Insurance and Risk Management
Princeton University (“University”) developed its Identity Theft Prevention Policy ("Policy") pursuant to the Federal Trade Commission's (“FTC”) Red Flags Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003. This Policy was developed with oversight and approval of the Audit & Compliance Committee of the University Board of Trustees. After consideration of the size and complexity of the University's operations and account systems, and the nature and scope of the University's activities, the Executive Compliance Committee determined that this Policy was appropriate for the University, and therefore approved this Policy on December 8, 2010.
The responsibility for the University’s Red Flags Identity Theft Prevention Policy as required by the FACTA Red Flags Rule rests with the Executive Compliance Committee.
The Executive Compliance Committee has appointed an Identity Theft Prevention Coordinator to provide oversight of the Policy and to develop, implement and administer it. The Identity Theft Prevention Coordinator is Jim Matteo, Vice President for Finance and Treasurer, as of December 8, 2010. The Identity Theft Prevention Coordinator will report to the Executive Compliance Committee at least annually.
II. Who is Affected by this Policy
This policy affects faculty, students, parents of students, and staff who have a loan with the University and are billed monthly.
Definitions used in this Policy are intended to implement and effectuate the “Red Flags Rule” and shall have the meaning described in and be consistent with section 114 of FACTA, codified at 15 U.S.C. §1681 et seq. and 16 C.F.R. §681 et seq., as it may be amended from time to time.
Identity Theft
A fraud committed or attempted using the identifying information of another person without authority.
Red Flag
A pattern, practice, or specific activity that indicates the possible existence of Identity Theft.
Covered Account
A consumer account that involves multiple payments or transactions, such as a loan that is billed or payable monthly. Covered accounts include arrangements in which an individual establishes a continuing relationship with the University as a creditor.
Policy Coordinator for Identity Theft Prevention (the Coordinator)
The individual designated with primary responsibility for oversight of the Policy. See Section VII below.
Defined as "personal information that may be used, alone or in conjunction with any other information, to identify a specific person," including: name, address, telephone number, social security number, date of birth, government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number, Princeton University identification number, computer's Internet Protocol address, or routing code.
FULFILLING REQUIREMENTS OF THE RED FLAGS RULE
Under the Red Flags Rule, the University is required to establish an “Identity Theft Prevention Program” tailored to its size, complexity, and the nature of its operation. The University has implemented policies and procedures and:
- Has identified relevant Red Flags for new and existing Covered Accounts and incorporated those Red Flags into the Policy;
- Will detect Red Flags that have been incorporated into the Policy;
- Will respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
- Will ensure the Policy is updated periodically to reflect changes in risks to individuals or to the safety and soundness of University information from identity theft.
IDENTIFICATION OF RED FLAGS
In order to identify relevant Red Flags, the University considered the types of accounts that it offers and maintains, methods it provides to open its accounts, methods it provides to access its accounts, and its previous experiences with identity theft. The University identified the following relevant Red Flags in each of the listed categories:
A. Alerts, Notifications, or Warnings
- A consumer reporting agency provides a notice of address discrepancy.
- A fraud or active duty alert is included with a consumer report.
- A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
- A consumer report indicates a pattern of activity inconsistent with the history and usual pattern of activity of an applicant or account holder.
B. Suspicious Documents
- An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
- Documents provided for identification appear to have been altered or forged.
- Other information on the identification is not consistent with information provided by the person opening a new covered account.
- The photograph or physical description on the identification is not consistent with the appearance of the applicant or account holder presenting the identification.
C. Suspicious Personal Identifying Information
- The person opening the covered account fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
- Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by Princeton University.
- Personal identifying information provided is inconsistent when compared against external information sources.
- Personal identifying information provided is not consistent with personal identifying information that is in Princeton University’s central data repository (Campus Community).
- Personal identifying information provided is not consistent with other personal identifying information. For example, there is a lack of correlation between the SSN range and date of birth.
- Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by Princeton University or a creditor.
- The SSN provided is the same as that submitted by other persons opening an account.
D. Unusual Use or Suspicious Activity
- Mail sent is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the covered account.
- Notification is received of unauthorized charges or transactions in connection with a covered account.
- Notification is received that an account holder is not receiving paper account statements.
E. Notice Given
- Red Flags associated with notice from students or employees, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by Princeton University.
DETECTING RED FLAGS
A. Covered Accounts
Princeton University takes steps to detect Red Flags in connection with opening or accessing covered accounts. Princeton University employees in offices handling Covered Accounts are responsible for:
- Obtaining identifying information about, and verifying the identity of, a person opening or accessing a covered account.
- Authenticating applicants or account holders, monitoring transactions, and verifying the validity of change of address requests in the case of existing covered accounts. (Employees should operate in accordance with the University’s Red Flags Procedures.)
B. Consumer Report Requests
Princeton University requires users of consumer reports to respond to a notice of an address discrepancy or a fraud alert received from a consumer reporting agency when credit or background checks are done on prospective employees, or when credit checks are requested for new loan applicants or for assessment of delinquent account holders.
In the event that notice of an address discrepancy or a fraud alert is received, staff will operate in accordance with the University’s Red Flags Procedures.
PREVENTING AND MITIGATING IDENTITY THEFT
Princeton University has measures in place to appropriately respond to Red Flags detected that are commensurate with the degree of risk posed. Employees in offices handling Covered Accounts will utilize the University’s Red Flags Procedures. Appropriate responses may include:
- Monitoring a covered account for evidence of identity theft;
- Contacting the applicant or account holder;
- Changing any passwords, security codes, or other security devices that permit access to a covered account;
- Reopening a covered account with a new account number;
- Not opening a new covered account;
- Closing an existing covered account;
- Not attempting to collect on a covered account or not assigning a covered account to a debt collector;
- Notifying law enforcement; or
- Determining that no response is warranted under the particular circumstances.
When determining the proper response, appropriate staff will consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to an account holder’s records held by Princeton University or a third party, or notice that an account holder has provided information related to a covered account held by Princeton University to someone fraudulently claiming to represent Princeton University or to a fraudulent website.
A. Staff Training and Reports
University staff in offices with Covered Accounts are expected to be familiar with the University’s Red Flags Rule Procedures and shall be trained, under the direction of the Coordinator, in the detection of Red Flags and the responsive steps to be taken when a Red Flag is detected. University staff shall be trained, as necessary, to effectively implement the Policy. University employees are expected to notify the Coordinator once they become aware of an incident of Identity Theft or of the University’s failure to comply with this Policy. At least annually or as otherwise requested by the Coordinator, University staff responsible for development, implementation, and administration of the Policy shall report to the Coordinator on compliance with this Policy. The report should address such issues as effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening and maintenance of Covered Accounts, service provider arrangements, significant incidents involving identity theft and management’s response, and recommendations for changes to the Policy.
B. Service Provider Arrangements
In the event the University engages a service provider to perform an activity in connection with one or more Covered Accounts, the University will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of Identity Theft:
- Require, by contract, that service providers have such policies and procedures in place; and
- Report any incidents of suspected identity theft or fraud to the University employee with primary oversight of the service provider relationship.
C. Nondisclosure of Specific Practices
For the effectiveness of this Identity Theft Prevention Policy, knowledge about specific Red Flag identification, detection, mitigation, and prevention practices may need to be limited to the Executive Compliance Committee and to those employees with a need to know them. Any documents that have been or are produced in order to develop or implement this Policy that list or describe such specific practices, and the information those documents contain, are considered “highly confidential” under the University’s Information Security Policy. The Coordinator shall inform the Committee and those employees with a need to know which of those documents or specific practices should be maintained in a confidential/highly confidential manner.
D. Policy Updates
The Executive Compliance Committee will periodically review and update this Policy, including a review of relevant Red Flags, to reflect changes in risks to individuals and the soundness of the University from Identity Theft. In doing so, the Executive Compliance Committee will consider the University's experiences with Identity Theft situations, changes in Identity Theft methods, changes in Identity Theft detection and prevention methods, and changes in the University's business arrangements with other entities. After considering these factors, the Coordinator will determine whether changes to the Policy, including the listing of Red Flags, are warranted. If warranted, the Executive Compliance Committee will update the Policy.
10/4/19 - Updated responsible office name and contact title, and updated Identity Theft Prevention Coordinator name.
10/1/18 - Updated Executive Sponsor listing.
2/25/11 - No changes. Copied to web-based policy library.
12/31/10 - Approved.