Original Date: 9/8/2009 * Last Revision Effective: 10/19/2015
Policy Contact: Vice President, Administrative Services
The purpose for the following procedure is to implement BC policy #7360: Identity Theft Prevention, detect, prevent, and mitigate instances of identity theft, and to ensure compliance with the Federal Trade Commission’s regulations commonly referred to as “Red Flag Rules.”
A covered account is defined as any account which involves multiple payments or transactions or any other account the college offers or maintains for which there is a foreseeable identity theft risk, such as in payroll, human resources, cashiering, accounting, admissions , or financial aid functions.
Sensitive information is defined as:
- Student or employee social security number
- Telephone number
- Credit card number and expiration date
- Amount of debt or earnings
Assessment of Risk
Each administrative area where covered accounts are maintained will review risk factors annually. How sensitive data is acquired, stored and accessed will be reviewed to determine where opportunities for identity theft could occur.
Key elements of determination of risk include but are not limited to:
- Is sensitive information kept secure at all times through the use of passwords and limited access for electronic data and the use of locking drawers and offices for hard copy data?
- Do all staff who access sensitive date receive regular appropriate training?
- Are identifying numbers (credit/debit card numbers, social security numbers, college generated ID numbers, etc.) being protected to the greatest extent possible, being used only when necessary and with only the last four digits showing on receipts or other documents?
- Is access to sensitive data limited to only those with a need for the specific data?
Identify red flags
Each area will identify relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft and incorporate training to identify those red flags into the program.
Examples of red flags include but are not limited to:
- Suspicious or altered identification or documentation (such as driver’s license, social security card, or credit card)
- Suspicious address change – official address of record is located in enrollment and registrar services or human resources offices
- A notice from a student or staff that they have been a victim of identity theft
- A notice from law enforcement or other authorities about the possibility of an identity theft
- Any type of security breach involving the theft of personal information
Prevention and detection of red flags
To prevent identity theft occurrences:
- Student covered accounts are carefully monitored by student services and cashier office staff
- Employee covered accounts are carefully monitored by human resources and payroll staff
- Appropriate identification is required before any consultation
- All account information on paper is secured in a locked, restricted location
- All electronic information is password protected following college guidelines and policies for all electronic security.
Respond appropriately to red flags
If a potentially fraudulent activity is detected, employee will investigate documentation and write a description of the situation and forward to the finance administrator or information resources administrator in the case of an electronic data security breach. If it is determined a fraudulent transaction has occurred actions may include:
- Contacting the account holder
- Notifying and cooperating with appropriate law enforcement
- Canceling the transaction
- Monitoring the account for unusual activity
- Notifying the state auditor’s office
Periodic procedure update
These procedures will be evaluated annually and modified as needed to achieve maximum effectiveness.
Relevant Laws and Other Resources
- Federal Trade Commission sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003
- BC policy #5000 Acceptable Use of BC Computers
Revisions 9/24/2012; 11/15/2012; 10/19/2015
Last Updated October 19, 2015