1

How To Protect Student How To Protect Student Against Identity Theft & New Against Identity Theft & New

“Red Flag” Regulations “Red Flag” Regulations

FALL KASRO Louisville, Kentucky

2008

BY: KAREN REDDICKNATIONAL CREDIT MANAGEMENT

Since 19602

SANDBOX RULESSANDBOX RULES

This session is open forum

Audience participation is encouraged

Questions and comments as we move through the presentation are welcome

Since 19603

IDENTITY THEFTIDENTITY THEFT

The fastest growing crime in America

Nearly 10 million people are victims of identify theft per year(4.5% of the Adult Population)

Takes over 600 hours of personal time and $1400 to clear their names

The FTC estimates it takes victims 14-16 months to clear their names

Victims face higher interest rates, insurance rates, rejected loans, and/or unjust accusations of criminal conduct which require costly legal assistance to rectify

$5,686 Per Incident

88% Non-Tech Related

Since 19604

Interesting StatsInteresting Stats

Education is most likely to be hacked This year alone over 50 colleges

and universities have had some sort of security breaches

Main Source off Education Breaches– 50% from lost/stolen PCs, laptops and

media

Since 19605

Interesting StatsInteresting Stats

Another Main Source of Identity Theft is among the student population

The highest rates of identity theft are in the 18-29 age group– Need to education students on how they

handle their personal information Bills laying around in dorms Carrying their social security cards in their

wallets, etc….

Since 19606

What To ProtectWhat To ProtectNameSocial Security #Date of BirthAddressCredit Card#Bank Account #PIN’s or Passwords

Since 19607

How To Protect IdentityHow To Protect Identity Opt out 1-888-5optout or 1-888-567-8688

Remove your name from Credit Bureau ListsGood for 5 years

Monitor Your Credit Report and Your Children’s (Under 18) (www.annualcreditreport.com)

Make copies of your credit cards and contents of wallet

Subscribe to AG No Call List

Guard Your Social Security Number ZealouslyDo not carry social security numberWhen someone asked for it:

• Why do you need?• How do you protect it?• How will it be used?• What happens if I don’t give it you?

Since 19608

ResourcesResourcesCredit Freeze

In some states you can put a freeze on your credit file. So no

one will have access to your information without your

authorizationhttp://fightidentitytheft.com/

security_freeze

Since 19609

Credit FreezeCredit Freeze

Since 196010

What To Do If Someone Is A What To Do If Someone Is A VictimVictim

1. Place a fraud alter on your credit reports and review your reports

2. Close the accounts that you know, or believe, have been tampered with or opened fraudulently

3. File a report with your local police or the police in the community where the identity theft took place

4. File a complaint with the Federal Trade Commission

Since 196011

Tips to rememberTips to remember Look at your physical environment

– Messy vs. clean desk– Reports and files stored out of site– Locking file cabinets and offices– Passwords on post-it notes?– USB drives easily available– Flash Cards, CDs, and disk lying around in plan site– Monitor location/desk direction– Are visitors identified, challenged?– Public access to business areas? Public Fax?– Use Cross Cut Shredders

Since 196012

Tips to rememberTips to remember Information Security Policy

– Do not store sensitive information on workstation or mobile device

– Written justification and approval for sensitive data storage

– Purge sensitive information as soon as its business need no longer exists

Purge Data – Record retention schedules give useful life of each

type of information– Purge info-Wipe, not delete

Security File Deletion Utilities

– Cross cut shred, not store

Since 196013

Tips to rememberTips to rememberIf your office uses cubicles

– Play background music (white noise)– Use fabric sound absorbing covers

Since 196014

EXISTING LAWS THAT EXISTING LAWS THAT REGULATE STUDENT REGULATE STUDENT

PRIVACYPRIVACYFERPA: Family Educational Rights

and Privacy Act

GLBA: Gramm-Leach-Bliley Privacy Act

State SSN Privacy Laws

Since 196015

FERPAFERPA FERPA: Family Educational Rights and

Privacy ActStatue: 20 U.S.C. 1232(g)Regulations: 34CFR Part 99

The intent of the Act is to protect the rights of students and to insure the privacy and accuracy of education records.

Those protected by FERPA are students and former students who have been in attendance at the institution.

Rights belong to the student

Since 196016

SolutionSolution

Have all students sign a release of information form and identify which parties are privy to their information

Since 196017

GLBAGLBA GLBA: Gramm-Leach Bliley Act signed into

law November 1999.– Regulation: Privacy regulations issued by

federal agencies. Compliance required as of 7/1/01

– FTC PART 314-Standards for Safeguarding Customer Information (Effective 5/23/-03)

– Scope: Regulates the sharing of: “Nonpublic personal information” about individuals

who obtain “financial products or services” From “financial institutions” primarily for personal,

family or household purposes.

Since 196018

GLBA-Implementing GLBA-Implementing the Safeguards Rulethe Safeguards Rule

The Gramm Leach Bliley Act requires financial institutions to ensure the security and confidentiality of customer personal information.

