Nov 23, 2024  

Technology Division


Red Flag Policy
08:20:00 Red Flag Policy

  1. Introduction: In response to the threat of identity theft primarily through financial transactions, the United States Congress passed the Fair and Accurate Credit Transactions Act of 2003 (FACTA), Public Law 108-159, an amendment to the Fair Credit Reporting Act. In accordance with sections 114 and 315 of FACTA, the Office of the Comptroller of the Currency, Treasury; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; the Office of Thrift Supervision, Treasury; the National Credit Union Administration; and the Federal Trade Commission jointly adopted and promulgated rules known as the “red flags” rules.
    1. The Tennessee Board of Regents, on behalf of its institutions, has adopted an Identity Theft Prevention policy and program, set forth in TBR Policy 4:01:05:60. This policy is to detect, prevent and mitigate identity theft, and to help protect institutions, faculty, staff, students and other applicable constituents from damages related to the loss or misuse of identifying information due to identity theft.
    2. Chattanooga State Community College developed this policy in order to satisfy the requirements of the Red Flag rules and TBR Policy 4:01:05:60 in consideration of the College’s size and the nature of its activities, with oversight by the Program Administrator.
  2. Definitions:
    1. Covered Account is any account administered by the College designed to permit multiple payments or transactions. This includes new and existing accounts maintained by the College for its students, faculty, staff and other constituents for whom there exists a reasonably foreseeable risk for identity theft. The safety and soundness of the College itself from the financial, operational, compliance, reputation or litigation risks resulting from identity theft is required.
    2. Identifying Information is any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including personal information such as: name, maiden name, address, date of birth, telephone number, student/faculty/staff identification number (e.g., the “A” number assigned by the College), computer internet protocol address.
    3. Credit card or other account information: credit card number, in whole or in part, credit card expiration date, and tax identification numbers such as: social security number, business identification number, employer identification number.
  • Payroll information includes paycheck, paystub, bank account/routing information.
  • Medical information includes doctor’s name, insurance claim, prescription, any personal medical information.
  • Government issued identification numbers include driver’s license number, alien registration number, passport number.
  • Identity theft is a fraud committed or attempted using identifying information of another person without authorization.
  • Need to know authorization is given to a user for whom access to the information must be necessary for the conduct of one’s official duties and job functions as approved by the employee’s supervisor.
  • Public Record is a record or data item that any entity, either internal or external to the College, can access.
  1. The purpose of the program is to detect, prevent, respond to and mitigate identity theft in connection with any Red Flag possibility. This program envisions the creation of policies and procedures in order to achieve these goals. While Chattanooga State currently does not provide commonly known covered accounts, Chattanooga State will incorporate new covered accounts or other identity theft concerns into the policy.
  • Chattanooga State will ensure detected red flags will be incorporated into the policy;
  • Chattanooga State will respond appropriately to any red flag that is detected to prevent and mitigate identity theft; and
  • Chattanooga State will update the policy periodically to reflect changes in risks to students and other College constituents from identity theft.
  • Chattanooga State will promote compliance with state and federal laws and regulations regarding identity theft protection.
  • For specific examples and requirements, please review TBR Policy 4:01:05:60.

D. In order to identify relevant red flags, the College considers the types of accounts that it offers and maintains; methods it provides to open its accounts; methods it provides to access its accounts; and its previous experiences with identity theft. While Chattanooga State currently does not handle specific Red Flag loans, TBR has provided extensive documentation concerning red flags that can be considered potential indicators of fraud in TBR Policy 4:01:05:06. Any time a red flag or a situation closely resembling a Red Flag is apparent, it should be investigated for verification using the TBR policy as guidance.

E. To ensure protection against the likelihood of identity theft, appropriate data security and classification requirements shall be met. At a minimum, data shall be classified as public or confidential, be appropriately secured and not accessible to non-approved users when not in use. (Refer to 08:14:00 Technology Responsible Use.)

