|Document Title||Identity Theft Prevention Program|
|Office/Unit||Vice President for Administration|
May 11, 2011
|Approved by||President's Cabinet (Policy Number 019)|
May 11, 2011
REASON FOR POLICY
The Federal Trade Commission (FTC), under the authority granted by the Fair and Accurate Credit Transaction Act (FACTA), has issued a Red Flags Rule (16 CFR 681.2) requiring that any financial institution and creditor develop an Identity Theft Prevention Program ("Program") focused on recognizing and preventing activity related to identity theft. All SUNY campuses, including SUNY Fredonia, fall within the definition of a creditor and, therefore, must develop an Identity Theft Prevention Program. Each Program must include written policies and procedures for: (1) identifying "covered accounts"; (2) identifying relevant patterns, practices, and types of activity within those accounts that are “red flags” indicating possible identity theft; (3) detecting red flags; (4) responding appropriately to any red flags that are detected in order to prevent and mitigate identity theft; and, (5) administering the program in a manner that ensures proper staff training, implementation, oversight, and updating.
This Policy was developed in order to comply with the Federal Trade Commission's Red Flags Rule (16 CFR 681.2). The purpose of this Policy is to prevent frauds committed by the misuse of identifying information (i.e. identity theft). The Policy intends to accomplish such by identifying accounts maintained by the University which may be susceptible to fraud (hereinafter "Covered Accounts"), identifying possible indications of identity theft activity associated with those accounts (hereinafter "Red Flags"), developing methods to detect such activity, and responding suitably when such activity has occurred.
B. Program Administration and Oversight
The President has designated the Vice President for Administration as Program Administrator to oversee administration of this Policy and Program. The Program Administrator may designate additional staff of the University to undertake responsibility for training personnel, monitoring service providers, and updating the Program, all under the supervision of the Program Administrator.
The Program Administrator or designees shall identify and train responsible staff, as necessary, to effectively implement and apply the Program. All University personnel are expected to assist the Program Administrator in implementing and maintaining the Program.
The Program Administrator or designees shall review service provider agreements and monitor service providers, where applicable, to ensure that such providers have adequate identity theft prevention programs in place. When the Program Administrator determines that a service provider is not adequately guarding against threats of identity theft, he/she shall have the authority to take necessary corrective action, including termination of the service provider's relationship with the University.
On an annual basis, the Program Administrator shall evaluate the Program to determine whether it is functioning adequately. This evaluation shall include: a case-by-case assessment of incidents of identity theft or attempted identity theft that occurred during the previous year; interviews with Responsible Staff; and a survey of all accounts maintained by the University to identify any additional Covered Accounts. In response to this annual evaluation, the Program Administrator shall recommend amendments to this Program for approval by the President.
The Program Administrator shall maintain records relevant to the Program, including: the Written Policy; documentation on training; documentation on instances of identity theft and attempted identity theft; contracts with service providers that perform activities related to Covered Accounts; and updates to the Written Program. Occasionally, the Vice President for Administration, or other designated internal control officer, may perform audits to determine if various segments of the University are in compliance with the Policy and Program.
C. Process: Covered Accounts; Responsible Staff; Red Flags; Responses: