This policy was initially approved by the Finance and Facilities Committee of the Board of Trustees of the University of Puget Sound on February 27, 2009. Oversight and approval of subsequent modifications to this policy are the responsibility of the Executive Vice President and Chief Financial Officer, or her/his delegate, in consultation with the President's Cabinet.

POLICY STATEMENT:

The University of Puget Sound, in response to a growing problem of identity theft, endeavors to safeguard personal and private information of all of its constituents, including faculty, staff, students, vendors, volunteers, and donors. Additionally, the university understands the importance of complying with applicable federal regulations under sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003 to establish an Identity Theft Prevention Program designed to detect, prevent, and mitigate identity theft in connection with conducting university business, as defined by federal regulations.

Definitions:

Identity theft: Fraud committed or attempted using the identifying information of another person without authority.

Covered Account: A consumer account that involves multiple payments or transactions, such as a loan or account that is billed or payable monthly.

Red Flag: Patterns, practices, and specific activities that signal the possible existence of identity theft.

The Program

The University of Puget Sound establishes an Identity Theft Prevention Program (the Program) to detect, prevent, and mitigate identity theft. The Program shall include reasonable policies and procedures to:

  1. Identify relevant Red Flags for covered accounts it offers or maintains and incorporate those Red Flags into the Program.
  2. Detect and record Red Flags that have been incorporated into the Program.
  3. Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft.
  4. Ensure the Program is updated periodically to reflect changes in identity theft risks to customers and to the safety and soundness of Puget Sound in its role as creditor.

The Program shall, as appropriate, incorporate existing policies and procedures that control reasonably foreseeable risks.

Administration of the Program

  1. The Identity Theft Prevention Program Team shall be responsible for developing and implementing the Program.
  2. The Identity Theft Prevention Program Team members shall train staff, as necessary, to implement the Program effectively within the individual departments' needs.
  3. The Chair of the Identity Theft Prevention Program Team will provide a written report annually to the President's Cabinet concerning annual activity and recommendations for continued administration.
  4. Each department shall exercise appropriate and effective oversight of its service provider arrangements.

Identification of Relevant Red Flags

  1. The Program shall include relevant Red Flags from the following categories as appropriate:
    1. Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services.
    2. The presentation of suspicious documents.
    3. The presentation of suspicious personal identifying information.
    4. The unusual use of, or other suspicious activity related to, a covered account.
    5. Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts.
  2. The Program shall consider the following risk factors in identifying relevant Red Flags for covered accounts as appropriate:
    1. The types of covered accounts offered or maintained.
    2. The methods provided to open covered accounts.
    3. The methods provided to access covered accounts.
    4. Its previous experience with identity theft.
  3. The Program shall incorporate relevant Red Flags from sources such as:
    1. Incidents of identity theft previously experienced.
    2. Methods of identity theft that reflect changes in risk.
    3. Applicable regulatory or professional guidance.

Detection of Red Flags

The Program shall address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:

  1. Obtaining identifying information about, and verifying the identity of, a person opening a covered account.
  2. Authenticating customers, monitoring transactions, and verifying the validity of change of address requests in the case of existing covered accounts.

Response

The Program shall provide for appropriate responses to detected Red Flags to prevent and mitigate identity theft. The response shall be commensurate with the degree of risk posed. Appropriate responses may include:

  1. Monitor a covered account for evidence of identity theft.
  2. Contact the customer.
  3. Change any passwords, security codes or other security devices that permit access to a covered account.
  4. Reopen a covered account with a new account number.
  5. Not open a new covered account.
  6. Close an existing covered account.
  7. Notify law enforcement.
  8. Determine no response is warranted under the particular circumstances.

Updating the Program

The Program shall be updated periodically to reflect changes in risks to customers or to the safety and soundness of the organization from identity theft based on factors such as:

  1. The experiences of the organization with identity theft.
  2. Changes in methods of identity theft.
  3. Changes in methods to detect, prevent and mitigate identity theft.
  4. Changes in the types of accounts that the organization offers or maintains.
  5. Changes in the business arrangements of the organization, including mergers, acquisitions, alliances, joint ventures and service provider arrangements.

Oversight of the Program

  1. Oversight of the Program shall include:
    1. Assignment of specific responsibility for implementation of the Program.
    2. Review of reports prepared by staff regarding compliance.
    3. Approval of material changes to the Program as necessary to address changing risks of identity theft.
  2. Reports shall be prepared as follows:
    1. Staff responsible for development, implementation and administration of the Program shall report to the President's Cabinet at least annually on compliance by the organization with the Program.
    2. The report shall address material matters related to the Program and evaluate issues such as effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts.