This policy applies to George Mason University students, employees and service providers at all locations.
II. POLICY STATEMENT
George Mason University is committed to protecting the personal information entrusted to it by its students, faculty, staff and others. This policy establishes the University’s Identity Theft Prevention Program (the “Program”) to protect individuals who have certain accounts with the University. The program is designed to detect, prevent and mitigate identity theft in connection with covered accounts in a manner consistent with the Federal Trade Commission’s Red Flags Rule under section 114 and 315 of the Fair and Accurate Credit Transactions Act.
Covered Account. A consumer account designed to permit multiple payments or transactions, and any other account for which there is a reasonably foreseeable risk of identity theft. This includes all student accounts for payment of tuition, fees, room, board and other charges related to University activities, all employee accounts for receipt of wages and reimbursed expenses, and Mason Money accounts.
Designated Units. University departments with identity theft program compliance and reporting responsibility. This includes Auxiliary Enterprises, Human Resources and Payroll, Information Technology Security Office, Office of Admissions, Office of Financial Aid, Office of the Registrar, and Office of Student Accounts. Other units may be designated by the Program Administrator as appropriate. Each Designated Unit must assign a coordinator responsible for Program activities.
Identity Theft. A fraud committed or attempted using the identifying information of another person without authority.
Program Administrator. The individual(s) designated with primary responsibility for oversight of the program.
Red Flag. A pattern, practice, or specific activity that could indicate identity theft.
Service Provider. A third party who performs an activity in connection with one or more covered accounts.
Designated Unit Coordinators. The Designated Unit Coordinators are responsible for ensuring appropriate training of departmental staff on the program, reviewing any staff reports regarding the detection of Red Flags and the steps for preventing and mitigating identity theft, determining which steps of prevention and mitigation should be taken in particular circumstances, and providing input into identity theft activity reporting and periodic changes to the Program policy or procedures.
Employees. Employees are expected to notify their Designated Unit Coordinator if they become aware of an incident of identity theft or of the university’s failure to comply with this Program.
Program Administrator. The Program Administrator is responsible for program development, oversight and monitoring.
Purchasing. Purchasing ensures that relevant contracts with service providers include a data security addendum.
In order to identify relevant red flags, the university considers the types of covered accounts it offers, methods it provides to open, access or maintain its accounts, and its previous experiences with identity theft.
Common red flags include:
- Receipt of Alerts or Notices of Dispute from a credit agency;
- Identification documents or cards that appear to be forged or altered;
- Identification documents or cards on which a person’s photograph or physical description is not consistent with the person presenting the document;
- Inconsistencies in information among different documents presented;
- Presentation of identifying information that is inconsistent with information from other sources;
- Social security number presented that is the same as one given by another student or employee;
- Notice to the University of unauthorized student or employee account activity.
Red Flags detection will involve procedures to verify identity and monitor transactions associated with enrollment into and maintenance of existing covered accounts. Responses to prevent and mitigate identity theft may include: continue to monitor the account; contact the student or employee; change passwords; close and reopen account; refuse to open a new covered account; notify law enforcement or Internal Audit, or determine that no response is warranted under the particular circumstances.
VI. EFFECTIVE DATE AND APPROVAL
The initial program was approved by the Board of Visitors and is effective May 1, 2009. The Board of Visitors hereby delegates to the Program Administrator the responsibility to oversee development and administration of the Program; training of appropriate staff; and service provider arrangements. This policy shall be reviewed and revised as necessary.
Carol D. Kissal
Senior Vice President, Administration and Finance
Mark R. Ginsberg
Provost and Executive Vice President
Reviewed: September 23, 2016
Revised: February 17, 2017
Revised: May 18, 2021