Chapter 8: Identity Theft Prevention, Detection and Mitigation Policy (Red Flags Rule)
8.1 Policy Overview
The Ãå±±ÂÖ¼é of Texas at El Paso ("Ãå±±ÂÖ¼é") will develop, maintain and update an Identity Theft Prevention, Detection and Mitigation Program ("Program") to detect, prevent and mitigate identity theft in accordance with , the Federal Trade Commission's "Red Flags Rule."
8.2 Definitions
8.2.1 Account: Any continuing relationship between the Ãå±±ÂÖ¼é and an Account Holder that permits the Account Holder to obtain a product or service for personal, family, household or business purposes. It may involve the extension of credit for the purchase of a product or service, or a deposit account.
8.2.2 Account Holder: Student, employee, retired employee, patient or other person that has a Covered Account held by or on behalf of the Ãå±±ÂÖ¼é.
8.2.3 Covered Account: An Account the Ãå±±ÂÖ¼é offers or maintains or is offered or maintained by a vendor or other third party on behalf of the Ãå±±ÂÖ¼é primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and any other Account the Ãå±±ÂÖ¼é offers or maintains for which there is a reasonably foreseeable risk to an Account Holder or to the safety and soundness of the Ãå±±ÂÖ¼é from Identity Theft, including financial, operational, compliance, reputation, or litigation risks. Examples of Covered Accounts include, but are not limited to: student loans and tuition accounts; patient medical service Accounts; Accounts associated with employee benefits; student debit cards; and meal plans.
8.2.4 Identity Theft: Any use or attempt by an individual to use another person’s individual identifying information to obtain a thing of value including: money; credit; items; or services, such as medical care or education services; to which the individual is not entitled.
8.2.5 Individual Identifying Information is any information that may be used alone or with other information to identify an individual, including, but not limited to:
- name;
- social security number;
- date of birth;
- telephone/cell number;
- government issued driver’s license or identification number;
- alien registration number;
- passport number;
- employer or taxpayer identification number;
- credit/debit/banking account numbers;
- unique biometric data such as fingerprint, voice print, retina or iris image or other unique physical representation;
- unique electronic identification number; address or routing code; IP or other computer identifying address; or telecommunication identifying information or other access device.
8.2.6 Red Flag: Suspicious patterns or practices, or specific activities that indicate the possibility that identity theft may occur or is occurring in connection with the Ãå±±ÂÖ¼é’s Covered Accounts.
8.2.7 Responsible Party: Appropriate senior officer or employee with sufficient training, experience and authority to develop, maintain, and oversee compliance with the Ãå±±ÂÖ¼é’s Program.
8.3 Policy Contact(s)
The Office of the Vice President for Business Affairs (VPBA) is responsible for this policy.
8.4 Procedures
8.4.1 Responsible Party
8.4.1.1 The President shall appoint the Responsible Party.
8.4.1.2 The President has appointed the Vice President for Business Affairs (VPBA) as the Responsible Party under this policy.
8.4.1.3 The VPBA has assigned the Associate Vice President for Business Affairs (AVPBA) as the program administrator and is responsible for developing, implementing and maintaining the Identity Theft Prevention, Detection and Mitigation Program. A copy of this Program is maintained on file.
8.4.1.4 The AVPBA is also responsible for identifying those areas where covered accounts are held by the Ãå±±ÂÖ¼é, ensuring Ãå±±ÂÖ¼é personnel are appropriately trained and providing an annual report to the President on compliance with the program. A copy of this report is maintained on file.
8.4.2 Risk Assessment and Program Review
8.4.2.1 An annual risk assessment shall be performed to determine if additional departments and/or areas have become responsible for opening or maintaining covered accounts. Each department must determine the following:
- Types of covered accounts offered and maintained
- Existing account opening processes
- Methods for accessing existing accounts
- Previous instances where identity theft has occurred
8.4.2.2 The program administrator shall complete an annual program and review any incidents of identity theft occurring since last review, changes in methods of identity theft and to the methods of identifying and preventing identity theft.
8.4.3 Reporting
8.4.3.1 The VPBA shall submit an annual report to the President illustrating the program's effectiveness, any third party service provider agreements, significant incidents of identity theft, management's response, and any recommended changes to the Program.