Identity Theft Prevention Program
Illinois College of Optometry
Illinois Eye Institute
Effective Date: May 2009 Revised:
IDENTITY THEFT PREVENTION POLICY STATEMENT
The Illinois College of Optometry (ICO) and Illinois Eye Institute (IEI) have an obligation to comply with the Fair Credit Reporting Act, as amended by the Fair and Accurate Credit Transactions Report Act, which includes the requirements set forth by the Interagency Final Rules and Guidelines implementing Sections 114 and 315 of the Act and is governed by the Federal Trade Commission. It is the responsibility of ICO not only to comply with the requirements of the law, but also to be proactive in the prevention of identity theft at ICO/IEI, and to be vigilant in the performance of ICO/IEI's identity theft prevention program.
In response to the requirements of this legislation, ICO/IEI has outlined the procedures that will be followed. In order to adequately address this legislation, and due to the different types of transactions performed by ICO and IEI, this policy and procedure statement will provide guidelines as to how ICO/IEI will address the requirements. This Policy supplements and applies in conjunction with ICO/IEI's related policies and programs pertaining to security, student identification, privacy, patient privacy (HIPAA), Information Security, Financial Aid and Business Office or any other relevant policies.
KEY COMPONENTS OF THE IDENTITY THEFT PREVENTION PROGRAM
Governance Oversight
The Board of Trustees Audit Committee or a designated committee of the Board is responsible for reviewing and approving the Identity Theft Prevention ("ITP") Program initially and when the policy is significantly revised.
Program Administration
The Compliance Office shall be responsible for overseeing the implementation of ICO/IEI's compliance with the requirements.
As appropriate, the Compliance Office will provide reports addressing significant regulatory trends, compliance initiatives, and emerging risks to bodies such as the Board of Trustees or Audit Committee and to college/IEI departments. Department supervisors are responsible for day-to-day operational implementation of the Identity Theft program.
Department supervisors and/or their designees are accountable for the following responsibilities:
• Establishing and assessing departmental efforts for compliance with the Identity Theft program, detecting and preventing Identity Theft, and reporting of suspicious activity.
• Conducting testing for compliance with the Identity Theft laws and program and ICO/IEI's internal policies and procedures regarding Identity Theft prevention compliance.
• Training personnel regarding Identity Theft laws and internal Identity Theft program and procedures.
• Enforcing Identity Theft prevention requirements when deviations from program or procedure are found.
Written Identity Theft Prevention Program
ICO/IEI will maintain a written Identity Theft Prevention Program (“ITP”) that is designed to detect, prevent and mitigate identity theft in connection with the opening of a Covered Account or the maintenance of any existing Covered Account. The program will be appropriate based on the size, nature and complexity of ICO/IEI's operations, and shall include reasonable policies and procedures to:
• Identify relevant indicators ("Red Flags") for the Covered Accounts that ICO/IEI offers or maintains, and incorporate those Red Flags into ICO/IEI's ITP Program;
• Detect Red Flags that have been incorporated into ICO/IEI's ITP Program;
• Respond appropriately to any Red Flags that are detected to prevent and mitigate Identity Theft; and
• Ensure the ITP Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to students, patients and employees and to the safety and soundness of ICO/IEI from Identity Theft.
Frequency of Policy/Program Review
This policy and program will be reviewed no less than annually. The Compliance Office is responsible for determining that the Identity Theft Prevention Policy addresses the most current regulatory requirements and is authorized to propose changes to the Policy. The Compliance Office will update the Identity Theft Prevention Program (including the Red Flags determined to be relevant) periodically, to reflect changes in risks to students, patients and employees or to the safety and soundness of ICO/IEI from Identity Theft, based on factors such as:
• ICO/IEI's experiences with Identity Theft;
• Changes in methods of Identity Theft;
• Changes in methods to detect, prevent, and mitigate Identity Theft;
• Changes in the types of accounts ICO/IEI offers or maintains; and
• Changes in the business arrangements of ICO/IEI, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.
TRAINING
The Compliance Office and department managers are responsible for developing and maintaining the content which will be used to train all employees in areas identified as having risk of exposure to Identity Theft and/or those areas responsible for compliance with this Program. Each area shall be responsible for ensuring that its respective employees receive the required training in the manner and time specified by the Compliance Office. Each area shall also be responsible for ensuring new employees receive the required training and for providing any additional training specific to the respective area as needed.
Appropriate training may be conducted via live presentations, Internet training, teleconference, written materials, one on one demonstration or any other reasonable learning vehicle for the material and audience. Records of training must be maintained sufficient to demonstrate the
IDENTITY THEFT PREVENTION PROGRAM ELEMENTS
Definitions
For the purposes of this Program, the following definitions apply:
COVERED ACCOUNT: An account that ICO/IEI offers or maintains primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions such as a student account, institutional loans to students, deferment of tuition payments; patient accounts for health care services and any other account that ICO/IEI offers or maintains for which there is a reasonably foreseeable risk to students or to the safety and soundness of ICO/IEI from identity theft, including financial, operational, compliance, reputation or litigation risks.
CREDITOR: Any organization who defers payment for services rendered, such as an organization that bills at the end of the month for services rendered the previous month.
CLEAR AND CONSPICUOUS: Reasonably understandable and designed to call attention to the nature and significance of the information presented.
IDENTITY THEFT: A fraud committed or attempted using the identifying information of another person without authority.
IDENTIFYING INFORMATION: Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any:
• Name, social security number, date of birth, official State or government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number;
• Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
• Unique electronic identification number, address, or routing code; or
• Telecommunication identifying information or access device.
NOTICE OF ADDRESS DISCREPANCY: A notice sent to a user by a consumer reporting agency pursuant that informs the user of a substantial difference between the address for the student that the user provided to request the consumer report and the address(es) in the agency's file for the student.
RED FLAG: A pattern, practice, or specific activity that indicates the possible existence of identity theft.
SERVICE PROVIDER: A person that provides a service directly to ICO/IEI.
Assessment of Identity Theft Risks
Risk is the potential that events, expected or unanticipated, may have an adverse impact on students, patients and employees. Effective identity theft risk management requires an understanding of existing and potential risks that may arise from ICO/IEI operations.
Identification of Red Flags
ICO/IEI will identify, and periodically assess together with its existing policies, procedures and processes, the Red Flags relevant to its operations, and will document them. As part of this determination, ICO/IEI will incorporate relevant Red Flags from sources such as:
• Incidents of Identity Theft that ICO/IEI has experienced;
• Methods of Identity Theft that ICO/IEI has identified that reflect changes in Identity Theft risks; and
• Applicable supervisory guidance; and
• Relevant resources.
The ITP Program includes, as appropriate, Red Flags from the following categories:
• Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services or credit reporting agencies
1. A fraud alert included with a consumer report such as a credit report.
2. Notice of a credit freeze in response to a request for a credit report.
3. A credit reporting agency providing a notice of address discrepancy.
4. Unusual credit activity, such as an increased number of accounts or inquiries.
• The presentation of suspicious documents
5. Identification appearing altered or forged.
6. Photograph on ID inconsistent with appearance or physical description.
7. Information on ID inconsistent with information provided by person opening account.
8. Information on ID, such as signature, inconsistent with information on file.
9. Application appearing forged or altered or destroyed and reassembled.
• The presentation of suspicious personal identifying information
10. Information on ID not matching any address in the consumer report; Social Security number has not been issued or appears on the Social Security Administration's Death Master File, a file of information associated with Social Security numbers of those who are deceased.
11. Lack of correlation between Social Security number range and date of birth.
12. Personal identifying information associated with an account you know to have fraud activity.
13. Suspicious addresses supplied, such as a mail drop or prison, or phone numbers associated with pagers or answering service.
14. Social Security number provided matching that submitted by another person opening an account or other customers.
15. An address or phone number matching that has been used by a large number of people opening accounts.
17. Personal information inconsistent with information already on file at financial institution or creditor.
18. Person opening account or customer unable to correctly answer challenge questions beyond what information can be found in a wallet or credit report.
• The unusual use of, or other suspicious activity related to an account
19. Shortly after change of address, receiving request for additional users of account.
20. Most of available credit used for cash advances, jewelry or electronics (items that can easily be converted to cash), plus customer fails to make first payment.
21. Drastic change in payment patterns, use of available credit or spending patterns.
22. An account that has been inactive for a lengthy time suddenly exhibiting unusual activity.
23. Mail sent to customer repeatedly returned as undeliverable despite ongoing transactions on active account.
24. Being notified that customer is not receiving paper account statements.
25. Being notified of unauthorized charges or transactions on an account.
• Notice from an account holder, victims of Identity Theft, law enforcement authorities, or other persons regarding possible Identity Theft in connection with an account held by ICO/IEI
26. Being notified that it has opened a fraudulent account for a person engaged in identity theft.
Prevention and Mitigation of Identity Theft
ICO/IEI may maintain many different types of covered accounts in several different departments. These covered accounts include, but are not limited to:
• Student demographic information such as applications, registration, etc.
• Student financial accounts for tuition and fees, room and board, bookstore, etc.
• Perkins Loan accounts
• Student Emergency Loan accounts
• ICO One card accounts
• Health Professions Loan accounts
• Patient demographic and financial accounts
• Health care records
Prevention of identity theft has many mechanisms, some of which include:
• Ensuring websites are secure.
• Complete and secure destruction of paper records
• Password protected computers.
• Avoiding the use of Social Security numbers; using only the last four digits
• Up to date virus protection
• Identification verification
• Obtaining the least information necessary
Detection of Red Flags
ICO/IEI will take appropriate steps to detect Red Flags in connection with the opening of Covered accounts and the maintenance of existing Covered Accounts, such as by:
• Obtaining identifying information about, and verifying the identity of, a person opening a Covered Account; and
• Authenticating identification, monitoring transactions, and verifying the validity of change of address requests, in the case of existing Covered Accounts.
Response to Red Flags:
ICO/IEI will respond appropriately to the Red Flags it has detected commensurate with the degree of risk posed. In determining an appropriate response, management will consider aggravating factors that may heighten the risk of Identity Theft, such as a data security incident that results in unauthorized access to account records held by ICO/IEI or third party, or notice that a student, patient or employee has provided information related to a Covered Account held by ICO/IEI to someone fraudulently claiming to represent ICO/IEI or to a fraudulent website. Appropriate responses may include the following:
• Monitoring a Covered Account for evidence of Identity Theft;
• Contacting the account holder;
• Changing any passwords, security codes, or other security devices that permit access to a Covered Account;
• Reopening a Covered Account with a new account number;
• Not opening a new Covered Account;
• Closing an existing Covered Account;
• Not attempting to collect on a Covered Account or not sending a Covered Account to a debt collector;
• Notifying law enforcement; and/or
• Determining that no response is warranted under the particular circumstances.
Oversight of Service Provider Arrangements