• Home
  • Identity Theft Prevention Program

Identity Theft Prevention Program

Policy
Purpose: 

Pursuant to the regulations implementing the federal Fair and Accurate Credit Transactions Act of 2003 (FACTA), the University is required to establish an “Identity Theft Prevention Program” with reasonable policies and procedures to detect, identify, and mitigate identity theft in its Covered Accounts.

Applies to: 

Lawrence-campus University employees (faculty, staff, and student employees), contractors, consultants, and temporary workers in their handling of University Covered Accounts.

Campus: 
Lawrence
Policy Statement: 
  1. Program Adoption

    The University of Kansas has adopted an Identity Theft Prevention Program ("Program") in compliance with the “Red Flags” rules issued by the Federal Trade Commission pursuant to the Fair and Accurate Credit Transactions Act (“FACTA”). The University engages in some activities that are covered by the FACTA Red Flag rules; therefore, offices or units subject to the provisions of the rules are required to develop and implement procedures in compliance with this policy. For purposes of this policy, “Red Flag” means a pattern, practice, or specific activity that indicates the possible existence of Identity Theft.

  2. Responsible University Official

    The Chancellor designates the Vice Provost for Finance to serve as the Program Administrator. The Vice Provost for Finance shall exercise appropriate and effective oversight over the Program. The Vice Provost for Finance may delegate day-to-day responsibility for aspects of the program to the KU Privacy Office and others as appropriate.

  3. Program Administration and Maintenance
    1. The Vice Provost for Finance is responsible for developing, implementing and on a periodic basis updating the Program throughout the University. The KU Privacy Office will provide staff support, including the following:
        • development of training materials for University staff (in collaboration with other units as appropriate),
        • periodic identification of Covered Accounts,
        • review of public reports regarding the detection of Red Flags,
        • establishment of processes for identifying, preventing and mitigating identity theft,
        • determination of prevention and mitigation steps, and
        • periodic review of the overall Program.
    2. The Program will be periodically reviewed and updated to reflect changes in identity theft risks and technological changes, and in consideration of the University’s experiences with identity theft, changes in identity theft methods, changes in identity theft detection, mitigation and prevention methods, changes in types of accounts the University maintains, changes in the University’s business arrangements with other entities, and any changes in legal requirements in the area of identity theft. After considering these factors, the Vice Provost for Finance, in consultation with others, will determine whether changes to the Program, including the listing of Red Flags, are warranted.
    3. Consistent with the Program requirements set forth in sections IV through VI below, all units of the University with Covered Accounts are required to:
      1. Identify relevant Red Flags, as described further below, for Covered Accounts it offers or maintains and incorporate those Red Flags into its unit-level policies and procedures;
      2. Detect Red Flags that have been incorporated into the unit-level policies and procedures, as described further below;
      3. Respond appropriately to any Red Flags that are detected to prevent and mitigate Identity Theft, as described further below;
      4. Update periodically unit-level policies and procedures to reflect changes in risks to students, staff, faculty, the University and others from Identity Theft;
      5. Train unit staff appropriately to effectively implement the program; and
      6. Review and exercise appropriate and effective oversight of Service Provider arrangements. Such oversight shall include steps to ensure that the activity of the Service Provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of Identity Theft.
    4. Affected units should designate an appropriate Identity Theft and or Privacy Liaison for coordination of activities under this Program. Units may incorporate, as appropriate, existing policies, procedures and other arrangements that control reasonably foreseeable risks from Identity Theft. Units shall report to the Vice Provost for Finance at least annually on compliance with the Program, including the effectiveness of unit policies and procedures in addressing the risk of Identity Theft, Service Provider Arrangements, management response to significant incidents involving Identity Theft and recommendations for material changes to the Program.
    5. Any unit or department that requires access to a Consumer Report must obtain prior approval from the Office of the Vice Provost for Finance.
  4. Identification of Relevant Red Flags
    1. The Program shall include relevant Red Flags from the following categories, as appropriate:
      1. Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services.
      2. The presentation of suspicious documents.
      3. The presentation of suspicious personal Identifying Information, such as a suspicious address change.
      4. The unusual use of, or other suspicious activity related to, a Covered Account.
      5. Notice from Customers, victims of Identity Theft, law enforcement authorities, or other persons regarding possible Identity Theft in connection with Covered Accounts.
    2. The Program shall include the consideration of the following risk factors in identifying relevant Red Flags for Covered Accounts, as appropriate:
      1. The types of Covered Accounts offered or maintained;
      2. The methods provided to open Covered Accounts;
      3. The methods provided to access Covered Accounts; and
      4. Its previous experience with Identity Theft.
    3. The Program shall incorporate relevant Red Flags from sources such as:
      1. Incidents of Identity Theft previously experienced;
      2. Methods of Identity Theft that reflect changes in risk; and
      3. Applicable supervisory guidance.
  5. Detection of Red Flags

    The Program shall address the detection of Red Flags in connection with the opening of Covered Accounts and existing Covered Accounts. At minimum, the Program Administrator and each campus department/unit administering Covered Accounts will develop and implement procedures appropriate to meet the requirements of this Program.

    1. New Covered Accounts

      In order to detect any of the Red Flags associated with the opening of a new Covered Account, University personnel will take steps to obtain and verify the identity of the person opening the Covered Account.

