Policies

10.10 Identity Theft Prevention Programs

Purpose:

To establish an Identity Theft Prevention Program designed to detect, prevent, and mitigate identity theft in connection with opening a covered account or an existing covered account at the University of Northern Iowa.

This Program is established pursuant to the Federal Trade Commission's Red Flags Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003.

Definitions:

Account: A continuing relationship established as a result of becoming a student, accepting employment, or obtaining goods or service which includes an extension of credit involving a deferred payment.

Covered Account: Accounts allowed by the University of Northern Iowa which are primarily for students, faculty, and staff and allow multiple payments or transactions; and any other accounts the University of Northern Iowa maintains for which there is a foreseeable risk to customers or to the safety and soundness of the University of Northern Iowa from identity theft, including financial, operational, compliance, reputation, or litigation risks.

Red Flag: A pattern, practice or specific activity that indicates the possible existence of identity theft.

Identity Theft: A fraud committed or attempted using the identifying information of another person without authority.

Identifying Information: Any name or number used (alone or in conjunction with any other information) to identify a specific person.

Policy:
  1. University of Northern Iowa Identification of Covered Account
    1. Student – Accounts opened as part of being a registered student.
    2. Faculty and Staff – Accounts opened as a result of accepting employment.
    3. Non-Student – Accounts opened as a result of obtaining goods or services.   
  2. Establishment of an identity Theft Prevention Program
    1. The University of Northern Iowa establishes its program through the implementation of this policy. The Program is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.   
  3. Elements of the Program
    1. The University of Northern Iowa will identify relevant Red Flags for covered accounts that the University offers or maintains and will incorporate those Red Flags into the Program.
    2. The University of Northern Iowa will put process and procedures in place to detect Red Flags that have been incorporated into the Program.
    3. The University of Northern Iowa will respond appropriately to any Red Flags that are detected in order to prevent and mitigate identity theft
    4. The University of Northern Iowa will ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the University systems and services from identity theft.  
  4. Administration of the Program
    1. The initial program shall be approved by the Board of Regents, State of Iowa.
    2. Program oversight shall be the responsibility of the Director, Office of Business Operations and responsibility for the implementation of the program shall be assigned to the Bursar, Cashier Coordinator, and other designee(s) as necessary and appropriate. University staff will be trained as necessary to effectively implement the Program.
    3. At least annually, the Bursar, Cashier Coordinator, and any other designee(s) shall report to the Director, Office of Business Operations on the University of Northern Iowa’s compliance with the detection, prevention, and mitigation of identity theft.  
  5. Service Provider Arrangements
    1. When the University of Northern Iowa engages a service provider in connection with one or more covered accounts, the University will require the service provider by contract to have policies and procedures in place to detect relevant Red Flags that may arise in the performance of the service provider’s activities, and to report the Red Flags to the University of Northern Iowa, as well as to take appropriate steps to prevent or mitigate identity theft.  
  6. Identification of Red Flags
    1. When identifying relevant Red Flags, the University of Northern Iowa will consider, as appropriate, the types of covered accounts it offers or maintains, the methods it provides to open its covered accounts, the methods it provides to access its covered accounts, and its previous experiences with identity theft.  
  7. Detection of Red Flags
    1. To detect Red Flags, the University of Northern Iowa will take the following steps to obtain information and verify the identity of the person opening a covered account or using an existing covered account, consistent with the applicable University procedures:
      1. obtain indentifying information and verify identity of a person opening a covered account; and
      2. monitor transactions and verify validity of change of address requests for existing covered accounts.
  8. Identified Potential Red Flags and Corresponding Responses/Procedures
    1. The attachment to this section is to be updated periodically, to reflect changes in risks to students and customers and to the safety and soundness of the University systems and services from identity theft.

Red Flag Response Policy    

UNI notified of unauthorized charges or transactions on customer's account

1) Notify University Police 2) Suspend charging ability 3) Advise UNI departments to cease submitting charges for that account
Documents provided for identification appear to have been altered or forged 1) Refuse Service  2) Notify University Police  3) Retain altered or forged documents
Photograph on UNI ID card is not consistent with the appearance of the customer presenting the identification  1) Request additional form of Photo ID to resolve inconsistency - if not resolved with additional form of Photo ID, or additional form not provided, refuse service  2) Notify University Police  3) Retain UNI ID card
Customer unable to correctly answer challenge questions. 1) Refuse service    
Information is discovered that is not consistent with information already on file 1) Contact customer to provide additional documentation to resolve discrepancy 2) If any suspicion of fraud remains, notify University Police  
Personal identifying information associated with known Fraud activity  1) Follow University Police procedures and policies    
Social Security Number provided matches that of another person  1) Request additional information to resolve SSN discrepancy  2) Resolution required or refuse service  3) If service refused, report to University Police
Social Security Number provided has not been issued or appears on the Social Security Administration's Death master File  1) Request additional information to resolve SSN discrepancy  2) Resolution required or refuse service 3) If service refused, report to University Police
Lack of Correlation between Social Security Number range and date of birth  1) Request additional information to resolve SSN discrepancy  2) Resolution required or refuse service 3) If service refused, report to University Police
Personal information provided inconsistent with information alreadymon file (e.g. address)  1) Request additional information to resolve 2) Resolution required or refuse service  
Excessive spending on discretionary items or drastic change in purchasing patterns  1) Contact customer to verify purchases are legitimate and i.d. card is not stolen  2) If any suspicion of fraud remains, suspend charging ability  3) If any suspicion of fraud remains, notify University Police
Mail sent to customer repeatedly returned as undeliverable despite ongoing transactions on active account 1) Contact customer to determine correct address 2) If unable to determine correct address, suspend charging ability until resolved  

Office of Business Operations, approved May 27, 2009.
President's Cabinet, approved June 9, 2009.
Board of Regents, State of Iowa, approved June 11, 2009.