Identity Theft Prevention Program (ITPP) under the FTC FACTA Red Flags Rule PROCEDURES DOCUMENT. I. Purpose/Scope... 1

Transcription

1 Identity Theft Preventin Prgram (ITPP) under the FTC FACTA Red Flags Rule PROCEDURES DOCUMENT Table f Cntents I. Purpse/Scpe... 1 II. ITPP Apprval and Administratin... 2 III. Relatinship t Other University Plicies & Prcedures... 2 IV. Key Definitins fr purpses f this Prcedures Dcument... 3 V. Identifying Red Flags & Key Areas... 3 VI. Red Flag Identificatin and Detectin Grid... 5 VII. Preventing and Mitigating Identity Theft VIII. Service Prviders IX. Prgram Administratin X. Key Resurces XI. Acrnyms XII. Dcument Histry and Annual Review I. Purpse/Scpe The Fair and Accurate Credit Transactins Act (FACTA, Pub.L ) became federal law in 2003 as an amendment t the Fair Credit Reprting Act (FCRA). Sectins 114 and 315 f FACTA directed the Federal Trade Cmmissin (FTC), alng with ther banking agencies, t issue regulatins regarding identity theft 1

2 preventin, nw knwn as the Red Flags Rule ( Rule, see 16 CFR 681). The Rule requires many businesses and rganizatins t implement a written Identity Theft Preventin Prgram ( ITPP r Prgram ) designed t detect the warning signs ( red flags ) f identity theft in their daily peratins. The purpse f this Prgram is t detect, prevent, and mitigate identity theft at the University. II. ITPP Apprval and Administratin The Bard f Trustees f UNC Charltte adpted an Identify Theft Preventin Prgram (ITPP) n April 16, 2009, which can be fund n the Red Flags Rule webpage. The University s Cmpliance Manager in the Cntrller s Office is the designated Prgram Administratr and is respnsible fr the versight, develpment, implementatin and administratin f this ITPP. III. Relatinship t Other University Plicies & Prcedures We have reviewed ther plicies, prcedures and plans required by regulatins regarding the prtectin f ur custmer infrmatin in the frmulatin f this ITPP, including University Plicy 311, Data and Infrmatin Access and Security, and its supplemental regulatins and prcedures, and have attempted t establish this ITPP in a way that minimizes incnsistencies and duplicative effrts. Relatinship t GLBA, HIPAA, and FERPA: Nte that the Red Flags Rule is nt a data security regulatin. Per the FTC s Red Flags Rule FAQs, Gd data security practices like cllecting nly the persnal infrmatin yu need, prtecting that infrmatin, and securely dispsing f what yu n lnger need help ensure that persnal infrmatin des nt fall int the hands f identity thieves The Red Flags Rule picks up where data security leaves ff. 1 The Gramm-Leach-Bliley Act (GLBA) shuld cver any plicies and prcedures dealing with the actual safeguarding f identity credentials t prevent their theft. University Plicy speaks t the GLBA and assigns the Chief Infrmatin Security Officer (CISO) r designee as the Prgram Officer fr that plicy. In the same manner, the Health Insurance Prtability and Accuntability Act f 1996 (HIPAA) requires safeguarding f Prtected Health Infrmatin (PHI); the University s HIPAA cmpliance prgram is managed by the University s HIPAA Security Officer as described in University Plicy Finally, the Family Educatinal Rights and Privacy Act f 1974 (FERPA) requires safeguarding f educatin recrds; the University s FERPA cmpliance prgram is managed by the Office f Legal Affairs as described in University Plicy 402. The Red Flags Rule speaks t what happens if identity theft is suspected and the prcedures necessary t mitigate any further expsure t the University and custmer if identity theft des ccur. 1 FAQ D.1, Designing Yur Identity Theft Preventin Prgram 2

