48.001: Identity Theft Prevention

Status:

Approved

Effective:

January 25, 2019

By:

Deborah Shaffer
Vice President for Finance and Administration

Endorsed:

Chaden Djalali
Executive Vice President and Provost

Approved:

M. Duane Nellis
President

Signatures and dates on archival copy
  1. Overview

    The Red Flags Rule was issued in 2007 under Section 114 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003 and published at 16 CFR 681.1. The Red Flags Rule was established to protect consumers from the incidence of identity theft. The purpose of this policy is to assist employees in identifying, detecting and responding to patterns, practices and/or specific activities known as red flags that could indicate identity theft.


  2. Definitions

    1. Covered Account: Includes all student, patient, and employee accounts or loans that are administered by Ohio University.

      1. Any account that involves or is designated to permit multiple payments or transactions; or
      2. Any other account maintained by the university for which there is a reasonably foreseeable risk of identity theft to students, faculty, staff, customers or other applicable constituents, or for which there is a reasonably foreseeable risk to the safety or soundness of the university from identity theft, including financial, operational, compliance, reputation or litigation risks.
    2. Identifying information: Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including but not limited to: name, address, telephone number, social security number, date of birth, government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, student identification number, computer Internet Protocol address or routing code, credit card number or other credit card information.
    3. Red flag: A pattern, practice or specific activity that indicates the possible existence of identity theft.
    4. Identity theft: A fraud committed or attempted using the identifying information of another person without authority.
    5. Service Provider: A person or entity that performs an activity in connection with a covered account on behalf of the university (Examples: collection agencies, billing servicers).
  3. Covered Account

    1. Covered accounts maintained by Ohio University include, but are not limited to, the following:

      1. Student loans (including Perkins Loans and institutional loans)
      2. Student accounts (including Bobcat Cash)
      3. Patient/client accounts (including Well Works, clinics, etc.)
  4. Identification and Detection of Red Flags

    1. Ohio University’s Identity Theft Prevention Program addresses the detection of red flags in connection with the opening of covered accounts and existing covered accounts, such as:
      1. Obtaining identifying information about, and verifying the identity of a person. For example, requiring persons to show a valid photo ID or other proof of identity for any person conducting business with the university when opening a covered account and with existing accounts.
      2. Authenticating customers, monitoring transactions, and verifying the validity of change of address requests in the case of existing accounts.
    2. The following examples of red flags are potential indicators of fraud or identity theft. The risk factors for identifying relevant red flags include the types of covered accounts offered or maintained; the methods provided to open or access covered accounts; and, previous experience with identity theft. Any time a red flag or a situation closely resembling a red flag is apparent, it must be investigated for verification. Some examples are:
      1. Alerts, notifications or warnings from a credit or consumer reporting agency.
      2. Suspicious documents.
      3. Suspicious personal identifying information.
      4. Unusual use of, or suspicious activity related to, the covered account.
  5. Responding to Red Flags

    Once a red flag or potential red flag is detected, the employee must act quickly with consideration of the risk posed by the red flag. The employee detecting the red flag must gather all related documentation, write a description of the situation and present this information to the Program Administrator for determination. The Program Administrator will complete additional authentication to determine whether the attempted transaction was fraudulent or authentic.

  6. Protecting Personal Information

    Employees designated by the Program Administrator must review on an annual basis the university's Red Flag Program. University personnel are also encouraged to use good judgment in securing covered account information. Furthermore, designated employees must review policy 12.020 Student Records, policy 93.001 Data Classification, policy 40.007 Public Records Requests, and other applicable laws and policies. If an employee is uncertain of the sensitivity of a particular piece of information, he/she must contact his/her supervisor. If the supervisor is uncertain, they must contact the Program Administrator for further advice.

  7. Program Administration

    Operational responsibility of the program at the university is delegated to a Program Administrator. The duties of the Program Administrator are oversight, development, implementation and administration of the program; approval and implementation of needed changes to the program; and staff training. The Program Administrator is also responsible for ensuring that appropriate steps are taken for preventing and mitigating identity theft, for reviewing any staff reports regarding the detection of red flags, and for determining which steps must be taken in particular circumstances when red flags are suspected or detected.

  8. Staff Training

    Staff training must be conducted for all employees who may come into contact with covered accounts or identifying information, as determined by the Program Administrator. The Program Administrator must retain training records for all designated employees showing that all designated employees have received annual training.

  9. Periodic Updates to the Program

    1. The program will be re-evaluated annually to determine whether the program addresses currently relevant and emerging risks for identity theft. Consideration will be given to the university's experiences with identity theft situations; changes in identity theft methods, detection methods or prevention methods; and, changes in the university’s business arrangements with other entities.
    2. Periodic reviews will include an assessment of which accounts are covered by the program. As part of the review, red flags may be revised, replaced or eliminated. Defining new red flags may also be appropriate. Actions to take in the event that fraudulent activity is suspected or discovered may also require revision to the program.
  10. Overview of Service Provider Arrangements

    It is the responsibility of the university to ensure that the activities of all service providers are conducted in accordance with reasonable policies and procedures designated to detect, prevent, and mitigate the risk of identity theft. In the event the university engages a service provider to perform an activity in connection with one or more covered accounts, the university will take steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.

Reviewers

Proposed revisions of this policy must be reviewed by:

  1. Legal Affairs
  2. Chief Information Officer
  3. Information Security
  4. Vice Provost for Enrollment Management
  5. University Bursar
  6. University Registrar
  7. Director, Student Financial Aid and Scholarships
  8. Director, Undergraduate Admissions
  9. Director, Graduate Admissions
  10. OUHCOM Admissions/Financial Aid