption ratified by Board of Regents
07/14/2009 Policy approved by Administrative Council