Identity Theft Prevention Program
University Policy Number 1125
Categorized: General Policies
Related Law & Policy:
This policy applies to all George Mason University employees and service providers at all locations.
II. POLICY STATEMENT
This policy implements an Identity Theft Prevention Program (the “Program”) at George Mason University, pursuant to the Federal Trade Commission’s Red Flags Rule under section 114 and 315 of the Fair and Accurate Credit Transactions Act, which amended the Fair Credit Reporting Act. This policy and its related procedures are determined to be appropriate to the size and complexity of the university’s operations and the nature and scope of its activities.
The purpose of the Program is to detect identity theft attempts and stop identity thieves from using someone else’s identifying information at the university to commit fraud. This policy and related procedures are designed to identify relevant red flags and incorporate them into the Program; detect red flags that are part of the Program; respond appropriately to any red flags that are detected; and ensure the Program is updated periodically to address changing risks.
Covered Account. The law defines this as a consumer account designed to permit multiple payments or transactions, and any other account for which there is a reasonably foreseeable risk of identity theft. This includes all student accounts for payment of tuition and fees, all employee accounts for receipt of wages and reimbursed expenses, and Mason Money accounts.
Identity Theft. Identity theft is a fraud committed or attempted using the identifying information of another person without authority.
Identity Theft Committee (“Committee”). The Committee will be chaired by the University Controller, who will serve as the Program Administrator. Members of the committee may include representatives from Auxiliary Enterprises, Human Resources and Payroll, Information Technology Services Security, Office of Admissions, Office of Financial Aid, Office of the Registrar, and Office of Student Accounts. Other members may be appointed by the Program Administrator.
Program Administrator. The Program Administrator is the individual designated with primary responsibility for oversight of the program.
Red Flag. A red flag is a pattern, practice, or specific activity that could indicate identity theft.
Service Provider. A Service Provider is a third party who performs an activity in connection with one or more covered accounts.
Committee. The Committee is responsible for ensuring appropriate training of university staff on the program, reviewing any staff reports regarding the detection of Red Flags and the steps for preventing and mitigating identity theft, determining which steps of prevention and mitigation should be taken in particular circumstances, and considering periodic changes to the Program. The Committee also is responsible for providing an annual report of Program activity to the President, Senior Vice President and Provost.
Employees. Employees are expected to notify a Committee member once they become aware of an incident of identity theft or of the university’s failure to comply with this Program.
Program Administrator. The Program Administrator is responsible for developing, implementing and updating the Program through his/her chairmanship of the Committee.
Purchasing. Purchasing is responsible for ensuring that contracts with service providers who perform an activity in connection with one or more covered accounts require that the service provider has policies and procedures in place to detect, prevent and mitigate the risk of identity theft.
In order to identify relevant red flags, the university considers the types of covered accounts it offers or maintains, methods it provides to open or access its accounts, and its previous experiences with identity theft.
Categories of red flags defined under FTC guidelines are:
A. Alerts, notifications, or other warnings received from consumer reporting agencies or service providers;
B. presentation of suspicious documents;
C. presentation of suspicious personal identifying information;
D. unusual use of, or other suspicious activity related to, a covered account; and
E. notice from customers, victims of identity theft, or law enforcement authorities.
Red Flags detection will involve procedures to verify identity and monitor transactions associated with enrollment, existing accounts, and consumer (credit) report requests. Responses to prevent and mitigate identity theft may include: continue to monitor the account; contact the student or employee; change passwords; close and reopen account; refuse to open a new covered account; notify law enforcement or Internal Audit, or determine that no response is warranted under the particular circumstances.
VI. EFFECTIVE DATE AND APPROVAL
The initial program was approved by the Board of Visitors and is effective May 1, 2009. The Board of Visitors hereby delegates to the Program Administrator the responsibility to oversee development, implementation, and administration of the Program; training of appropriate staff; and service provider arrangements. This policy shall be reviewed and revised, if necessary, annually by the Committee to become effective at the beginning of the university’s fiscal year, unless otherwise noted.
Maurice W. Scherrens
Senior Vice President
Peter N. Stearns