Identity Theft Prevention Program




Identity Theft Prevention Program
Illinois College of Optometry
Illinois Eye Institute
Effective Date: May 2009
Revised:
Review Dates:

IDENTITY THEFT PREVENTION POLICY STATEMENT

The Illinois College of Optometry (ICO) and Illinois Eye Institute (IEI) have an obligation to comply with the Fair Credit Reporting Act, as amended by the Fair and Accurate Credit Transactions Report Act which includes the requirements set forth by the Interagency Final Rules and Guidelines implementing Sections 114 and 315 of the Act and is governed by the Federal Trade Commission. It is the responsibility of ICO not only to comply with the requirements of the law, but also to be proactive in the prevention of identity theft at ICO/IEI, and to be vigilant in the performance of ICO/IEI's identity theft prevention program.

In response to the requirements of this legislation, ICO/IEI has outlined the procedures that will be followed. In order to adequately address this legislation, and due to the different types of transactions performed by ICO and IEI, this policy and procedure statement will provide guidelines as to how ICO/IEI will address the requirements. This Policy supplements and applies in conjunction with ICO/IEI's related policies and programs pertaining to security, student identification, privacy, patient privacy (HIPAA), Information Security, Financial Aid and Business Office or any other relevant policies.

KEY COMPONENTS OF THE IDENTITY THEFT PREVENTION PROGRAM

Governance Oversight

The Board of Trustees Audit Committee or a designated committee of the Board is responsible for reviewing and approving the Identity Theft Prevention ("ITP") Program initially and when the policy is significantly revised.

Program Administration

The Compliance Office shall be responsible for the oversight of the implementation of ICO/IEI's compliance with the requirements. As appropriate, the Compliance Office will provide reports addressing significant regulatory trends, compliance initiatives, and emerging risks to bodies such as the Board of Trustees or Audit Committee and to College/IEI departments.

Department supervisors are responsible for day-to-day operational implementation of the Identity Theft program. Department supervisors and/or their designees are accountable for the following responsibilities:

- Establishing and assessing departmental efforts for compliance with the Identity Theft program, detecting and preventing Identity Theft, and reporting of suspicious activity.
- Conducting testing for compliance with the Identity Theft laws and program and ICO/IEI's internal policies and procedures regarding Identity Theft prevention compliance.
- Training personnel regarding Identity Theft laws and internal Identity Theft program and procedures.
- Enforcing Identity Theft prevention requirements when deviations from program or procedure are found.

Written Identity Theft Prevention Program

ICO/IEI will maintain a written Identity Theft Prevention Program ("ITP") that is designed to detect, prevent and mitigate identity theft in connection with the opening of a Covered Account or the maintenance of any existing Covered Account. The program will be appropriate based on the size, nature and complexity of ICO/IEI's operations, and shall include reasonable policies and procedures to:

- Identify relevant indicators ("Red Flags") for the Covered Accounts that ICO/IEI offers or maintains, and incorporate those Red Flags into ICO/IEI's ITP Program;
- Detect Red Flags that have been incorporated into ICO/IEI's ITP Program;
- Respond appropriately to any Red Flags that are detected to prevent and mitigate Identity Theft; and
- Ensure the ITP Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to students, patients and employees and to the safety and soundness of ICO/IEI from Identity Theft.

Frequency of Policy/Program Review

This policy and program will be reviewed no less than annually. The Compliance Office is responsible for determining that the Identity Theft Prevention Policy addresses the most current regulatory requirements and is authorized to propose changes to the Policy. The Compliance Office will update the Identity Theft Prevention Program (including the Red Flags determined to be relevant) periodically, to reflect changes in risks to students, patients and employees or to the safety and soundness of ICO/IEI from Identity Theft, based on factors such as:

- ICO/IEI's experiences with Identity Theft;
- Changes in methods of Identity Theft;
- Changes in methods to detect, prevent, and mitigate Identity Theft;
- Changes in the types of accounts ICO/IEI offers or maintains; and
- Changes in the business arrangements of ICO/IEI, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

TRAINING

The Compliance Office and department managers are responsible for developing and maintaining the content which will be used to train all employees in areas identified as having risk of exposure to Identity Theft and/or those areas responsible for compliance with this Program. Each area shall be responsible for ensuring that its respective employees receive the required training in the manner and time specified by the Compliance Office. Each area shall also be responsible for ensuring new employees receive the required training and for providing any additional training specific to the respective area as needed.

