Identity Theft Prevention Program Frequently Asked Questions (FAQ)

A data security breach is the unintentional release of personal information. The Federal Trade Commission (FTC) strongly encourages reasonable data security practices, but the Red Flags Rule is not a data security regulation. The Red Flags Rule picks up where data security leaves off. If identity thieves do get hold of someone’s personal information, they typically use it to get goods or services from unsuspecting businesses and have no intention of paying the bill. By having established procedures to look for and to respond to the “Red Flags” that indicate an identity thief is trying to use someone else’s information, the rule seeks to reduce the damage identity thieves can inflict on victims of identity theft and on businesses left with accounts receivable balances they’ll never be able to collect. While data security practices are incorporated, the Red Flags program is a different kind of plan aimed at preventing a different kind of harm.
Action Card Office, Bama Dining, Business Activities for Construction and Physical Plant, Business Activities System Support and Admin Services, Campus Mail Service, Capstone Village Accounting, Financial Aid, Human Resources, Procurement, Student Account Services, Student Health Center, Supply Store, University Medical Center, and University Recreation.
Notifications and warnings from Credit Reporting Agencies, suspicious documents, suspicious personal identifying information, suspicious covered account activity or unusual use of account alerts from others.
New Accounts/Enrollment
  1. Require certain identifying information such as name, date of birth, academic records, home address, or other identification.
  2. Verify the person’s identity at time of issuance of identification card (review of driver’s license or other government-issued photo identification).
Existing Accounts
  1. Verify the identification of the individual if they request information.
  2. Verify the validity of requests to change billing addresses by mail or email and provide the individual a reasonable means of promptly reporting incorrect billing address changes.
  3. Verify changes in banking information given for billing and payment purposes.
Consumer (Credit) Report Requests
  1. Require written verification from any applicant that the address provided by the applicant is accurate at the time the request for the credit report is made to the consumer reporting agency.
  2. In the event that notice of an address discrepancy is received, verify that the credit report pertains to the applicant for whom the requested report was made and report to the consumer reporting agency an address for the applicant that the university has reasonably confirmed to be accurate.
Any employee who knows or suspects that a security incident has occurred shall immediately: notify their supervisor; notify the appropriate Identity Theft Prevention Officer (ITPO); complete a Red Flag Reporting Form. The ITPO will report to the Program Administrator as needed. If fraud is known or reasonably suspected, contact UAPD.
The Program Administrator will provide basic training on this policy and on the requirements of the Red Flags Regulations to all staff in departments with covered accounts. In addition, the individual designated as the Identity Theft Prevention Officer within each department shall provide the staff training necessary to detect, prevent, and mitigate identity theft in their area.
Yes, annual training is required for departments that have determined they have covered accounts.
Compliance, Ethics and Regulatory Affairs is responsible for oversight of the program.
The Red Flags policy applies if your unit engages in any of the following activities:
  1. Enters or alters personally identifying information in a university system or database.
  2. Maintains systems that generate personally identifying information.
  3. Offers goods or services that individuals can pay for later on an account administered by, or on behalf of, your office.
  4. Administers billing, declining balance, debit, or other accounts whether on behalf of your own unit or another university unit/department.
  5. Makes loans, such as short-term loans to students, faculty, or staff.
  6. Administers student loans.
  7. Issues cards to individuals that can be used to access accounts.
  8. Uses consumer credit reports such as those issued by Experian, TransUnion, or Equifax.
  9. Reports information to credit reporting agencies.
  10. Bills for fines.
  11. Pursues debt collection.
  12. Offers leases to individuals for personal use/non-business purposes.
  13. Sells or transfers debts to a third party.
The purpose is to document compliance and provide the Red Flags committee with the ability to evaluate the effectiveness of the program.
Please feel free to contact Compliance, Ethics and Regulatory Affairs at 205-348-2334 or privacy@ua.edu.
Evaluate whether the program worked effectively and whether any changes are needed.
In the event the University engages a service provider to perform an activity in connection with one or more covered accounts, the University, through its contract review process, shall take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft:
  1. Require, by written contract, that service providers have identity theft policies and procedures in place; and
  2. Require, by written contract, that service providers report any red flags or identity theft incidents associated with University accounts/records to the University employee with primary oversight of the service provider relationship who must report to the appropriate ITPO.
The ITPO should provide this information to the Program Administrator via the Red Flags Detection Report.
As a university employee, it is your duty to comply with university programs and policies. You must act if you observe a violation of the Red Flags Rule.
An incident of identity theft could be damaging to the University and your department in significant ways. The FTC can seek both monetary civil penalties and injunctive relief for violations of the Red Flags Rule. Where the complaint seeks civil penalties, the U.S. Department of Justice typically files the lawsuit in federal court on behalf of the FTC. Each instance in which the company has violated the rule is a separate violation. Injunctive relief in cases like this often requires the parties being sued to comply with the law in the future and provide reports, retain documents, and take other steps to ensure compliance with both the rule and court order. Failure to comply with the court order could subject the parties to further penalties and injunctive relief.