3 IV. Key Definitins fr purpses f this Prcedures Dcument Identity Theft - Any use r attempt by an individual t use anther persn s individual identifying infrmatin t btain a thing f value, including mney, credit, items, r services, such as medical care r educatin services t which the individual is nt entitled. Red Flag A pattern, practices, r specific activity that indicates the pssible existence f identity theft. Cvered Accunts Accunts thrugh which UNC Charltte cnducts financial activities that cause the University t be required t cmply with the Red Flags Rule n an institutin-wide basis. Persnally Identifiable Infrmatin (PII) - Any name r number that may be used, alne r in cnjunctin with any ther infrmatin, t identify a specific persn, including, but nt limited t: name; address; telephne number; scial security number; date f birth; gvernment-issued driver s license r identificatin number; passprt number; taxpayer identificatin number; credit, debit, r banking accunt numbers; unique electrnic identificatin number, including IP r ther cmputer identifying address; unique bimetric data such as fingerprint, vice print, retina r iris image r ther unique physical representatin. Key Areas University Departments/units that are expsed t the risk f identity theft by the fact that they: 1) regularly and significantly rely n, and/r 2) have access t mdify, PII. V. Identifying Red Flags & Key Areas T identify relevant identity theft Red Flags, we assessed these risk factrs: 1) the types f cvered accunts at the University, 2) ther Key Areas that are expsed t the risk f identity theft (as defined in Sectin IV), and 3) previus experience with identity theft. There are 22 Key Areas identified by the Prgram Administratr at UNC Charltte, as fllws: Key Area Div Reasn Enrllment Mgmt. Financial Aid AA Administers student emergency lans and lan accunts where UNC Charltte is the creditr (cnstitute a Cvered Accunts); Handles financial aid PII Enrllment Mgmt. Office f the Registrar AA Lgs and maintains the fficial academic recrd (which includes PII) fr all students Enrllment Mgmt. Residency Determinatin AA Receipt, review and maintenance f dcumentatin w/pii fr determinatin f NC residence classificatin, which determines tuitin charges Enrllment Mgmt. AA Prcesses Admissins PII Undergrad Admissins Graduate Schl AA Receives, prcesses, handles, and stres all applicatin fr admissin materials fr graduate applicants as well as internatinal undergraduate applicants 3

4 Graduate Schl AA Administers financial awards fr grad students, incl. schlarships, financial aid, and assistantships. Handles registrar services fr grad students (academic petitins, graduatin clearance, leaves f absence, etc.) Infrmatin Technlgy Services AA Manages system accesses and general infrmatin security Office f Internatinal Prgrams AA Manages internatinal student/faculty database Auxiliary Services 49er ID Card & Retail Services BA Administers 49er ID cards (cnstitutes a Cvered Accunt); Regularly handles cards w/pii Auxiliary Services Mail & BA Issues passprts; handles U.S. mail Package Services Auxiliary Services Parking and Transprtatin Services BA Issues parking permits based n driver-related PII and handles ther DMV-issued PII Facilities Management Mtr Fleet BA Requires cpy f driver's licenses t authrize use f UNC Charltte Mtr Fleet vehicles Financial Services BA Manages PCI cmpliance ecmmerce Financial Services BA Handles tax infrmatin fr the University Tax Office Financial Services Student Accunts BA Handles Student Accunts PII; Helps Financial Aid prcess student emergency lans and lan accunts where UNC Charltte is the creditr (cnstitute a Cvered Accunts) Human Resurces BA Administers emplyee lans up t $250 (cnstitutes a Cvered Accunt) Emplyee Relatins Human Resurces Infrmatin Systems (HRIS) BA Maintains faculty/staff paperwrk w/pii and requests fr related dcumentatin Human Resurces Staff Emplyment BA Handles faculty/staff paperwrk w/pii, including I-9s, backgrund cnsent frms, tax frms Plice and Public Safety BA Manages criminal incident database; Respnds t incidents where fraud is suspected Dean f Students Office, Office SA Manages student cnduct prcess and recrds f Student Cnduct Husing and Residence Life SA Handles Husing-related PII (students are mainly directed t My UNC Charltte t make changes) Student Health Center SA Handles Prtected Health infrmatin gverned by HIPAA In additin, we cnsidered Red Flags frm the fllwing five categries frm Supplement A t Appendix A f the FTC s Red Flags Rule, as they fit ur situatin: 1) alerts, ntificatins r warnings frm a credit reprting agency; 2) suspicius dcuments; 3) suspicius persnal identifying infrmatin; 4) suspicius accunt activity; and 5) ntices frm ther surces. We understand that sme f these categries and examples may nt be relevant t the University and sme may be relevant nly when cmbined r cnsidered with ther indicatrs f identity theft. We als understand that the examples are nt exhaustive r a mandatry checklist but a way t help ur emplyees think thrugh relevant red flags in the cntext f ur peratins. 4

5 Based n a review f the risk factrs, surces, and FTC examples f Red Flags, we have identified ur University s Red Flags, as listed in the first clumn ( Red Flag ) f Sectin VI, Red Flag Identificatin and Detectin Grid. VI. Red Flag Identificatin and Detectin Grid Nte that these prcedures are included here fr basic guidance. Mre detailed prcedures shuld be develped fr yur area as necessary. In general, the fllwing shuld be dne in all situatins where Red Flags are suspected: Once ptentially fraudulent activity is detected, an emplyee must act quickly, as a rapid apprpriate respnse can prtect individuals and the University frm damages and lss. At a minimum, the emplyee must ntify his r her supervisr, gather all related dcumentatin, and cmplete the Red Flag Detectin Frm, which is sent t the Red Flags Rule Prgram Administratr. Additinal investigatin f authenticating infrmatin will be cnducted t determine whether the attempted transactin was fraudulent r authentic. If a transactin is determined t be fraudulent, apprpriate actins must be taken immediately. Actins may include: Canceling the transactin; Ntifying and cperating with apprpriate law enfrcement; Determining the extent f liability f the University; and Ntifying the actual individual upn whm fraud has been attempted. Red Flag Detecting the Red Flag Categry: Alerts, Ntificatins r Warnings frm a Cnsumer Credit Reprting Agency 1. Ntice/reprt f fraud r active duty alert Verify activity reprted with applicant/ custmer. If verified, review the ntice, freeze, r degree f 2. Ntice/reprt f a credit freeze n an incnsistency with prir histry, and prceed with applicant evaluatin f applicant based n cnsumer reprt 3. Indicatin f activity that is incnsistent with an applicant s usual pattern r activity histry Examples: a large increase in the vlume f received. If unable t verify, d nt use this reprt in evaluating applicant n further actin required. inquiries r use f credit, especially n new accunts; an unusual number f recently established credit relatinships; r an accunt clsed because f an abuse f accunt privileges. 4. Ntice f address r ther discrepancy Cmpare reprted address (r ther infrmatin) with that prvided by applicant and, if necessary, cntact the applicant t verify. If address (r ther infrmatin) has been verified, 5

6 reprt t credit reprt agency. If unable t determine relatinship between the applicant and the ntice, d nt use the reprt t evaluate the applicant and ntify the applicant. N further actin required. Als see the FTC s Address Discrepancy rule (16 CFR part 641.1). Categry: Suspicius Dcuments 5. Identificatin presented lks altered, frged, r inauthentic. 6. The persn presenting identificatin des nt lk like the identificatin s phtgraph r physical descriptin. 7. The persn presenting identificatin cnveys infrmatin that differs frm what is indicated n the identificatin. 8. Infrmatin n the identificatin des nt match ther infrmatin n file fr the custmer (e.g., emplyee/student infrmatin in Banner). 9. A request fr infrmatin, applicatin, r ther dcument lks like it has been altered, frged, r trn up and reassembled. Retain and scrutinize identificatin r ther dcument presented t ensure: it is nt altered, frged, r trn up and reassembled; that the phtgraph and the physical descriptin n the identificatin match the persn presenting it; that the identificatin and the statements f the persn presenting it are cnsistent; and/r that the identificatin presented and ther infrmatin we have n file are cnsistent. Ntify management fr assistance if necessary. D nt prvide services until identity is prven. Categry: Suspicius Persnal Identifying Infrmatin 10. Identifying infrmatin is incnsistent with ther external infrmatin surces. Inspect infrmatin and cmpare with ther external infrmatin surces. Examples: an address that des nt match the address printed n a FAFSA frm, a Scial Security Number (SSN) that has nt been issued Retain infrmatin and ntify management fr assistance if necessary. D nt prvide services until identity is prven. r is listed n the Scial Security Administratin s (SSA s) Master Death File. 11. Identifying infrmatin is incnsistent with ther infrmatin prvided by the custmer Inspect infrmatin and ask custmer t validate which infrmatin is accurate. Examples: incnsistent dates f birth, SSNs, r addresses n tw frms received. Retain infrmatin and ntify management fr assistance if necessary. D nt prvide services until crrect identifying infrmatin is prven. 12. Identifying infrmatin is assciated with Inspect infrmatin and cmpare with dcumentatin 6

