ADMINISTRATIVE RULE NO: 5090-01

RELATED TO POLICY SERIES NO: 5090

TITLE: IDENTITY THEFT PREVENTION PROGRAM

PURPOSE
To establish an identity theft prevention program. The program is designed to detect, prevent, and mitigate identity theft. This rule applies to college accounts or procedures which either:

  1. allow a person to register, receive financial aid, make payments, or be employed by the college; or
  2. present a "reasonably foreseeable risk" of identity theft.

STATEMENT
The college hereby establishes an identity theft prevention program to detect, prevent, and mitigate identity theft. The program includes procedures to:

  1. identify red flags for covered records and incorporate those red flags into the program;
  2. detect red flags that have been incorporated into the program;
  3. respond appropriately to any detected red flags to prevent and mitigate identity theft; and
  4. update the program periodically to reflect changes in risks to students or employees and to ensure the safety and soundness of the college from identity theft.

DEFINITIONS

  1. Covered Account
    1. a record that the college offers or maintains primarily for registration, financial aid, accounts receivable or payable, or employment; and
    2. any other record that the college offers or maintains for which there is a reasonably foreseeable risk of identity theft to the person or a risk to the safety and soundness of the college's records, including financial, operational, compliance, reputation, or litigation risks.
  2. Identify Theft

    Fraud committed or attempted using the identifying information of another person without authority.

  3. Red Flag

    A pattern, practice, or specific activity that indicates the possible existence of identity theft.

  4. Identifying Information
    Defined as government data, the disclosure of which would likely substantially jeopardize the security of identifying information.

PROGRAM ADMINISTRATION

  1. Oversight

    Responsibility for developing, implementing, and updating this program lies with the college's vice president of finance and operations and the Identity Theft Committee. The vice president will designate a program administrator. The committee will be comprised of:

    1. director of enrollment services
    2. director of human resources
    3. director of information services
    4. assistant director of financial aid
    5. director of accounting and budget
    6. director of college advancement
    7. director of safety and loss prevention
  2. The program administrator and the committee will be responsible for:
    1. program resources and planning;
    2. ensuring appropriate program training of college staff;
    3. reviewing any staff reports regarding red flag detection and identification theft mitigation and prevention;
    4. determining which steps of prevention and mitigation should be taken in particular circumstances commensurate with the risk posed; and
    5. considering periodic changes to the program.

The program administrator and committee will review and update this program annually to reflect changes in risks to students or employees and the soundness of protection of college records from identity theft. In doing so, the program administrator and committee will consider the college's experience with identity theft situations, changes in identity theft methods, changes in identity theft detection and prevention methods, and changes in the college's business arrangements with other entities. After considering these factors, including the degree of identity theft risk posed, the program administrator and committee will determine whether changes to the program, including the listing of new red flags, are warranted. If warranted, the program administrator and committee will update the program or present College Council with recommended changes, and they will make a determination of whether to accept, modify, or reject those changes to the program.

Department heads are responsible for familiarizing themselves with the program. Department heads shall meet with their staff annually to assess current compliance. Staff responsible for implementing the program will be trained by or under the direction of the committee. Staff will provide timely reports to the committee on all incidents of identity theft or occurrences of red flags.

IDENTIFICATION OF RED FLAGS
In order to identify red flags, the college considers the types of records it maintains, the methods it uses to open and access records, and its previous experiences with identity theft. The college has identified the following red flags in each of the listed categories:

  1. Notifications and Warnings from Credit Reporting or Background Check Agencies
    1. Red flags
      1. report of fraud accompanying a credit or background report;
      2. notice or report from a credit agency of a credit freeze on a student, employee, or applicant;
      3. notice or report from a credit agency of an active duty alert for an applicant; or
      4. indication from a credit report of activity that is inconsistent with a student's or employee's usual pattern or activity.
  2. Suspicious Documents
    1. Red flags
      1. identifying information that appears to be forged, altered, or inauthentic;
      2. identifying Information on which a person's photograph or physical description is inconsistent with the person presenting the document;
      3. other document with information that is inconsistent with existing student or employee information (such as if a person's signature on a check appears forged); or
      4. application that appears to have been altered or forged.
  3. Suspicious Personal Identifying Information
    1. Red flags
      1. identifying information presented inconsistent with other information the student or employee provides (e.g., inconsistent birth dates);
      2. identifying information presented inconsistent with other sources of information ( e.g., an address not matching an address on file);
      3. identifying information presented that is the same as information shown on other applications that were found to be fraudulent;
      4. identifying information presented that is consistent with fraudulent activity (e.g., an invalid phone number or fictitious billing address);
      5. social security number presented that is the same as one given by another student or employee;
      6. failure to provide complete personal identifying information on an application when reminded to do so; or
      7. identifying information inconsistent with the information on file for the student or employee.
  4. Suspicious Activity or Unusual Use of Account
    1. Red flags
      1. change of address for a record followed by a request to change the record holder's name;
      2. mail sent to the record holder is repeatedly returned as undeliverable;
      3. notice to the college that a student or employee is not receiving mail sent by the college;
      4. notice to the college that an account has unauthorized activity;
      5. breach in the college computer system security; or
      6. unauthorized access to or use of student or employee account information.
  5. Alerts From Others
    1. Red flag
      1. notice to the college from a student or employee, identity theft victim, law enforcement, or other person that the college has opened or is maintaining a fraudulent record for a person engaged in identity theft.

DETECTING RED FLAGS

  1. New Records

    In order to detect any of the red flags identified above associated with a new record or which presents a foreseeable risk of identity theft, college personnel will take the following steps to obtain and verify the identity of the person or business opening the account:

    1. Require certain Identifying Information, including:
      1. full name;
      2. date of birth (for individual);
      3. previous and current residential or business address; and
      4. identification.
        1. U.S. citizen
          • (a) social security number; and/or
          • (b) photo-bearing documents (original required) such as:
            • state-issued driver's license; or
            • state-issued identification card; or
            • United States passport.
        2. Non-U.S. citizen
          • (a) social security number; and/or
          • (b) photo-bearing documents (original required) such as:
            • state-issued driver's license; or
            • state-issued identification card; or
            • passport from any country; or
            • documents containing an alien identification number and country of issuance; or
            • any other photo-bearing government-issued document evidencing nationality or residence.
    2. Review all documentation for red flags; and/or independently contact the student or employee.
  2. Existing Records

    In order to detect any of the red flags identified above for an existing record, personnel will take the below steps to monitor transactions. College personnel have the discretion to determine the degree of risk posed and act accordingly.

    1. verify person's identifying information if a person requests any information on the record (this can be done in person, via telephone, via facsimile, or via email);
    2. verify the validity of requests to change address; and
    3. verify changes in banking information given for payment purposes.

PREVENTING AND MITIGATING IDENTITY THEFT
In order to further prevent the likelihood of identity theft, personnel will take the below steps, commensurate with the degree of risk posed, regarding ongoing internal operating procedures. College personnel have the discretion to determine the degree of risk posed and act accordingly.

  1. Ensure that its website is secure or provide clear notice that the website is not secure.
  2. Ensure complete and secure destruction of paper documents and computer files containing a person's identifying information.
  3. Ensure that office computers are password protected.
  4. Keep offices clear of papers containing personal information.
  5. Ensure computer virus protection is up-to-date.
  6. Require and keep only information necessary for business purposes.
  7. Transmit identifying information using only approved methods, and include the following statement on any transmitted identifying information:
    This message may contain confidential and/or proprietary information, and is intended for the person/entity to which it was originally addressed. If you have received this email by error, please contact the college and then delete the original document. Any use by others is strictly prohibited.
  8. Do not use or post a person's social security number as an account identifier or on any other documents unless requested by the person or required by federal law (such as W-2 forms).
  9. Steps to take when you detect a red flag
    In the event college personnel detect red flags, they will take one or more of the below steps, commensurate with the degree of risk posed, to prevent and mitigate risk of identity theft.

    College personnel have the discretion to determine the degree of risk posed and act accordingly.

    1. continue to monitor an account for evidence of identity theft;
    2. contact the person, either by written notice or telephone;
    3. refuse to open a new account;
    4. close an existing account;
    5. reopen an account with a new number;
    6. notify the program administrator for determination of the appropriate step(s) to take based on the Oregon Identity Theft Act Best Practices; or
    7. determine that no response is warranted under the particular circumstances.

SERVICE PROVIDER ARRANGEMENTS
In the event the college engages a service provider to perform an activity in connection with a covered account, the college will take one of the following steps to ensure the service provider performs in accordance with the program:

  1. Require, by contract, that service providers have appropriate policies and procedures in place designed to detect, prevent, and mitigate identity theft.
  2. Require, by contract, that service providers review this program and report any red flags to the program administrator.
  3. Require that contracts include indemnification provisions limiting the college's liability for the service provider's failure to detect, prevent, or mitigate identity theft.

NON-DISCLOSURE OF SPECIFIC PRACTICES
Disclosure of specific information or practices regarding red flag identification, detection, mitigation, and prevention practices may be limited to designated college staff and/or policymakers. Documents produced to develop or implement the program which describe specific practices may constitute security information and may be non-disclosable because disclosure would likely jeopardize the security of identifying information and may circumvent the college's identity theft prevention efforts.

DATE OF ADOPTION: 4/13/09
DATE(S) OF REVISION(S): 12/1/16
DATE OF LAST REVIEW: 12/1/16; 1/7/21