Red Flags Policy on Identity Theft

Title: Red Flags Policy on Identity Theft
Effective Date: February 10, 2017
Revision Date: First Version
Responsible Office: Information Technology; Finance & Administration

I.  Scope and Purpose

This policy applies to the College of William & Mary, including the Virginia Institute of Marine Science, hereafter referred to as the University.  The policy establishes the University’s Identity Theft Prevention Program, which helps protect students, employees and others who have certain accounts with the university.  The program is designed to detect, prevent, and mitigate identity theft in accordance with the Federal Trade Commission’s (FTC) Red Flag Rule (16 CFR 681.2), which implements sections of the Fair and Accurate Credit Transactions Act (Pub L. 108-159). 

II.  Definitions 

Covered Account.  A consumer account designed to permit multiple payments or transactions, and any other account for which there is a reasonably foreseeable risk of identity theft, including:

  • student accounts established for the payment of tuition, fees, room, board and other charges related to University activities; and
  • personal accounts through which employees receive wages or reimbursements, and;
  • accounts tied to University identification cards that allow students and employees to load personal funds for use at University retail locations and approved community vendors.

Customer.  A person who has a covered account with the University.  A customer may be a student, employee, or other individual. 

Identify Theft.  A fraud committed or attempted using the identifying information of another person without his or her authority.

Red Flag.  A pattern, practice or specific activity that could indicate identity theft.

III. Policy: Identity Theft Prevention Program 

The university is committed to protecting its students, faculty, staff, and others who entrust their personal information with the University.  Common Red Flags include:

  1. Receipt of Notice of Dispute from a credit agency;
  2. Identification document or card that appears to be forged, altered or inauthentic;
  3. Identification document or card on which a person’s photograph or physical description is not consistent with the person presenting the document;
  4. Inconsistencies in information among different documents presented by the customer (example: inconsistent birth dates);
  5. Identifying information presented by the customer that is inconsistent with other sources of information (for instance, an address not matching an address on a Perkins loan application);
  6. Social Security number presented that is the same as one given by another student or employee; and
  7. Notice to the university from an external source, student, or employee that an account has unauthorized activity.

The Identity Theft Prevention Program consists of this policy, which identifies common Red Flags, and other policies and procedures to detect and respond to any Red Flags that occur.  The Senior Vice President for Finance and Administration will be responsible for the Policy and will establish an Identify Theft Prevention Committee (the “Committee”) to be charged with overseeing the Program. The Committee will be co-chaired by the university’s Chief Financial Officer and the Chief Information Officer.   Members of the Committee may include representatives from Admissions, Advancement, Auxiliary Enterprises, the Bursar’s Office, Financial Aid, Human Resources, Information Technology, Payroll, the Registrar’s Office, and Student Affairs.  Other members may be appointed by the Senior Vice President for Finance and Administration as needed. 

The Committee is responsible for ensuring that reasonable policies and procedures exist to identify, detect, and respond to Red Flags relating to covered accounts.  The Committee is charged with reviewing existing university policies and procedures related to identify theft and incident reporting, and developing new policies and procedures as needed to ensure that the university maintains a high level of due diligence with respect to preventing, detecting, and mitigating identify theft.  The Committee will also be responsible for establishing and maintaining routine training for staff in relevant positions, including training in how to identify a Red Flag, how to report a Red Flag, and how to mitigate against identity theft in Covered Accounts. 

IV.  Authority and Amendment; Implementation 

This policy is approved by the Board of Visitors, in accordance with 16 CFR 681.2.  The Board of Visitors delegates to the Senior Vice President for Finance and Administration the authority to implement this policy.