Policy Number: 18.104.22.168
Category: Information Privacy
Responsible Unit: Information Technology Services
Effective: August 5, 2020
Revision History: Originally effective November 1, 2009 as an Emergency Board of Governor's Rule; approved January 29, 2010 as a regular BOG Policy
Review Date: August 4, 2023
PURPOSE AND SCOPE
- The purpose of this Policy is to establish an Identity Theft Detection and Prevention program at West Virginia University, West Virginia University Institute of Technology, and Potomac State College of West Virginia University (collectively the “University”).
- This Policy applies to all accounts at the University designed to permit multiple payments or transactions or any other account for which there is a foreseeable risk of Identity Theft (“Covered Accounts”).
UNIVERSITY IDENTITY THEFT DETECTION AND PREVENTION PROGRAM
- Managed by Information Technology Services (“ITS”), the University’s Identity Theft Detection and Prevention Program (“ITDPP”) is responsible for identifying, detecting, preventing, and responding to the warning signs of Identity Theft (“Red Flags”) including, but not limited to, the following activities:
- Identifying University Covered Accounts;
- Preventing and mitigating Identity Theft in connection with Covered Accounts;
- Establishing procedures to identify and detect Red Flags;
- Establishing a system for reporting potential instances of Identity Theft; and,
- Providing annual training to all University employees who process information related to a Covered Account.
UNIVERSITY COVERED ACCOUNTS
- The University will classify an account as a Covered Account if it involves:
- Deferred payments made by a borrower periodically over time, such as fee installment payment plans;
- Refunding of credit balances, both with and without Direct PLUS Loans; or,
- Deferment of tuition payments.
- Based on these criteria, the University identifies the following accounts as Covered Accounts: student accounts, institutional loans, Federal Perkins Loan Program, Health Professional Loan Program, and patient accounts.
PREVENTING AND MITIGATING RED FLAGS AT THE UNIVERSITY
- To prevent and mitigate Identity Theft in connection with Covered Accounts, the University will:
- Verify a person’s identity information prior to opening a new Covered Account, which includes reviewing the Identifying Information provided by the applicant and independently contacting the applicant.
- Monitor contacts and transactions for existing Covered Accounts by:
- Verifying the identification of the applicant prior to providing information to the applicant;
- Reviewing the validity of requests to change billing addresses; and,
- Noting changes in banking information given for billing and payment purposes.
- Review ITDPP procedures annually and update as needed; and,
- Review training materials annually to assess the need for updates and provide training as needed.
- To ensure all Service Providers with access to Covered Accounts act with appropriate care to detect, prevent, and mitigate the risk of Identity Theft, all third parties must contractually agree that they:
- Have Identity Theft policies and procedures in place;
- Have reviewed this Policy; and,
- Will report any Red Flags associated with University Covered Accounts, accordingly.
IDENTIFICATION OF RED FLAGS AT THE UNIVERSITY
- The University considers any pattern, practice, or specific activity that indicates the possible existence of Identity Theft to be a Red Flag. Red Flags include, but are not limited to:
- Receipt of Notifications or Warnings from credit reporting agencies or Other Sources;
- Presentation of Identification Documents that appear to be forged, inauthentic, or inconsistent with existing applicant information;
- Presentation of Personally Identifiable Information (“PII”) that is inconsistent with Other Information associated with the applicant or appearing to be Fraudulent Activity; or,
- Suspicious Account Activity that is inconsistent with previous activity.
REPORTING RED FLAGS AT THE UNIVERSITY
- Pursuant to the Computer Security Incident Reporting Policy, any time a Red Flag associated with a Covered Account, or a situation resembling a Red Flag, is apparent, Information Technology Services must be notified to investigate for further verification.
- “Direct PLUS Loans” means federal loans that graduate or professional students and parents of dependent undergraduate students can use to help pay for college or career school expenses not covered by other financial aid.
- “Fraudulent Activity” means deliberately deceitful, dishonest, or untrue activity such as providing an invalid phone number, fictitious billing address, or another person’s Social Security number, address, or phone number. This includes providing identifying information that is the same as information shown on other applications or accounts that are found to be fraudulent.
- “Identifying Information” means documents that prove a person’s identity such as residential or business address, driver’s license, visa, passport, or birth certificate.
- “Identity Theft” means fraud committed or attempted using identifying information of another without authorization.
- “Notifications or Warnings” means any notification (e.g., reports, letters, emails) from credit reporting agencies reporting credit report fraud, credit freeze, applicant activity duty alert, or activity that is inconsistent with an applicant’s usual pattern of activity.
- “Other Information” means information provided by the user (e.g., birth date) or information provided by a credit report, other application, University Data, or other outside source.
- “Other Source” means notification by someone other than credit reporting agencies such as an applicant, Identity Theft victim, law enforcement, or other person.
- “Personally Identifiable Information (PII)” means any piece of information that may be used to uniquely identify, contact, or locate a specific person. PII includes but is not limited to: name, address, telephone number, Social Security number, date of birth, driver’s license number, alien registration number, passport number, employer or tax ID number, financial information, and any combination of information that will uniquely identify an individual.
- “Suspicious Account Activity” means activity that is inconsistent with prior use such as change of address followed by a change to the account holder’s name; stopping payments on an account otherwise up-to-date; high activity; undeliverable mail; or notice of unauthorized activity.
- “Suspicious Documents” means identification documents or cards that appear to be forged, altered or inauthentic; feature an inconsistent photograph or physical description with the person presenting the document; or otherwise contain information that appears to have been altered or forged (e.g., forged signature).
- “Red Flags” means a pattern, practice, or specific activity that indicates the possible existence of identity theft and includes, but is not limited to: an application appears to have been forged, altered, or destroyed and reassembled; a consumer report includes a fraud alert, credit freeze, or address discrepancy; a change of address notice is followed shortly by a request for a new credit card, bank card, or cell phone; the Social Security number supplied by a user is the same as that submitted by another person opening an account; the address or telephone number supplied by an applicant is the same or substantially the same as an address or telephone number submitted by an unusually large number of other persons; notification that the user is not receiving account statements; or an account that has been inactive for a reasonably long period of time is utilized.
ENFORCEMENT AND INTERPRETATION
- Any employee who violates this Policy will be subject to appropriate disciplinary action.
- Any student who violates this Policy will be subject to appropriate disciplinary action in accordance with the Student Code of Conduct.
- Any individual affiliated with the University who violates this Policy will be subject to appropriate corrective action, including, but not limited to, termination of the individual’s relationship with the University.
- The University’s Chief Information Officer, supported by the Chief Information Security Officer, will coordinate with appropriate University entities on the implementation and enforcement of this Policy.
- Responsibility for interpretation of this Policy rests with the Chief Information Officer.
AUTHORITY AND REFERENCES
- BOG Governance Rule 1.11 – Information Technology Resources and Governance
- All other University policies are also applicable to the electronic environment. Relevant institutional documents include, but are not limited to: