THE CITY UNIVERSITY OF NEW YORK IDENTITY THEFT PREVENTION PROGRAM




1. Program Adoption

The City University of New York (the "University") developed this Identity Theft Prevention Program (the "Program") pursuant to the Federal Trade Commission's Red Flags Rule (the "Rule"), which implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003. On November 9, 2007, a joint notice of final rulemaking was published in the Federal Register (72 FR 63718) finalizing the Rule. The Rule requires each creditor that offers or maintains one or more "covered accounts", as defined below, to develop and provide for the continuing administration of a written program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or with any existing covered account.

This Program was developed with oversight and approval of the University's Board of Trustees. After consideration of the size and complexity of the University's operations and account systems, and the nature and scope of the University's activities, the University's Board of Trustees determined that the Program was appropriate for the University and therefore approved the Program, to be effective as of October 1, 2009.

2. Definitions

2.1 "Covered Account" means: (1) An account that a Creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and (2) any other account that the Creditor offers or maintains for which there is a reasonably foreseeable risk to Customers or to the safety and soundness of the Creditor from Identity Theft, including financial, operational, compliance, reputation, or litigation risks. Examples of Covered Accounts at the University include Perkins loan accounts, tuition payment plan accounts, and accounts established for the repayment of loans provided to students by the University's college associations, which, for the purpose of the Program, will be considered to be part of the University.
2.2 "Creditor" means any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.

2.3 "Customer" means any person who has a Covered Account with the University.

2.4 "Identity Theft" means a fraud committed or attempted using the Identifying Information of another person without authority.

2.5 "Identifying Information" means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including but not limited to any name, social security number, date of birth, government issued driver's license or identification number, alien registration number, government passport number, and employer or taxpayer identification number.

2.6 "Program Administrator" means the individual designated with primary responsibility for oversight of the Program, as described in Section 7.1 below.

2.7 "Red Flag" means a pattern, practice, or specific activity that indicates the possible existence of Identity Theft.

3. Identification of Red Flags

In order to identify relevant Red Flags, the University has considered the types of Covered Accounts that it offers and maintains, the methods it provides to open and to access these accounts, and its previous experiences with Identity Theft. The University has identified the following Red Flags in each of the five listed categories:

3.1 Suspicious Documents

- Documents provided for identification appear to have been altered or forged.
- The photograph or physical description on the identification is not consistent with the appearance of the Customer presenting the identification.
- Other information on the identification is not consistent with information provided by the person opening a new Covered Account or the Customer presenting the identification.
- Other information on the identification is not consistent with readily accessible information that is on file with the University.
- An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

3.2 Suspicious Personal Identifying Information

- Personal Identifying Information provided is not consistent with personal Identifying Information that is on file with the University.
- Personal Identifying Information provided is not consistent with external information sources used by the University.

- Personal Identifying Information provided by the Customer is not consistent with other personal Identifying Information provided by the Customer.
- Personal Identifying Information provided is associated with known fraudulent activity, as indicated by internal or third-party sources used by the University.
- Personal Identifying Information provided is of a type commonly associated with fraudulent activity, as indicated by internal or third-party sources used by the University.
- The social security number provided is the same as that submitted by other persons opening an account or other Customers.
- The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other Customers.
- The person opening the Covered Account or the Customer fails to provide all required personal Identifying Information on an application or in response to notification that the application is incomplete.
- If the University uses a challenge question for the purpose of authentication, the person opening the Covered Account or the Customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

3.3 Unusual Use of, or Suspicious Activity Related to, the Covered Account

- Shortly following the notice of a change of address for a Covered Account, the University receives a request for a new, additional, or replacement card or for the addition of authorized users on the account.
- A new revolving credit account is used in a manner commonly associated with known patterns of fraud.
- A Covered Account is used in a manner that is not consistent with established patterns of activity on the account.

- A Covered Account that has been inactive for a reasonably lengthy period of time is used.
- Mail sent to the Customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the Customer's Covered Account.
- The University is notified that the Customer is not receiving paper account statements.
- The University is notified of unauthorized charges or transactions in connection with a Covered Account.
- Unauthorized access to or inappropriate disclosure of Identifying Information occurs in connection with a Covered Account.

3.4 Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons regarding Possible Identity Theft in Connection with Covered Accounts

- The University is notified by a Customer, a victim of Identity Theft, a law enforcement authority, or any other person that the University has opened a fraudulent account for a person engaged in Identity Theft.

3.5 Alerts, Notifications, or Warnings from a Consumer Reporting Agency

- A fraud or credit alert is included with a consumer report.
- A notice of credit freeze on a consumer report is provided from a consumer reporting agency.
- A consumer reporting agency provides a notice of address discrepancy.
- A consumer report indicates a pattern of activity inconsistent with the history and usual pattern of activity of a Customer.