The Federal Trade Commission (FTC) implemented GLBA by issuing the Privacy Rule and the Safeguards Rule.

Colleges and universities are considered “financial institutions” primarily due to student loan making activities.

Since 196019

SolutionsSolutions Design and implement a written security plan

– Select a group or committee to implement program– Identify all foreseeable risks

Training/Human Resources/Management Information Systems System Failures/Intrusions-Disaster Plans

– Put together a written program to control these risks– Oversee service providers to make sure they are

capable of maintaining appropriate safeguards and require by contract to implement and maintain such safeguards

– Evaluate program each year as environment changes

Since 196020

SSN STATE PRIVACY LAWSSSN STATE PRIVACY LAWS– May not print SSN on any card required to

access products or services– May not require transmission of SSN over an un-

secure Internet Connection– May not require the SSN to access an Internet

web site unless other unique identification or authentication is used

– May not print SSN on any material mailed to the individual unless state or federal law requires the SSN to be on the document, applications and forms excluded

Since 196021

SolutionsSolutions

Create environment that will accommodate all State/Federal Laws– Use student ID Numbers verses

social security numbers

Since 196022

NEW RED FLAG RULESNEW RED FLAG RULES New Red Flag Requirements For Financial Institutions

– Require financial institutions to develop and implement written identity theft prevention programs as part of the Fair and Accurate Credit Transactions Act of 2003

Under the Rule, each institution must develop and implement a written Identity Theft Prevention Program designed to detect, prevent, and mitigate identity theft in connection with new or existing accounts

Effective date is January 1, 2008 Mandatory compliance date is November 2, 2008

Since 196023

Identity Theft Red Identity Theft Red Flags RegulationsFlags RegulationsDoes Higher Education have to comply?

– Yes, the FTC has confirmed that “Higher Educational Institutions do have to comply due to student loans, defer payment plans, or multiple payments on tuition accounts (extension of credit)”

– As stated in the GLBA-The rule under this law considers Higher Education Institutions financial institutions due to their “loan making activities”.

– The only way schools would not have to comply if these federal agencies would make an exception

DON’T HOLD YOUR BREATH!!!!!!

Since 196024

NEW RED FLAG RULESNEW RED FLAG RULES The program must provide for the identification, detection,

and response to patterns, practices, or specific activities-known as “red flags”-that could indicate identity theft

Under these new rules, institutions must develop a written program that identifies and detects the relevant warning signs (red flags) or identity theft.

– Examples of these Warning Signs: Unusual account activity Fraud Alerts Attempted use of suspicious account application documents

It must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program.

Program must be managed by senior employees, include appropriate staff training, and provide for oversight of any service providers

Since 1960

Elements on How to Elements on How to Comply W/Red Flag Comply W/Red Flag

RequirementsRequirements4 Elements:1. Identity patterns, practices or activities that indicate

the possible existence of identity theft (red flags)2. Detect Red Flags3. Respond to detected Red Flags to prevent and

mitigate identity theft4. Update the Program periodically to reflect changes in

risks to customers and the institution.

This initial plan needs to be approved by the institutionsBoard of Directors or “Committee”.

25

Since 196026

HOW TO IDENTIFY HOW TO IDENTIFY THESE RED FLAGSTHESE RED FLAGS

The FTC has identified 26 possible red flags– 5 Categories

Alerts, notifications, or warnings from a consumer reporting agency

Suspicious documents Suspicious personally identifying information,

such as suspicious address Unusual use of or suspicious activity relating to a

covered account Notices from customers, victims of identity theft,

law enforcement authorities, or other businesses about identity theft in connection with covered accounts

Since 196027

So Now What?So Now What? Don’t panic! Don’t recreate the wheel Evaluate your existing security plans (GLBA) Incorporate these new rules into your existing security

plan Have your service providers incorporate these new

rules into your contracts and their existing plans Whether this law is relevant to Higher Education or not

it is imperative to know how to prevent or mitigate identity theft

Human Resources-Training is essential in any successful program

Be proactive and have a plan to prevent future liability

Since 196028

CONTACT INFORMATIONCONTACT INFORMATIONRed Flag Regulations

www.ftc.gov/opa/2007/10/redflag.shtmRed Flag Questions/Comments

Email:RedFlags@ftc.gov

GLBAwww.ftc.gov/privacy/privacyinitiatives/glbact.html

Laura D. Berger, Attorney Division of Financial Practices FTC (202) 326-3224

NACUBO http://www.nacubo.org/x2152.xml

FERPAFamily Policy Compliance Office

LeRoy Rooker, Director of Family Policy(202) 260-3887

www.ed.gov/policy/gen/guid/fpco/ferpa

Since 196029

CONTACT INFORMATIONCONTACT INFORMATIONCREDIT BUREAUS

Equifax1-800-525-6285

www.equifax.com

Experian1-888-397-3742

www.experian.com

TransUnion1-800-680-7289

www.transunion.com