FULFILLING REQUIREMENTS OF THE RED FLAGS RULE
Under the Red Flags Rule, the University is required to establish an “Identity Theft Prevention Program” tailored to its size, complexity, and the nature of its operation. The University has implemented policies and procedures and:

1. Has identified relevant Red Flags for new and existing Covered Accounts and incorporated those Red Flags into the Policy;
2. Will detect Red Flags that have been incorporated into the Policy;
3. Will respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
4. Ensure the Policy is updated periodically to reflect changes in risks to individuals or to the safety and soundness of University information from identity theft.

IDENTIFICATION OF RED FLAGS
In order to identify relevant Red Flags, the University considered the types of accounts that it offers and maintains, methods it provides to open its accounts, methods it provides to access its accounts, and its previous experiences with identity theft. The University identified the following relevant Red Flags in each of the listed categories:

A. Alerts, Notifications, or Warnings

Red Flags

1. A consumer reporting agency provides a notice of address discrepancy.
2. A fraud or active duty alert is included with a consumer report.
3. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
4. A consumer report indicates a pattern of activity inconsistent with the history and usual pattern of activity of an applicant or account holder.

B. Suspicious Documents

Red Flags

1. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
2. Documents provided for identification appear to have been altered or forged.
3. Other information on the identification is not consistent with information provided by the person opening a new covered account.
4. The photograph or physical description on the identification is not consistent with the appearance of the applicant or account holder presenting the identification.

C. Suspicious Personal Identifying Information

Red Flags

1. The person opening the covered account fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
2. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by Princeton University.
3. Personal identifying information provided is inconsistent when compared against external information sources.
4. Personal identifying information provided is not consistent with personal identifying information that is in Princeton University’s central data repository (Campus Community).
5. Personal identifying information provided is not consistent with other personal identifying information. For example, there is a lack of correlation between the SSN range and date of birth.
6. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the Princeton University or creditor.
7. The SSN provided is the same as that submitted by other persons opening an account.

D. Unusual Use or Suspicious Activity

Red Flags

1. Mail sent is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the covered account.
2. Notification is received of unauthorized charges or transactions in connection with a covered account.
3. Notification is received that an account holder is not receiving paper account statements.

E. Notice Given

1. Red Flags associated with notice from students or employees, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by Princeton University.

DETECTING RED FLAGS

A. Covered Accounts

Princeton University takes steps to detect Red Flags in connection with opening or accessing covered accounts. Princeton University employees in offices handling Covered Accounts are responsible for:

1. Obtaining identifying information about, and verifying the identity of, a person opening or accessing a covered account.
2. Authenticating applicants or account holders, monitoring transactions, and verifying the validity of change of address requests in the case of existing covered accounts. (Employees should operate in accordance with the University’s Red Flags Procedures.)

B. Consumer Report Requests

Princeton University requires users of consumer reports to react to a notice of an address discrepancy or a fraud alert received from a Consumer Report Agency when credit or background checks are done on prospective employees or when credit checks are requested for new loan applicants or assessment of delinquent account holders.

In the event that notice of an address discrepancy or a fraud alert is received, staff will operate in accordance with the University’s Red Flags Procedures.

PREVENTING AND MITIGATING IDENTITY THEFT

Princeton University has measures in place to appropriately respond to Red Flags detected that are commensurate with the degree of risk posed. Employees in offices handling Covered Accounts will utilize the University’s Red Flags Procedures. Appropriate responses may include:

1. Monitoring a covered account for evidence of identity theft;
2. Contacting the applicant or account holder;
3. Changing any passwords, security codes, or other security devices that permit access to a covered account;
4. Reopening a covered account with a new account number;
5. Not opening a new covered account;
6. Closing an existing covered account;
7. Not attempting to collect on a covered account or not assigning a covered account to a debt collector;
8. Notifying law enforcement; or
9. Determining that no response is warranted under the particular circumstances.

When determining the proper response, appropriate staff will consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to an account holder’s records held by Princeton University or a third party, or notice that an account holder has provided information related to a covered account held by Princeton University to someone fraudulently claiming to represent Princeton University or to a fraudulent website.

POLICY ADMINISTRATION

A. Staff Training and Reports

University staff in offices with Covered Accounts are expected to be familiar with the University’s Red Flags Rule Procedures and shall be trained, under the direction of the Coordinator, in the detection of Red Flags and the responsive steps to be taken when a Red Flag is detected. University staff shall be trained, as necessary, to effectively implement the Policy. University employees are expected to notify the Coordinator once they become aware of an incident of Identity Theft or of the University’s failure to comply with this Policy. At least annually or as otherwise requested by the Coordinator, University staff responsible for development, implementation, and administration of the Policy shall report to the Coordinator on compliance with this Policy. The report should address such issues as effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening and maintenance of Covered Accounts, service provider arrangements, significant incidents involving identity theft and management’s response, and recommendations for changes to the Policy.

B. Service Provider Arrangements

In the event the University engages a service provider to perform an activity in connection with one or more Covered Accounts, the University will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of Identity Theft.

1. Require, by contract, that service providers have such policies and procedures in place ; and
2. Report any incidents of suspected identity theft or fraud to the University employee with primary oversight of the service provider relationship.

C. Nondisclosure of Specific Practices

For the effectiveness of this Identity Theft Prevention Policy, knowledge about specific Red Flag identification, detection, mitigation, and prevention practices may need to be limited to the Executive Compliance Committee and to those employees with a need to know them. Any documents that may have been produced or are produced in order to develop or implement this Policy that list or describes such specific practices and the information those documents contain are considered “highly confidential” under the University’s Information Security Policy. The Coordinator shall inform the Committee and those employees with a need to know the information of those documents or specific practices which should be maintained in a confidential/highly confidential manner.

D. Policy Updates

The Executive Compliance Committee will periodically review and update this Policy, including a review of relevant Red Flags, to reflect changes in risks to individuals and the soundness of the University from Identity Theft. In doing so, the Executive Compliance Committee will consider the University's experiences with Identity Theft situations, changes in Identity Theft methods, changes in Identity Theft detection and prevention methods, and changes in the University's business arrangements with other entities. After considering these factors, the Coordinator will determine whether changes to the Policy, including the listing of Red Flags, are warranted. If warranted, the Executive Compliance Committee will update the Policy.