Appropriate training may be conducted via live presentations, Internet training, teleconference, written materials, one-on-one demonstration or any other reasonable learning vehicle for the material and audience. Records of training must be maintained sufficient to demonstrate the effectiveness of the program.

IDENTITY THEFT PREVENTION PROGRAM ELEMENTS

Definitions

For the purposes of this Program, the following definitions apply:

COVERED ACCOUNT: An account that ICO/IEI offers or maintains primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions such as a student account, institutional loans to students, deferment of tuition payments; patient accounts for health care services and any other account that ICO/IEI offers or maintains for which there is a reasonably foreseeable risk to students or to the safety and soundness of ICO/IEI from identity theft, including financial, operational, compliance, reputation or litigation risks.

CREDITOR: Any organization who defers payment for services rendered, such as an organization that bills at the end of the month for services rendered the previous month.

CLEAR AND CONSPICUOUS: Reasonably understandable and designed to call attention to the nature and significance of the information presented.

IDENTITY THEFT: A fraud committed or attempted using the identifying information of another person without authority.

IDENTIFYING INFORMATION: Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any:

- Name, social security number, date of birth, official State or government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number;
- Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
- Unique electronic identification number, address, or routing code; or
- Telecommunication identifying information or access device.

NOTICE OF ADDRESS DISCREPANCY: A notice sent to a user by a consumer reporting agency pursuant that informs the user of a substantial difference between the address for the student that the user provided to request the consumer report and the address(es) in the agency's file for the student.

RED FLAG: A pattern, practice, or specific activity that indicates the possible existence of identity theft.

SERVICE PROVIDER: A person that provides a service directly to ICO/IEI.

Assessment of Identity Theft Risks

Risk is the potential that events, expected or unanticipated, may have an adverse impact on students, patients and employees. Effective identity theft risk management requires an understanding of existing and potential risks that may arise from ICO/IEI operations. The Compliance Office will periodically conduct a risk assessment to determine whether it offers or maintains Covered Accounts, as well as the risk associated with the Covered Accounts offered or maintained by ICO/IEI.

Identification of Red Flags

ICO/IEI will identify and periodically assess, together with existing policies, procedures and processes to identify and document the Red Flags relevant to its operations. As part of this determination, ICO/IEI will incorporate relevant Red Flags from sources such as:

- Incidents of Identity Theft that ICO/IEI has experienced;
- Methods of Identity Theft that ICO/IEI has identified that reflect changes in Identity Theft risks; and
- Applicable supervisory guidance
- Relevant resources.

The ITP Program includes, as appropriate, Red Flags from the following categories:

Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services or credit reporting agencies

1. A fraud alert included with a consumer report such as a credit report.
2. Notice of a credit freeze in response to a request for a credit report.
3. A credit reporting agency providing a notice of address discrepancy.
4. Unusual credit activity, such as an increased number of accounts or inquiries.

The presentation of suspicious documents

5. Identification appearing altered or forged.
6. Photograph on ID inconsistent with appearance or physical description.
7. Information on ID inconsistent with information provided by person opening account.
8. Information on ID, such as signature, inconsistent with information on file.
9. Application appearing forged or altered or destroyed and reassembled.

The presentation of suspicious personal identifying information

10. Information on ID not matching any address in the consumer report, Social Security number has not been issued or appears on the Social Security Administration's Death Master File, a file of information associated with Social Security numbers of those who are deceased.
11. Lack of correlation between Social Security number range and date of birth.
12. Personal identifying information associated with an account you know to have fraud activity.
13. Suspicious addresses supplied, such as a mail drop or prison, or phone numbers associated with pagers or answering service.
14. Social Security number provided matching that submitted by another person opening an account or other customers.
15. An address or phone number matching one that has been used by a large number of people opening accounts.
16. The person opening the account unable to supply identifying information in response to notification that the application is incomplete.
17. Personal information inconsistent with information already on file at financial institution or creditor.
18. Person opening account or customer unable to correctly answer challenge questions beyond what information can be found in a wallet or credit report.

The unusual use of, or other suspicious activity related to an account

19. Shortly after change of address, receiving request for additional users of account.
20. Most of available credit used for cash advances, jewelry or electronics (items that can easily be converted to cash), plus customer fails to make first payment.
21. Drastic change in payment patterns, use of available credit or spending patterns.
22. An account that has been inactive for a lengthy time suddenly exhibiting unusual activity.
23. Mail sent to customer repeatedly returned as undeliverable despite ongoing transactions on active account.
24. Being notified that customer is not receiving paper account statements.
25. Being notified of unauthorized charges or transactions on an account.

Notice from an account holder, victims of Identity Theft, law enforcement authorities, or other persons regarding possible Identity Theft in connection with an account held by ICO/IEI

26. Being notified that it has opened a fraudulent account for a person engaged in identity theft.

Prevention and Mitigation of Identity Theft

ICO/IEI may maintain many different types of covered accounts in several different departments. These covered accounts include, but are not limited to:

- Student demographic information such as applications, registration, etc.
- Student financial accounts for tuition and fees, room and board, bookstore, etc.
- Perkins Loan accounts
- Student Emergency Loan accounts
- ICO One card accounts
- Health Professions Loan accounts
- Patient demographic and financial accounts
- Health care records
- Employee demographic accounts such as benefit transactions, payroll and health insurance

Prevention of identity theft has many mechanisms but some include:

- Ensuring websites are secure
- Complete and secure destruction of paper records
- Password protected computers
- Avoiding the use of Social Security numbers; using only the last four digits
- Up-to-date virus protection
- Identification verification
- Obtaining the least information necessary

Detection of Red Flags

ICO/IEI will take appropriate steps to detect Red Flags in connection with the opening of Covered Accounts and the maintenance of existing Covered Accounts, such as by:

- Obtaining identifying information about, and verifying the identity of, a person opening a Covered Account; and
- Authenticating identification, monitoring transactions, and verifying the validity of change of address requests, in the case of existing Covered Accounts.

Response to Red Flags

ICO/IEI will respond appropriately to the Red Flags it has detected commensurate with the degree of risk posed. In determining an appropriate response, management will consider aggravating factors that may heighten the risk of Identity Theft, such as a data security incident that results in unauthorized access to account records held by ICO/IEI or third party, or notice that a student, patient or employee has provided information related to a Covered Account held by ICO/IEI to someone fraudulently claiming to represent ICO/IEI or to a fraudulent website. Appropriate responses may include the following:

- Monitoring a Covered Account for evidence of Identity Theft;
- Contacting the account holder;
- Changing any passwords, security codes, or other security devices that permit access to a Covered Account;
- Reopening a Covered Account with a new account number;
- Not opening a new Covered Account;
- Closing an existing Covered Account;
- Not attempting to collect on a Covered Account or not sending a Covered Account to a debt collector;
- Notifying law enforcement; and/or
- Determining that no response is warranted under the particular circumstances.

Oversight of Service Provider Arrangements

When ICO/IEI engages a Service Provider to perform an activity in connection with one or more Covered Accounts, ICO/IEI will take appropriate steps to ensure that any activities of the service provider are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of Identity Theft. The oversight of Service Providers shall be performed according to the standards set forth by ICO/IEI's Identity Theft Program, patient information (HIPAA), Information Security and other relevant policies.