F. The best way to ensure data is secured is the user’s dedication to protecting that data. Users should collect, distribute, and retain only the minimal amount of personal and protected data that is related to their business needs and/or assigned tasks. Ensure personal and protected information is deleted when there is no longer a business need for its retention. When personal or protected data must be included in the distribution of data, include notification of that fact, including reference to this policy. Always comply with existing college policies/standards regarding the handling of Confidential/Protected data. Refer to 08:14:00 Responsible Use, 08:15:00 Security Incident Response, 08:20:00 Red Flag and Identity Theft Program, and Payment Card Industry Questionnaire Section C 9.7a and B, and 9.9.

G. Chattanooga State is required to tailor this program taking into consideration its size, complexity, and nature of its operation. Chattanooga State will consider the types of accounts it offers and maintains, the methods it provides to open those accounts, the methods it provides to access its accounts and its previous experience with identity theft. Operational responsibility for the program at Chattanooga State is delegated to a Program Administrator appointed by the President or Director and shall include but not be limited to:

  • The oversight, development, implementation and administration of the program;
  • Approval and implementation of needed changes to the program;
  • Staff training.

The Program Administrator is responsible for ensuring that appropriate steps are taken to prevent and mitigate identity theft, review any staff reports regarding the detection of red flags and determine which steps should be taken in particular circumstances when red flags are suspected or detected.

1. A report to the President of Chattanooga State should be made annually concerning institutional compliance with and effectiveness of the program. The responsibility for such report may be placed with the Program Administrator. This report should address:

  • Service provider arrangements;
  • The effectiveness of the program in addressing the risk of identity theft;
  • Significant incidents of identity theft and Chattanooga State’s response;
  • Any recommendations for material changes to the program.

H. Staff training will be provided for all employees for whom it is reasonably expected they will come into contact with covered accounts or identifying information as determined by the Program Administrator.

I. Periodic updates to the program will be established as required. The program will be re-evaluated to determine whether all aspects of the program are up to date and applicable. Consideration will be given to the College’s experiences with identity theft situations; changes in identity theft methods, detection methods or prevention methods; and changes in the Institution’s business arrangements with other entities. Periodic reviews will include an assessment of which accounts are covered by the program. As part of the review, red flags may be revised, replaced or eliminated. Defining new red flags may also be appropriate. Actions taken in the event that fraudulent activity is suspected or discovered may also require revision.

  1. It is the responsibility of Chattanooga State to ensure that the activities of all service providers are conducted in accordance with reasonable policies and procedures designated to detect, prevent, and mitigate the risk of identity theft. In the event Chattanooga State engages a service provider to perform an activity in connection with one or more covered accounts, Chattanooga State will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.
  • Require, by contract, that service providers have such policies and procedures in place; or,
  • Require, by contract, that service providers review Chattanooga State’s program and report any red flags to the Program Administrator.
  • Specific language for inclusion in contracts can be found in TBR Guideline G-030 Contracts and Agreements.
  • A service provider that maintains its own identity theft prevention program, consistent with the guidance of the red flag rules and validated by appropriate due diligence, may be considered to be meeting these requirements.

 

 

References:

  1. The Department of Education “Family Educational Rights and Privacy Act of 1974” (as amended), 34 CFR, Part 99
  2. State of Tennessee Department of Finance and Administration Strategic Technology Solutions 2:01, 12/15/2016
  3. Tennessee Board of Regents Policy Identity Theft Prevention 04:01:05:60, 6/19/2009
  4. Tennessee Board of Regents Guideline B-090 Gramm-Leach-Bliley Act, Safeguarding of Customer’s Nonpublic Financial Information, 11/5/2003
  5. Tennessee Board of Regents Guideline G-070 Records Retention and Disposal of Records, 5/16/2017
  6. Tennessee Board of Regents (TBR) Information Technology Policy 1:08:00:00, 9/26/2014
  7. Tennessee Board of Regents (TBR) Password Management G-051, 9/26/2014
  8. Tennessee Board of Regents (TBR) Policy G-052 Access Control, 9/26/2014
  9. Chattanooga State Community College IT Policy 08:13 Computer Passwords, 5/30/2017
  10. Chattanooga State Community College IT Policy 08:14 Responsible Use, 5/30/2017
  11. Chattanooga State Community College IT Policy 08:15 Security Incident Response, 5/30/2017
  12. Chattanooga State Community College IT Policy 08:17 Computer Access, 5/30/2017

 

 

  Signature: Dr. Rebecca Ashford, President

  Date Approved: October 24, 2017

 

 

Policy Change

 

Division Name: Technology Division

 

Policy Number and Title: 08:20:00 Red Flag Policy (Identity Theft)

  1. Reformatted the whole policy to new format.
  2. All pages - Information Technology Services was changed to new division name - Technology Division.
  3. Introduction section was changed to reflect additional information from the original policy.
  4. Section B Definitions was moved to the beginning of the policy.
  5. Section F was added

F. The best way to ensure data is secured is the user’s dedication to protecting that data. Users should collect, distribute, and retain only the minimal amount of personal and protected data that is related to their business needs and/or assigned tasks. Ensure personal and protected information is deleted when there is no longer a business need for its retention. When personal or protected data must be included in the distribution of data, include notification of that fact, including reference to this policy. Always comply with existing college policies/standards regarding the handling of Confidential/Protected data. Refer to 08:14:00 Responsible Use, 08:15:00 Security Incident Response, 08:20:00 Red Flag and Identity Theft Program, and PCI Questionnaire Section C 9.7a and B, and 9.9.

  6. Section G was added

G. Chattanooga State is required to tailor this program taking into consideration its size, complexity, and nature of its operation. Chattanooga State will consider the types of accounts it offers and maintains, the methods it provides to open those accounts, the methods it provides to access its accounts and its previous experience with identity theft. Operational responsibility for the program at Chattanooga State is delegated to a Program Administrator appointed by the President or Director and shall include but not be limited to:

  • The oversight, development, implementation and administration of the program;
  • Approval and implementation of needed changes to the program;
  • Staff training.

The Program Administrator is responsible for ensuring that appropriate steps are taken to prevent and mitigate identity theft, review any staff reports regarding the detection of red flags and determine which steps should be taken in particular circumstances when red flags are suspected or detected.

1. A report to the President of Chattanooga State should be made annually concerning institutional compliance with and effectiveness of the program. The responsibility for such report may be placed with the Program Administrator. This report should address:

  • Service provider arrangements;
  • The effectiveness of the program in addressing the risk of identity theft;
  • Significant incidents of identity theft and Chattanooga State’s response;
  • Any recommendations for material changes to the program.

7. Section H was added

H. Staff training will be provided for all employees for whom it is reasonably expected they will come into contact with covered accounts or identifying information as determined by the Program Administrator.

8. Section I was added

I. Periodic updates to the program will be established as required. The program will be re-evaluated to determine whether all aspects of the program are up to date and applicable. Consideration will be given to the College’s experiences with identity theft situations; changes in identity theft methods, detection methods or prevention methods; and changes in the Institution’s business arrangements with other entities. Periodic reviews will include an assessment of which accounts are covered by the program. As part of the review, red flags may be revised, replaced or eliminated. Defining new red flags may also be appropriate. Actions taken in the event that fraudulent activity is suspected or discovered may also require revision.

  1. It is the responsibility of Chattanooga State to ensure that the activities of all service providers are conducted in accordance with reasonable policies and procedures designated to detect, prevent, and mitigate the risk of identity theft. In the event Chattanooga State engages a service provider to perform an activity in connection with one or more covered accounts, Chattanooga State will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.

  • Require, by contract, that service providers have such policies and procedures in place; or,
  • Require, by contract, that service providers review Chattanooga State’s program and report any red flags to the Program Administrator.
  • Specific language for inclusion in contracts can be found in TBR Guideline G-030 Contracts and Agreements.
  • A service provider that maintains its own identity theft prevention program, consistent with the guidance of the red flag rules and validated by appropriate due diligence, may be considered to be meeting these requirements.

 

Signature: Dr. Rebecca Ashford, President

Date Approved: October 24, 2017

 

 

 

 

 

Approved:

Dr. James L. Catanzaro, President, 5/7/2012

Implemented and Reviewed by: Computer Services, 12/2/2011