7 knwn fraudulent activity. Example: an address r phne number being used is als knwn t be assciated with a fraudulent applicatin. 13. Identifying infrmatin suggests fraud r is f the type cmmnly assciated with fraudulent activity. Examples: an address that is bviusly fictitius, an address that is fr a mail drp r a prisn, a phne number is invalid. 14. The SSN r University 800 number is the same as that submitted by anther custmer. 15. Address r phne number is the same as that presented by an unusually large number f ther custmers. 16. A custmer mits required persnal identifying infrmatin n an applicatin r ther frm r des nt prvide it in respnse t ntificatin that the applicatin/frm is incmplete. 17. Identifying infrmatin is incnsistent with internal infrmatin surces n file. indicating fraudulent activity. Retain infrmatin and ntify management fr assistance if necessary. D nt prvide services until identity is prven. Inspect infrmatin and determine its validity. Retain infrmatin and ntify management fr assistance if necessary. D nt prvide services until identity is prven. Inspect infrmatin and request t see the student s Scial Security card, 49er Card, r driver s license. Retain infrmatin and ntify management fr assistance if necessary. D nt prvide services until identity is prven. Place hld n riginal custmer wh prvided the duplicate ID number if identity is prven. Direct custmer t FTC Identity Theft website if necessary t learn what steps t take t recver frm identity theft. Request and inspect infrmatin t determine its validity. Retain infrmatin and ntify management fr assistance if necessary. D nt prvide services until identity is prven. D nt prvide services r award aid until applicatin/frm is cmplete. Inspect infrmatin and cmpare with infrmatin in Banner r ther fficial University systems f recrd r data files. Retain infrmatin and ntify management fr assistance if necessary. D nt prvide services until identity is prven. 7

8 18. A persn seeking access t systems r sensitive infrmatin cannt prvide authenticating infrmatin beynd what wuld be fund in a wallet r cnsumer credit reprt, r cannt answer a challenge questin. Example: Staff member cannt answer security challenge questin required t regain access t ecmmerce systems. D nt prvide services, reset passwrds, r therwise prvide access until identity is prven. Fllw any prtcls established t recver access t the system in questin (e.g., by ntifying the system administratr t send a reset passwrd link t the persn s ). Categry: Suspicius Accunt Activity 19. Change f address request fllwed shrtly by a request fr a name change. Request fficial dcumentatin reflecting name change (curt rder, marriage certificate, etc.) and cmpare with pht identificatin. Verify change f address previusly submitted. If custmer did nt initiate the actin(s) and identity theft f the custmer s infrmatin is suspected, direct custmer t FTC Identity Theft website t learn what steps t take t recver frm identity theft. 20. An accunt is used in a manner incnsistent with established patterns f activity n that accunt. Fr example, payments are n lnger made n an therwise cnsistently up-t-date accunt. 21. Mail sent t a custmer is returned repeatedly as undeliverable even thugh the accunt remains active. 22. Custmer ntifies UNC Charltte (via phne, , r in-persn) that the custmer is nt receiving mail. Banner autmatically places a financial hld n verdue accunts and restricts certain services frm being prvided until the hld has been remved by Student Accunts. Attempt t cntact the custmer via cntact infrmatin n file. Verify address infrmatin with custmer and ensure listed addresses are active. If address n file was nt entered by custmer, ntify management fr assistance. If identity theft f the custmer s infrmatin is suspected, direct custmer t FTC Identity Theft website t learn what steps t take t recver frm identity theft. 8

9 23. Custmer ntifies UNC Charltte (via phne, , r in-persn) that an accunt with the University has unauthrized activity. 24. Custmer ntifies UNC Charltte (via phne, , r in-persn) that unauthrized access t a University accunt that uses NinerNET authenticatin ( , My UNC Charltte, Mdle, 49er Mart, etc.) has ccurred. Example: Custmer is autmatically lgged ff during an nline sessin due t multiple lgin attempts frm an external site. Verify if the ntificatin is legitimate and invlves a UNC Charltte accunt. Ntify management fr assistance t investigate the activity. If custmer s accunt des have unauthrized activity and identity theft f the custmer s infrmatin is suspected, direct custmer t FTC Identity Theft website t learn what steps t take t recver frm identity theft. Verify if the ntificatin is legitimate and invlves a UNC Charltte accunt. Ntify management fr assistance t investigate the activity. Instruct custmer t reset the accunt passwrd immediately. If unauthrized access did ccur and identity theft f the custmer s infrmatin is suspected, direct custmer t FTC Identity Theft website t learn what steps t take t recver frm identity theft. Categry: Ntice Frm Other Surces 25. A custmer, identity theft victim, r law enfrcement agent ntifies UNC Charltte (via phne, , r in-persn) that an accunt has been pened r used fraudulently. 26. We learn that unauthrized access t the custmer s persnal infrmatin tk place r became likely due t data lss (e.g., lss f wallet, birth certificate, r laptp), leakage, r breach. Verify if the ntificatin is legitimate and invlves a UNC Charltte accunt. Ntify management fr assistance t investigate the activity and determine if any actins are needed (e.g., inactivating direct depsit, placing a financial hld n the accunt). Direct custmer t FTC Identity Theft website t learn what steps t take t recver frm identity theft, if custmer has nt already dne s. If the fraud ccurred during cnduct f University business, reprt the incident t Campus Plice and cmplete the Red Flag Detectin Frm. Verify if the ntificatin is legitimate and invlves a UNC Charltte accunt. Ntify management fr assistance t investigate the activity and determine if any actins are needed (e.g., inactivating direct depsit, placing a financial hld n the accunt). Als see University Plicy 311.5, Persnal Infrmatin Security Breach Ntificatin Prcedures. If identity theft f custmer s infrmatin is suspected, 9

