To develop and identify campus identity theft prevention programs.
Account: A relationship established with an institution by a student, employee, or other person to obtain educational, medical, or financial services. Covered Account: An account that permits multiple transactions or poses a reasonably foreseeable risk of being used to promote an identity theft. Responsible Staff: Personnel, based on title, who regularly work with Covered Accounts and are responsible for performing the day-to-day application of the Program to a specific Covered Account by detecting and responding to Red Flags.Red Flag: A pattern, practice, or specific activity that indicates the possible existence of identity theft.Response: Action taken by Responsible Staff member(s) upon the detection of any Red Flag to prevent and mitigate identity theft.Service Provider: A contractor to the College engaged to perform an activity in connection with a Covered Account.Identity Theft: A fraud committed or attempted using the identifying information of another person without authority.
The Federal Trade Commission (FTC), under the authority granted by the Fair and Accurate Credit Transaction Act of 2003 (FACTA), has issued a Red Flags Rule (16 CFR 681.2) requiring that financial institutions and creditors develop Identity Theft Prevention Programs aimed at recognizing and preventing activity related to identity theft. SUNY campuses and health care facilities come within the definition of creditors and, therefore, must develop Identity Theft Prevention Programs as necessary.
Each Identity Theft Prevention Program must include written policies and procedures for: (1) identifying "covered accounts"; (2) identifying relevant patterns, practices, and forms of activity within those accounts that are “red flags” signaling possible identity theft; (3) detecting red flags; (4) responding appropriately to any red flags that are detected in order to prevent and mitigate identity theft; and, (5) administering the program in a manner that ensures proper staff training, implementation, oversight, and updating.
Under FACTA, the FTC may impose civil penalties on institutions that fail to comply with the Red Flags Rule.
This Identity Theft Prevention Program ("Program") was developed pursuant to a SUNY policy adopted by the Board of Trustees on May 12, 2009 in order to comply with the Federal Trade Commission's Red Flags Rule (16 CFR 681.2). The purpose of this Program is to prevent frauds committed by the misuse of identifying information (i.e. identity theft). The Program aims to accomplish this goal by identifying accounts maintained by the College which may be susceptible to fraud (hereinafter "Covered Accounts"), identifying possible indications of identity theft activity associated with those accounts (hereinafter "Red Flags"), devising methods to detect such activity, and responding appropriately when such activity is detected.
The President has designated the Vice President for Administration as Program Administrator to oversee administration of this Program. The Program Administrator may designate additional staff of the College to undertake responsibility for training personnel, monitoring service providers, and updating the Program, all under the supervision of the Program Administrator.
The Program Administrator or designees shall identify and train responsible staff, as necessary, to effectively implement and apply the Program. All College personnel are expected to assist the Program Administrator in implementing and maintaining the Program.
The Program Administrator or designees shall review service provider agreements and monitor service providers, where applicable, to ensure that such providers have adequate identity theft prevention programs in place. When the Program Administrator determines that a service provider is not adequately guarding against threats of identity theft, he/she shall have the authority to take necessary corrective action, including termination of the service provider's relationship with the College.
Prior to the beginning of each academic year, the Program Administrator shall evaluate the Program to determine whether it is functioning adequately. This evaluation shall include: a case-by-case assessment of incidents of identity theft or attempted identity theft that occurred during the previous academic year; interviews with Responsible Staff; and a survey of all accounts maintained by the College to identify any additional Covered Accounts. In response to this annual evaluation, the Program Administrator shall recommend amendments to this Program for approval by the President.
The Program Administrator shall maintain records relevant to the Program, including: the Written Program; documentation on training; documentation on instances of identity theft and attempted identity theft; contracts with service providers that perform activities related to Covered Accounts; and updates to the Written Program. From time to time, the College Vice President for Administration, or other designated internal control officer, may perform audits to determine if various segments of the College are in compliance with the Program.