    2. Existing Covered Accounts

      In order to detect any of the Red Flags identified for an existing Covered Account, University personnel will take steps to authenticate customers, such as by verifying identity, and to monitor transactions with a Covered Account.

  6. Response

    The Program shall provide for appropriate responses to detected Red Flags that are commensurate with the degree of risk posed.

    1. Appropriate responses may include, but are not limited to, the following:
      1. Monitoring a Covered Account for evidence of Identity Theft;
      2. Contacting the Customer, student or applicant (for or about which a consumer report was run);
      3. Changing any passwords, security codes or other security devices that permit access to a Covered Account;
      4. Reopening a Covered Account with a new account number;
      5. Not opening a new Covered Account;
      6. Closing an existing Covered Account;
      7. Not attempting to collect on a Covered Account.
      8. Notifying law enforcement; or
      9. Determining no response is warranted under the particular circumstances.
  7. Duties of card issuers regarding changes of address
    1. The Red Flag rules issued by the Federal Trade Commission provide, in part, that a debit or credit card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer’s debit or credit card account and, within a short period of time afterwards, the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional replacement card, until, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer notifies the cardholder of the request.
    2. The University Card Center operates the University’s Beak ‘Em Bucks program. In order to be issued a card, the students, faculty, and staff must physically go to the Card Center Office with a valid driver’s license, state issued photo identification card, military identification card, green card or passport. Individuals are required to show their identification to the office staff to verify their identity. No cards are issued through the mail. Students wishing to change their address in University records must do so through the University’s Registrar’s Office or through Enroll & Pay; faculty and staff must do so through their department personnel-related staff or through the central Payroll Office.
    3. Issuance of credit or debit cards by a University unit other than the University Card Center is prohibited.
  8. Non-disclosure of Specific Practices

    To ensure the effectiveness of this Identity Theft Prevention Program, it may be necessary to limit knowledge about specific Red Flag identification, detection, mitigation and prevention practices to the Program Administrator who developed this Program and to those employees with a need to know them. Any documents that may have been produced or are produced in order to develop or implement this program that list or describe such specific practices and the information those documents contain are considered “confidential” and should not be shared with other University employees or the public.

  9. Security Procedures

    Departments/units with Covered Accounts must ensure they have sufficient physical, technical and administrative safeguards to protect the information in accordance with applicable University policies and procedures.

  10. Service Provider Arrangements

    In the event a University unit engages a Service Provider to perform an activity in connection with one or more Covered Account(s), the University unit should take steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. These steps should include a requirement in the contract that the Service Provider have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider’s activities, and that the Service Provider either report the Red Flags to the unit or take appropriate steps to prevent or mitigate identity theft.

Exclusions or Special Circumstances: 

Any questions regarding interpretations and applicability of the Identity Theft Red Flag requirements and implementing the federal regulations will be coordinated with the Office of the Vice Provost for Finance, the Office of the General Counsel, the Privacy Office and the IT Security Office.

Consequences: 

Faculty, staff and student employees who violate this University policy may be subject to disciplinary action for misconduct and/or performance based on the administrative process appropriate to their employment.

Contact: 

Office of the Vice Provost for Finance
250 Strong Hall
785-864-4904
provost@ku.edu

KU Privacy Office
Office of the Provost
250 Strong Hall
785-864-9528
privacy@ku.edu

KU IT Security Office
Computer Center
785-864-8080
itsec@ku.edu

Approved by: 
Chancellor
Approved on: 
Wednesday, October 21, 2009
Effective on: 
Sunday, November 1, 2009
Review Cycle: 
Annual (As Needed)
Definitions: 

The following definitions are adapted from the definitions contained in the Red Flag regulations, found at 16 C.F.R. Part 681, and shall apply to this Program:

Covered Account: a consumer account designed to permit multiple payments or transactions. These are accounts where payments are deferred and made periodically over time such as tuition or fee installment payment plan. It also includes any other account the University offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the University from Identity Theft.

Customer: any person with a Covered Account with the University.

Identifying Information: any name or number that may be used alone or in conjunction with any other information, to identify a specific person, including:

  • name
  • address
  • telephone number
  • social security number
  • date of birth
  • government issued driver’s license or identification number
  • alien registration number
  • government passport number
  • employer or taxpayer identification number
  • unique electronic identification number
  • computer’s Internet Protocol address or routing code

Identity Theft: a fraud committed using the identifying information of another person.

Red Flag: a pattern, practice or specific activity that indicates the possible existence of identity theft.

Service Provider: a person that provides a service directly to the University.

Keywords: 
Red Flag, Identity Theft, Address Change, Detect, FACTA, Accounts
Review, Approval & Change History: 

12/10/2014: Policy formatting cleanup (e.g., bolding, spacing).

10/30/2014: Updated to fix broken link in Related Policies.

06/08/2010: Updated.

10/21/2009: Approved.

Information Access & Technology Categories: 
Privacy & Security

Can't Find What You're Looking For?
Policy Library Search
KU Today
One of 34 U.S. public institutions in the prestigious Association of American Universities
44 nationally ranked graduate programs.
—U.S. News & World Report
Top 50 nationwide for size of library collection.
—ALA
23rd nationwide for service to veterans —"Best for Vets," Military Times