Policy FN23 IDENTITY THEFT DETECTION, PREVENTION AND MITIGATION PROGRAM

Policy Steward:  Chief Privacy Officer

Contents:

  • Purpose
  • Scope
  • Definitions
  • Administration of the Program
  • Training
  • Further Information

  • PURPOSE:

    In compliance with the Red Flags Rule issued by the Federal Trade Commission, Penn State University has established an Identity Theft Prevention Program. Using reasonable policies and procedures, this Program is intended to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing account and to provide administration of the Program in compliance with Federal Trade Commission requirements, 16 CFR Part 681.

    This policy outlines the parameters by which the program will be coordinated and administered. It applies at all University locations.

    SCOPE:

    This program enables Penn State University, in its capacity as a creditor, to protect existing consumers, reduce risk from identity fraud, and minimize potential damage from fraudulent accounts with the least possible impact on business operations. 

    Note Regarding Third Party Contractors and Service Providers: Penn State University’s Third Party Contractors and Service Providers are expected to follow and be compliant with all federal, state, and local laws or regulations which are applicable to the University. Service Providers and Contractors are required to report any "red flags" to the Chief Privacy Officer. The specific terms and issues of such compliance are addressed in Penn State University’s contractual documents with these providers.

    This program applies to business practices used by employees, Third Party Contractors and Service Providers when conducting business activity relating to a "covered account," as defined below. In order to achieve program objectives, these parties will:

    DEFINITIONS:

    Identity Theft -A fraud committed or attempted using the "personally identifying information" of another individual without that individual's authority.

    Personally Identifying Information -Any full name (first and last) or last name and first initial used in conjunction with other information to identify a specific person. Other identifying information may include their:

    Covered Accounts - For the purposes of the Identify Theft Program at Penn State University, covered accounts specifically refer to any account the University offers or maintains primarily for personal, family or household purposes, that involves multiple payments or transactions.  A covered account also includes any other accounts offered or maintained for which there is a reasonable foreseeable risk to customers or to the safety and soundness of the University from identity theft.

    Customer - An individual who has a “covered account” with the University.

    Creditor - Entities that defer payment for services rendered and bill customers later; who regularly participate in the decision to extend, renew, or continue credit. Includes University departments, as well as Penn State’s Third Party Contractors and Service Providers.

    Red Flag– A practice, pattern of behavior, or specific activity that indicates the possible existence of identity theft.

    ADMINISTRATION OF THE PROGRAM:

    Authorized by the Board of Trustees in March 2009, this program is intended to detect, prevent, and mitigate identity theft in connection with "covered accounts," and to provide guidelines for the administration of the Program per Federal Trade Commission requirements, 16 CFR Part 681.

    Upon Board of Trustee authorization, the Senior Vice President for Finance and Business (or Designee) has delegated operational responsibility of the program to the Chief Privacy Officer, who serves as the Program Administrator.  The Program Administrator shall exercise appropriate and effective oversight over the program and shall report regularly to theSenior Vice President for Finance and Business (or Designee) on the program.

    The Program Administrator is responsible for developing, implementing and updating the program throughout the University system. 

    The program will be periodically reviewed and updated to assure reasonable policies and procedures to identify relevant red flags, detect red flags, and respond appropriately to red flags.  The Program Administrator will consider the University’s experiences with identity theft; changes in identity theft methods; changes in types of accounts the University maintains; changes in the University’s business arrangements with other entities; and any changes in legal requirements in the area of identity theft.

    The Program Administrator shall confer with all appropriate University personnel as necessary to ensure compliance with the program.  The Program Administrator shall annually report to the Senior Vice President for Finance and Business (or Designee) on the effectiveness of the program.  The Program Administrator shall present any recommended changes to the Senior Vice President for Finance and Business (or Designee) for approval.  Senior Vice President for Finance and Business (or Designee) approval shall be sufficient to make changes to Penn State University’s Identity Theft Program.

    TRAINING:

    Training shall be required for all employees whose responsibilities result in their conducting business activity relating to covered accounts. This training will provide the appropriate information that, upon completion, will enable participants to identify, detect, respond to, and minimize the impact of identity theft at the University. Subsequent training will be required when significant changes occur, as recommended and announced by the by the Program Administrator.

    Training may be accessed as follows:

    1. Go to https://cms.psu.edu/default.asp
    2. Press the “Logon” button and login in with your Penn State Access Account
    3. Under My Groups, click on “Find a Group”
    4. In the Keyword Search box, type in “Identity Theft Prevention Program” and click on the Search button
    5. Click on the “Identity Theft Prevention Program” link

    FURTHER INFORMATION:

    For questions, additional detail, or to request changes to this policy, please contact the Privacy Office.


    Effective Date: June 29, 2010
    Date Approved: June 25, 2010
    Date Published: June 29, 2010 (Editorial changes, January 29, 2014)

    Most Recent Changes:

    Revision History (and effective dates):

    | top of this policy | GURU policy menu | GURU policy search | GURU home | GURU Tech Support | Accessibility Statement | Penn State website |