
Policy: Prevention, Detection, and Mitigation of Identity Theft 


Date: 10/22/10

Policy ID: FIN-031

Status: Final

Policy Type: University
   
Contact Office: Comptroller (Office of the University)
   
Oversight Executive: Executive Vice President and Chief Operating Officer
   
Applies To: Academic Division, Medical Center, and College at Wise.
   
Table of Contents: 

Policy Statement
Procedures

   
Reason for Policy: In response to the increasing nationwide incidence of identity theft, the Federal Trade Commission, along with the banking regulatory agencies, issued a so-called “Red Flags Rule” intended to protect consumers from this crime.  “Red Flags” are circumstances that should cause creditors and financial institutions to suspect that identity thieves may be using the identifying information of others to commit fraud.

The University is committed to complying with federal regulations concerning the detection, prevention, and mitigation of identity theft.  In accordance with the Fair and Accurate Credit Transaction Act (FACTA) of 2003 and the subsequent “Red Flags Rule” of 2007, the University is required to establish a comprehensive, coordinated, and University-wide approach for facilitating the detection, prevention, and mitigation of identity theft. 
   
Policy Summary: 
   
Definition of Terms in Statement: 

In compliance with 16 Code of Federal Regulations § 681.2, the following definitions shall apply to this Program:

Covered accounts: A consumer account or payment plan that involves multiple payments over time.

Identifying information: Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person.

Identity theft: A fraud committed using the identifying information of another person.

Red Flag: Suspicious information or activities that suggest the possibility of identity thieves using someone else’s identifying information at the University to commit fraud. Red flags fall into several categories, including but not limited to:
  • Suspicious documents such as altered or forged identification cards;
  • Suspicious personal identifying information such as fictitious addresses or telephone numbers; and
  • Suspicious activity related to accounts such as mail that is repeatedly sent and returned as undeliverable.


   
Policy Statement: 

In order to detect and stop identity thieves from using someone else’s identifying information at the University, an Identity Theft Prevention Program will be maintained.  (This is distinct from data security, which is covered under other University policies; see Related Information.) Identity theft is committed by using the identifying information of another person without his or her authority. Identifying information may include such things as a Social Security number, account number, date of birth, driver's license number, passport number, and other unique identification numbers or codes.

The Identity Theft Prevention Program describes the characteristics of identity theft and helps detect, prevent, and mitigate the effects of identity theft in order to protect individuals and the University from fraudulent transactions.  This program coordinates, reviews, and oversees policies and procedures in order to:
  • identify business processes at risk of identity theft fraud;
  • detect and respond appropriately to signs of potential identity theft;
  • educate appropriate faculty, staff, and others regarding their responsibilities under the Identity Theft Prevention Program; and 
  • update the Identity Theft Prevention Program to appropriately respond to new or evolving risks.   

The Executive Vice President and Chief Operating Officer, oversight executive for the program, delegates administration of the program to the Vice President and Chief Financial Officer and the Vice President and Chief Information Officer.

The Assistant Vice President for Finance and University Comptroller (Comptroller) has responsibility for:
  • operational administration of the program, including notifying an office if it is determined they have covered accounts at risk for identity theft;
  • determining whether processes identified by offices should be included in the program;
  • training for managers and employees handling covered accounts;
  • oversight and monitoring of the program, including review of annual Internal Control Questionnaire responses; and
  • the annual certification process through the Agency Risk Management and Internal Control Standards (ARMICS).

Offices handling covered accounts must:
  • identify and bring to the attention of the Comptroller any processes that would be at risk for such fraud;
  • implement the Identity Theft Prevention Program for those applicable business processes;
  • assess whether identifying information provided by individuals (e.g., students, patients) may have red flags of identity theft; and
  • document potential identity theft fraud and report the information to the Comptroller.

These areas include but are not limited to:
  • Student Financial Services
  • Accounting Services
  • Medical Center
  • Any departments other than the Medical Center that provide and bill for medical services
  • Any departments in the College at Wise that bill for services

A complete list of offices with covered accounts and guidance information related to the Identity Theft Prevention Program is provided at the University’s Red Flags Rule Program. (Of note, it has been determined that payroll deductions for University parking, intramurals, etc., are low-risk and therefore not included in the program.)

   
Procedures: 

University’s Red Flags Rule Program
Identity Theft Red Flags
Documenting and Reporting Identity Theft


   
Related Information:  Supporting policies include, but are not limited to:


   
Policy Background: 
   
Major Category: Finance and Business Operations
   
Category Cross Reference: Information Resource Management
   
   
Process: 
   
Next Scheduled Review: 10/22/13
   
Approved By, Date: Executive Vice President and Chief Operating Officer, 10/22/10
   
Revision History: This is the first version of this policy.
   
Supersedes (previous policy):