4. Detecting Red Flags

4.1 Student Enrollment

In order to detect any of the Red Flags identified in Section 3 above associated with the enrollment of a student, University personnel will take the following steps to obtain and verify the identity of the person opening the account:

- Require certain Identifying Information such as name, date of birth, academic records, home address, or other identification; and
- Verify the student's identity at time of issuance of a student identification card, including review of a driver's license or other government-issued photo identification.

4.2 Existing Accounts

In order to detect any of the Red Flags identified in Section 3 above for an existing Covered Account, University personnel will take the following steps to monitor transactions on an account:

- Verify the identification of a student in person or via telephone if he or she requests information related to the Covered Account by asking questions with readily accessible information that is on file with the University;
- Verify the validity of a student request by mail or e-mail to change an address or banking information in connection with the Covered Account by asking questions with readily accessible information that is on file with the University; and
- Provide students a reasonable means of promptly reporting incorrect changes in addresses or banking information in connection with Covered Accounts.

4.3 Consumer Report Requests

In order to detect any of the Red Flags identified in Section 3 above in a case in which the University seeks a consumer report, University personnel will take the following steps to assist in identifying address discrepancies:

- Require written verification from the subject of the consumer report that the address provided by him or her is accurate at the time the request for the consumer report is made to the consumer reporting agency; and
- In the event that notice of an address discrepancy is received, verify that the consumer report pertains to the subject of the requested report and report to the consumer reporting agency an address for the applicant that the University has reasonably confirmed is accurate.

5. Preventing and Mitigating Identity Theft

In the event any University personnel detects any of the Red Flags identified in Section 3 above, he or she will take one or more of the following steps, depending on the degree of risk posed by the Red Flag:

- Not open a new Covered Account;
- Change any passwords or other security devices that permit access to the Covered Account;
- Contact the student or the applicant for which a consumer report was run;
- Notify the Program Administrator or his or her designee to determine the appropriate step(s) to take;
- Continue to monitor the Covered Account for evidence of Identity Theft;
- Notify law enforcement; and/or
- Determine that no response is warranted under the particular circumstances.

6. Protecting Identifying Information

In order to further prevent the likelihood of Identity Theft occurring with respect to Covered Accounts, the University has established and disseminated Information Technology Security Procedures to limit access and disclosure of Identifying Information and require that all individuals permitted access to such information in University files and systems, whether in computerized or printed form, are continually responsible for maintaining the integrity, accuracy, and privacy of such information. These Information Technology Security Procedures are available online at http://prtal.cuny.edu/cms/id/cuny/dcuments/infosec/plicies/pdfs/plicy8.pdf

7. Program Administration

7.1 Oversight

The development, implementation, and updating of the Program are the responsibility of the University's Identity Theft Prevention Committee (the "Committee") established under the Program. The Committee will be headed by the Program Administrator, who will be the University Controller or his or her designee. Two or more other individuals who represent functional departments within the University that are responsible for opening and/or maintaining Covered Accounts and who are appointed by the Program Administrator will comprise the remainder of the Committee's membership.
The Committee will be responsible for ensuring appropriate training of University personnel with respect to the Program, reviewing any reports concerning the detection of Red Flags and the steps for preventing and mitigating Identity Theft, determining which steps of prevention and mitigation should be taken in particular circumstances, and considering periodic changes in the Program.

7.2 Staff Training and Reports

University personnel responsible for implementing the Program will be trained under the direction of the Committee to detect Red Flags and determine the responsive steps to be taken when a Red Flag is detected. University personnel will be trained, as necessary, to carry out the Program effectively. University personnel are expected to notify the Committee once they become aware of an incident of Identity Theft or the University's failure to comply with the Program.

At least annually or as otherwise requested by the Committee, University personnel responsible for the development, implementation, and administration of the Program will report to the Committee on compliance with the Program. The report will cover such issues as effectiveness of the University's policies and procedures in addressing the risk of Identity Theft in connection with the opening and maintenance of Covered Accounts, the effectiveness of the University's service provider arrangements in complying with the Program, significant incidents involving Identity Theft at the University and the University's response, and recommendations for changes in the Program.

7.3 Service Provider Arrangements

In the event the University has engaged or engages in the future any service provider to perform an activity in connection with any Covered Accounts, the University will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of Identity Theft:

- Require, by contract, that the service provider have its own similar policies and procedures in place; and
- Require, by contract, that the service provider review the University's Program and report any Red Flags to the Program Administrator or the University employee with primary oversight of the relationship with the service provider.

7.4 Program Updates

The Committee will periodically review and update the Program to reflect changes in risks to Customers or to the safety and soundness of the University from Identity Theft.
In doing so, the Committee will consider the University's experiences with Identity Theft, changes in methods of Identity Theft, changes in methods to detect, prevent, and mitigate Identity Theft, and changes in the University's business arrangements with other entities. After considering these factors, the Committee will determine whether changes in the Program, including the list of Red Flags, are warranted. If warranted, the Committee will update the Program.