Identity Theft Prevention, Detection, and Mitigation Program

Handbook of Operating Procedures 3-2040

Effective January 31, 2014
Executive Sponsor: Senior Vice President and Chief Financial Officer
Policy Owner: Associate Director Treasury, Records and Risk Management

The University of Texas at Austin ("University") will develop, maintain and update an Identity Theft Prevention, Detection and Mitigation Program (Program) to detect, prevent, and mitigate identity theft in accordance with 16 CFR 681.2, the Federal Trade Commission's "Red Flag Rules".

Reason for Policy

To establish an identity theft prevention program designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or an existing covered account and provide continued administration of the Program in compliance with federal laws and regulations.

Scope & Audience

This policy applies to all employees.

Definitions (specific to this policy)

Account:

any continuing relationship between the University and an account holder that permits the account holder to obtain a product or service for personal, family, household, or business purposes. It may involve the extension of credit for the purchase of a product or service, or a deposit account.

Account Holder:

student, employee, retired employee, or other person that has a covered account held by or on behalf of the University.

Covered Account:

an account that involves or is designed to permit multiple payments or transactions, and which is primarily for personal, family, or household purposes. This account may be maintained by the University or by a third party vendor on behalf of the University. A covered account is also any account for which there is a reasonably foreseeable risk of identity theft. Examples of covered accounts include, but are not limited to:

student loan and tuition accounts
accounts associated with student debit cards and meal plans

Identity Theft:

any use or attempt by an individual to use another person's individual identifying information to obtain a thing of value including money, credit, items, or services, such as education services to which the individual is not entitled.

Individual Identifying Information:

any information which may be used alone or with other information to identify an individual, including, but not limited to:

name
social security number
date of birth
telephone/cell number
government issued driver's license or identification number
alien registration number
passport number
employer or taxpayer identification number
credit/debit/banking account numbers
unique biometric data such as fingerprint, voice print, retina or iris image or other unique physical representation
unique electronic identification number, address, or routing code; IP or other computer identifying address; or telecommunication identifying information or other access device.

Red Flag:

a suspicious pattern, practice, or specific activity in connection with a University covered account that indicates a possible existence of identity theft.

Responsible Party:

appropriate senior officer or employee with sufficient training, experience, and authority to develop, maintain, and oversee compliance with the University's Program.

Website (for policy)

https://secure4.compliancebridge.com/utexas/public/getdoc.php?file=3-2040

Contacts

CONTACT

DETAILS

WEB

Office of Financial Affairs

Phone: 512-471-1422

Website:

http://www.utexas.edu/business/index.html

Student Accounts Receivable

Phone: 512-475-7779

Website:

http://www.utexas.edu/business/accounting/sar/

Housing and Foods

Phone: 512-471-6318

Website:

http://www.utexas.edu/student/housing/

Responsibilities & Procedures

Responsible Party

The president appoints the vice president and chief financial officer as the responsible party for developing the University's written Identity Theft Prevention, Detection, and Mitigation Program (Program) and providing reports on compliance.

Identity Theft Prevention, Detection, and Mitigation Program (Program)

The written Program must:

identify covered accounts.
take into consideration the University's previous identity theft experiences.
take into consideration the methods the University uses to open accounts and provide access to them.

The responsible party, as appropriate, may incorporate into the Program any existing policies and procedures that promote the purpose of the Program.

The responsible party may also incorporate information security tools currently available at the University, to the extent these tools can assist with implementation of the Program.

The University president must approve the written Program.

Elements of the Written Program

The Program must include:

Covered Accounts. A list of all departments and offices identified as holding covered accounts subject to the Program.

Defined Responsibility. The officer or employee responsible for oversight, compliance, and periodic risk assessment to keep the Program up to date and keep the department or office in compliance with the Program and the Red Flag Rules.

Red Flag Identification. Identification of the relevant "Red Flags" associated with the covered accounts within a department.

Practices and Procedures. Practices and procedures designed to perform the following:

identify "Red Flags" for covered accounts and incorporate them into the Program;
detect the presence of "Red Flags" in connection with all covered accounts the Program incorporates;
respond appropriately to detected "Red Flags" to prevent and mitigate identity theft;
update the Program periodically to reflect changes in risks.

Risk Assessment. A requirement for University departments to conduct periodic risk assessments to determine if the department has responsibility for covered accounts, which should be added to the Program.

Monitoring and Reporting

A periodic review and update of the Program conducted at least annually. The review must reflect changes in risk associated with identity theft by performing an assessment of experiences since the previous review, taking into consideration:
- incidents of identity theft occurring since last review.
- changes in methods of identity theft.
- changes in the type of accounts the department maintains.
- changes in methods to detect, prevent, and mitigate identity theft.
The responsible party shall make periodic reports to an appropriate University officer or committee to ensure compliance with the Program.
The responsible party shall report to the president at least annually on compliance with the Program. The report shall address material matters related to the Program and evaluate issues such as:
- the effectiveness of policies and procedures in addressing the risk of identity theft in connection with opening or maintaining covered accounts.
- third party service provider agreements relating to covered accounts.
- significant incidents involving identity theft and management's response.
- recommendations for material changes to the Program.

Training. A requirement the University must provide initial and subsequent periodic training of all University employees as necessary to implement and enforce the Program effectively.

Forms & Tools

None

Frequently Asked Questions

None

Related Information

FTC's "Red Flags Rule"

Handbook of Business Procedures:

Red Flag Rule - General Information