Trinity Red Flag Identity Theft Prevention Policy
The Federal Trade Commission (FTC) issued a regulation known as the Red Flag Rule (Sections 114 and 315 of the Fair and Accurate Credit Transactions Act), that is intended to reduce the risk of identity theft. Accordingly, This policy is intended to detect, prevent, and mitigate opportunities for identity theft at Trinity Washington University.
Existing Policies and Procedures
Trinity maintains information in both electronic and paper files, which may contain biographical, academic, health, and/or financial records. These records may also include student billing information including Federal Perkins Loan records. Trinity already has in place policies to insure compliance with Gramm-Leach-Bliley Act (GLB), Family Educational Rights and Privacy Act (FERPA), and Payment Card Industry security standards (PCI), system and application security, and internal control procedures provide an environment where identity theft opportunities are mitigated. Records are safeguarded to ensure the privacy and confidentially of student, parents, alumni and employees. Trinity also has a written policy on protecting the privacy of student information, materials and records in general.
Students are required to give written authorization to the Office of Enrollment Services if their information is permitted to be shared with another party. A FERPA disclosure statement is available to students on Trinity’s website informing them of their rights under FERPA. The student is given the opportunity to provide billing addresses for third party billing (parents, companies, scholarship foundations, etc).
Occasionally, Trinity will extend short term credit to a student for payment of their tuition bill which thus creates a covered account. The student signs a short term promissory note, which is stored in a secured area in the Business Office. If Trinity receives information of an address change (which is a red flag), Trinity staff verify the change by contacting the student before making the change in the administrative database system. Address changes are required to be submitted in writing to the Office of Enrollment Services prior to changes being made in the administrative database system.
Access to student data in Trinity’s computer systems is restricted to those employees of the University with a need to know the information in order to perform their duties.
Social Security numbers are not used as identification numbers.
All paper files are required to be maintained in locked filing cabinets or offices when not in use.
Student disbursement checks can only be obtained in person with picture identification, and disbursements obtained by mail can only be mailed to an address on file within Powercampus.
Identifying Red Flag Activity
Following are activities that raise a red flag about potential identity theft:
- Documents provided for identification appear to have been altered or forged;
- The photograph or physical description on the identification is not consistent with the appearance of the student presenting the identification;
- A request is made from a non-College issued E-mail account;
- A request to mail something to an address not listed on file;
- Unusual or suspicious activity related to covered accounts;
- address discrepancies;
- Notice from customers, victims, of identify theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts.
Responding to Red Flags
An employee who identifies a “red flag” (patterns, practices and specific activities that signal possible identify theft) must bring it to the attention of the Vice President of Enrollment Services or the Vice President of Financial Affairs immediately. The administrator will investigate the threat of identity theft to determine if there has been a breach and will respond appropriately to prevent future identity theft breaches. Additional actions may include the following:
- Deny access to the covered account until other information is available to eliminate the red flag;
- Change any passwords, security codes, or other security devices that permit access to a covered account;
- Notify and cooperate with law enforcement officials;
- Notify the student of the attempted fraud.
The responding administrator should send a report on the case to the President as soon as possible and provide ongoing information to the President about the implications and resolution of the case.
Protecting Student Identifying Information
To prevent the likelihood of identify theft occurring with respect to covered accounts described above, the Trinity will take the following additional steps with respect to its internal operating procedures to protect student identifying information:
- Ensure that its Web site is secure or provide clear notice that the website is not secure.
- Ensure complete and secure storage and/or destruction of paper documents and computer files containing student account information.
- Ensure that office computers with access to covered account information are password protected.
Oversight of Service Providers
Trinity employs Campus Partners, a Federal Perkins Loan servicer for the purpose of billing and collection of Federal Perkins Loan payments. The only information that is shared with Campus Partners is information required to properly bill and collect loan payment as established by the Department of Education. This includes student name, address, telephone number, social security number, and date of birth. Trinity will collect and maintain on file documents from Campus Partners confirming their compliance with “Red Flag Rules”.
Trinity also employs Tuitionpay, a tuition billing service, for monthly tuition payment plans. Students contract with Tuitionpay directly, and the only data shared with Tuitionpay from Trinity is information relating to the tuition payment plan established by the student or parent. This includes the following:
- Student ID
- Full name
- Address
- Email Address
Trinity will collect and maintain on file documents from Tuitionpay confirming their compliance with “Red Flag Rules”.
Periodic Update of Plan
This policy will be re-evaluated annually to determine whether all aspects of the program are up to date and applicable in the current business environments, and revised as necessary.
Operational responsibility of the program is delegated to the Vice President, Enrollment Services, and the Vice President, Financial Affairs.
Staff Training
Trinity staff responsible for implementing the Program shall receive training in the detection of Red Flags, and the responsive steps to be taken when a Red Flag is detected.