10 VII. Preventing and Mitigating Identity Theft direct custmer t FTC Identity Theft website t learn what steps t take t recver frm identity theft. PROCEDURES TO PREVENT IDENTITY THEFT Student Enrllment T prevent identity theft assciated with the enrllment f a student, University persnnel shall take the fllwing steps t btain and verify the identity f the persn pening the accunt: Require certain Identifying Infrmatin such as name, date f birth, academic recrds, hme address r ther identificatin; and Verify the individual s identity at time f issuance f individual identificatin card (review f driver s license r ther gvernment-issued pht identificatin). Existing Accunts T prevent identity theft fr an existing Cvered Accunt, University persnnel shall take the fllwing steps t mnitr transactins n an accunt: Verify the identificatin f individuals if they request infrmatin (in persn, via telephne, via facsimile, via ); Verify the validity f requests t change billing addresses by mail r and prvide the individual a reasnable means f prmptly reprting incrrect billing address changes; and Verify changes in banking infrmatin given fr billing and payment purpses. Cnsumer ( Credit ) Reprt Requests T prevent identity theft regarding an emplyment r vlunteer psitin fr which a credit r backgrund reprt is sught, University persnnel shall take the fllwing steps t assist in identifying address discrepancies: Require written verificatin frm any applicant that the address prvided by the applicant is accurate at the time the request fr the credit reprt is made t the cnsumer reprting agency; and In the event that ntice f an address discrepancy is received, verify that the credit reprt pertains t the applicant fr whm the requested reprt was made and reprt t the cnsumer reprting agency an address fr the applicant that the University has reasnably cnfirmed is accurate. Prtectin f Identifying Infrmatin T further prevent the likelihd f Identity Theft ccurring during cnduct f University business, the University will take the fllwing steps with respect t its internal perating prcedures t prtect PII: Ensure that its website is secure r prvide clear ntice that the website is nt secure; Ensure cmplete and secure destructin f paper dcuments and cmputer files cntaining individual accunt infrmatin when a decisin has been made t n lnger maintain such infrmatin; Ensure that ffice cmputers with access t PII are passwrd prtected; Ensure that laptps are passwrd prtected and encrypted; Avid use f scial security numbers when pssible; Ensure the security f physical facilities that cntain PII; Ensure that transmissin f PII is limited and encrypted when necessary; 10

11 Ensure cmputer virus prtectin is up t date; and Require and keep nly the kinds f individual infrmatin that are necessary fr University purpses. Hard Cpy Distributin Each emplyee and cntractr perfrming wrk fr the University will cmply with the fllwing security measures related t hard cpy files with PII: File cabinets, desk drawers, verhead cabinets, and any ther strage space cntaining dcuments with PII will be lcked when nt in use, when unsupervised, and at the end f each wrkday. Desks, wrkstatins, wrk areas, printers and fax machines, and cmmn shared wrk areas will be cleared f all dcuments cntaining PII when nt in use. Whitebards, dry-erase bards, writing tablets, and ther writing surfaces in cmmn shared wrk areas with PII will be erased, remved, r shredded when nt in use. When dcuments cntaining PII are discarded, they will be placed inside a lcked shred bin r immediately shredded using a mechanical crss cut r Department f Defense-apprved shredding device. Lcked shred bins are labeled Cnfidential paper shredding and recycling. PROCEDURES TO MITIGATE IDENTITY THEFT In the event that University persnnel are ntified f a Red Flag r ur detectin prcedures shw evidence f a Red Flag, such persnnel shuld take the steps utlined belw, as apprpriate t the type and seriusness f the threat: Watch. We will mnitr, limit, r temprarily suspend activity in the accunt until the situatin is reslved. Check with the custmer. We will cntact the custmer, describe what we have fund, and verify with them that there has been an attempt at identify theft. Change passwrds. We will change any passwrds r ther security measures that permit access t the affected accunt(s). Deny new accunts. If we find that the applicant is using an identity ther than his r her wn, we will deny pening any new accunts. Prvide new identificatin. If a custmer s identificatin number has been cmprised, we will prvide the individual with a new 800 number. Heightened risk. We will determine if a particular reasn exists that has made it easier fr an intruder t seek access, such as a custmer s lst wallet, mail theft, a data security incident, r the ccurrence f a custmer giving his r her accunt infrmatin t an impster pretending t represent the University r t a fraudulent website. Check similar accunts. We will review similar accunts the custmer has with the University t see if ther attempts t access them withut authrizatin have been made. 11

12 VIII. Cllect incident infrmatin. Persnnel will cmplete a Red Flag Detectin Frm, which is sent t the Red Flags Rule Prgram Administratr. Reprt. If we find that the applicant is using an identity ther than his r her wn, we will reprt it t the campus plice ( ), wh may determine if it is subsequently necessary t ntify ther federal r state agencies if rganized r widespread crime is suspected r, if mail is invlved, the US Pstal Inspectr. Service Prviders In the event the University engages a Service Prvider t perfrm an activity in cnnectin with ne r mre f its Cvered Accunts, the University will take the fllwing steps t ensure the Service Prvider perfrms its activities in accrdance with reasnable plicies and prcedures designed t detect, prevent and mitigate the risk f Identity Theft: Require, by signed cntract, that Service Prviders have such plicies and prcedures in place; and Require, by signed cntract, that Service Prviders review the University s Prgram and reprt any Red Flags t the Prgram Administratr. IX. Prgram Administratin The Prgram Administratr, currently the Cmpliance Manager in the Cntrller s Office, is respnsible fr develping, implementing, and administering the University s ITPP. Apprpriate staff shall reprt t the Prgram Administratr at least annually n cmpliance by the University with this Prgram. The reprt shall address matters such as the effectiveness f the plicies and prcedures f the University in addressing the risk f Identity Theft in cnnectin with the pening f Cvered Accunts and with respect t existing Cvered Accunts; Service Prvider arrangements; significant incidents invlving Identity Theft and the University s respnse; and recmmendatins fr material changes t the Prgram. X. Key Resurces University Red Flags Rule pages: Overview: Annual Survey: Red Flag Detectin Frm: FTC Resurces: FTC Data Security resurces: Fighting Identity Theft with the Red Flags Rule: A Hw-T Guide fr Business 12

13 FTC Cnsumer Infrmatin: Identity Theft XI. Acrnyms CFR Cde f Federal Regulatins CISO Chief Infrmatin Security Officer FACTA Fair and Accurate Credit Transactins Act FAFSA Free Applicatin fr Federal Student Aid FCRA Fair Credit and Reprting Act FERPA Family Educatinal Rights and Privacy Act f 1974 FTC Federal Trade Cmmissin GLBA Gramm-Leach-Bliley Act HIPAA Health Insurance Prtability and Accuntability Act f 1996 ITPP Identity Theft Preventin Prgram ITS Infrmatin Technlgy Services department NCRA Natinwide Cnsumer Reprting Agency (Experian, Equifax, TransUnin) PHI Prtected Health Infrmatin PII Persnally Identifiable Infrmatin SSA Scial Security Administratin SSN Scial Security Number XII. Dcument Histry and Annual Review These Prcedures were cnstructed using varius resurces, including the University s ITPP, the FTC FACT Act Red Flags Rule Template, and The University f Texas at San Antni s Red Flags Rule plicy. The fllwing departments cntributed t the creatin and review f this dcument: Financial Services, the Office f Legal Affairs, the Internal Audit Department, and the ITS Infrmatin Systems Cmpliance Office. The cntributins and cllabratin amng the staff within these departments are gratefully acknwledged. Creatin date: June 2013 Our identity theft plicies, prcedures and internal cntrls will be reviewed and updated peridically t ensure they accunt fr changes bth in regulatins and in ur peratins. Revisin dates: March 2014 (updated links); April 2014 (updated Key Areas); June 2015 (updated Key Areas & links); Octber 2015 (updated 49er Express text t My UNC Charltte) 13