How is a Red Flags incident different from a data security breach?
A data security breach is the unauthorized access to, or release of, personal information, whether through an attack or by accident. The Federal Trade Commission (FTC) strongly encourages reasonable data security practices, but the Red Flags Rule is not a data security regulation. The Red Flags Rule picks up where data security leaves off. If identity thieves do get hold of someone's personal information, they typically use it to obtain goods or services from unsuspecting businesses with no intention of paying the bill. By establishing procedures to look for and respond to the "Red Flags" that indicate an identity thief is trying to use someone else's information, the rule seeks to reduce the damage identity thieves can inflict on victims and on businesses left with accounts receivable balances they will never be able to collect. A Red Flags program may draw on existing data security practices, but it is a different kind of plan aimed at preventing a different kind of harm: misuse of identifying information that has already been obtained, rather than its initial exposure.
What are some examples of covered accounts at UA?
Action Card Office, Bama Dining, Business Activities for Construction and Physical Plant, Business Activities System Support and Admin Services, Campus Mail Service, Capstone Village Accounting, Financial Aid, Human Resources, Procurement, Student Account Services, Student Health Center, Supply Store, University Medical Center, and University Recreation.
What are some examples of red flags?
Alerts, notifications, and warnings from consumer reporting (credit) agencies; suspicious documents; suspicious personal identifying information; suspicious activity on, or unusual use of, a covered account; and notices from customers, identity theft victims, law enforcement, or others about possible identity theft in connection with a covered account.
How are red flags typically detected?
New Accounts/Enrollment
- Require certain identifying information such as name, date of birth, academic records, home address, or other identification.
- Verify the person’s identity at time of issuance of identification card (review of driver’s license or other government-issued photo identification).
Existing Accounts
- Verify the identity of the individual before releasing account information in response to a request.
- Verify the validity of requests to change billing addresses received by mail or email (for example, by confirming the change through a channel other than the one the request arrived on, such as a notice sent to the address already on file), and provide the individual a reasonable means of promptly reporting an incorrect billing address change.
- Verify changes in banking information given for billing and payment purposes.
Consumer (Credit) Report Requests
- In the event that notice of an address discrepancy is received, verify that the credit report pertains to the applicant for whom the report was requested, and report to the consumer reporting agency an address for the applicant that the University has reasonably confirmed to be accurate.
- Require written verification from any applicant that the address provided by the applicant is accurate at the time the request for the credit report is made to the consumer reporting agency.
I may have detected a red flag. Now what do I do?
Any employee who knows or suspects that a Red Flags incident has occurred shall immediately:
- notify their supervisor;
- notify the appropriate Identity Theft Prevention Officer (ITPO); and
- complete a Red Flag Reporting Form.
The ITPO will report to the Program Administrator as needed. If fraud is known or reasonably suspected, contact UAPD.
What training is required?
The Program Administrator will provide basic training on this policy and on the requirements of the Red Flags Regulations to all staff in departments with covered accounts. In addition, the individual designated as the Identity Theft Prevention Officer within each department shall provide the staff training necessary to detect, prevent, and mitigate identity theft in their area.
Who is responsible for oversight of the University's Red Flags program?
Compliance, Ethics and Regulatory Affairs is responsible for oversight of the program.
How do I determine if the Red Flags policy applies to my department?
The Red Flags policy applies if your unit engages in any of the following activities:
- Sells or transfers debts to a third party.
- Enters or alters personally identifying information in a university system or database.
- Maintains systems that generate personally identifying information.
- Offers goods or services that individuals can pay for later on an account administered by, or on behalf of, your office.
- Administers billing, declining balance, debit, or other accounts whether on behalf of your own unit or another university unit/department.
- Makes loans, such as short-term loans to students, faculty, or staff.
- Administers student loans.
- Issues cards to individuals that can be used to access accounts.
- Uses consumer credit reports such as those issued by Experian, TransUnion, or Equifax.
- Reports information to credit reporting agencies.
- Bills for fines.
- Pursues debt collection.
- Offers leases to individuals for personal use/non-business purposes.
What is the purpose of the Identity Theft Prevention Annual Assessment?
The purpose is to document compliance and provide the Red Flags committee with the ability to evaluate the effectiveness of the program.
After a Red Flags incident is reported, then what?
Evaluate whether the program worked effectively and whether any changes are needed.
Do I need to worry about third-party service providers?
In the event the University engages a service provider to perform an activity in connection with one or more covered accounts, the University, through its contract review process, shall take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft:
1. Require, by written contract, that service providers have identity theft policies and procedures in place; and
2. Require, by written contract, that service providers report any red flags or identity theft incidents associated with University accounts/records to the University employee with primary oversight of the service provider relationship, who must report to the appropriate ITPO.
The ITPO should provide this information to the Program Administrator via the Red Flags Detection Report.
As a staff member, is it my responsibility to notify appropriate University personnel that a red flag has been detected?
Yes. As a University employee, it is your duty to comply with University programs and policies. You must act if you detect a red flag, suspect identity theft, or observe a violation of the Red Flags program.
What are the consequences to UA if it fails to comply with the Red Flags Rule?
An incident of identity theft could be damaging to the University and your department in significant ways. The FTC can seek both monetary civil penalties and injunctive relief for violations of the Red Flags Rule. Where the complaint seeks civil penalties, the U.S. Department of Justice typically files the lawsuit in federal court on behalf of the FTC. Each instance in which an entity has violated the rule is treated as a separate violation. Injunctive relief in cases like this often requires the parties being sued to comply with the law in the future and to provide reports, retain documents, and take other steps to ensure compliance with both the rule and the court order. Failure to comply with the court order could subject the parties to further penalties and injunctive relief.