How To Protect Student Against Identity Theft & New “Red Flag” Regulations
FALL KASRO Louisville, Kentucky 2008
BY: KAREN REDDICK, NATIONAL CREDIT MANAGEMENT
Since 1960
SANDBOX RULES
This session is open forum
Audience participation is encouraged
Questions and comments as we move through the presentation are welcome
IDENTITY THEFT
The fastest growing crime in America
Nearly 10 million people are victims of identity theft per year (4.5% of the Adult Population)
Takes over 600 hours of personal time and $1400 to clear their names
The FTC estimates it takes victims 14-16 months to clear their names
Victims face higher interest rates, insurance rates, rejected loans, and/or unjust accusations of criminal conduct which require costly legal assistance to rectify
$5,686 Per Incident
88% Non-Tech Related
Interesting Stats
Education is most likely to be hacked
This year alone over 50 colleges and universities have had some sort of security breach
Main Source of Education Breaches
– 50% from lost/stolen PCs, laptops and media
Interesting Stats
Another Main Source of Identity Theft is among the student population
The highest rates of identity theft are in the 18-29 age group
– Need to educate students on how they handle their personal information
  • Bills lying around in dorms
  • Carrying their social security cards in their wallets, etc.
What To Protect
– Name
– Social Security #
– Date of Birth
– Address
– Credit Card #
– Bank Account #
– PINs or Passwords
How To Protect Identity
Opt out 1-888-5optout or 1-888-567-8688
– Remove your name from Credit Bureau Lists
– Good for 5 years
Monitor Your Credit Report and Your Children’s (Under 18) (www.annualcreditreport.com)
Make copies of your credit cards and contents of wallet
Subscribe to AG No Call List
Guard Your Social Security Number Zealously
– Do not carry social security number
– When someone asks for it:
  • Why do you need it?
  • How do you protect it?
  • How will it be used?
  • What happens if I don’t give it to you?
Resources
Credit Freeze
In some states you can put a freeze on your credit file, so no one will have access to your information without your authorization
http://fightidentitytheft.com/security_freeze
Credit Freeze
What To Do If Someone Is A Victim
1. Place a fraud alert on your credit reports and review your reports
2. Close the accounts that you know, or believe, have been tampered with or opened fraudulently
3. File a report with your local police or the police in the community where the identity theft took place
4. File a complaint with the Federal Trade Commission
Tips to remember
Look at your physical environment
– Messy vs. clean desk
– Reports and files stored out of sight
– Locking file cabinets and offices
– Passwords on post-it notes?
– USB drives easily available
– Flash Cards, CDs, and disks lying around in plain sight
– Monitor location/desk direction
– Are visitors identified, challenged?
– Public access to business areas? Public Fax?
– Use Cross Cut Shredders
Tips to remember
Information Security Policy
– Do not store sensitive information on workstation or mobile device
– Written justification and approval for sensitive data storage
– Purge sensitive information as soon as its business need no longer exists
Purge Data
– Record retention schedules give useful life of each type of information
– Purge info - Wipe, not delete
Security File Deletion Utilities
– Cross cut shred, not store
Tips to remember
If your office uses cubicles
– Play background music (white noise)
– Use fabric sound absorbing covers
EXISTING LAWS THAT REGULATE STUDENT PRIVACY
FERPA: Family Educational Rights and Privacy Act
GLBA: Gramm-Leach-Bliley Privacy Act
State SSN Privacy Laws
FERPA
FERPA: Family Educational Rights and Privacy Act
Statute: 20 U.S.C. 1232(g)
Regulations: 34 CFR Part 99
The intent of the Act is to protect the rights of students and to ensure the privacy and accuracy of education records.
Those protected by FERPA are students and former students who have been in attendance at the institution.
Rights belong to the student
Solution
Have all students sign a release of information form and identify which parties are privy to their information
GLBA
GLBA: Gramm-Leach-Bliley Act signed into law November 1999.
– Regulation: Privacy regulations issued by federal agencies. Compliance required as of 7/1/01
– FTC PART 314-Standards for Safeguarding Customer Information (Effective 5/23/03)
– Scope: Regulates the sharing of:
  • “Nonpublic personal information” about individuals who obtain “financial products or services”
  • From “financial institutions” primarily for personal, family or household purposes.
GLBA-Implementing the Safeguards Rule
The Gramm Leach Bliley Act requires financial institutions to ensure the security and confidentiality of customer personal information.
The Federal Trade Commission (FTC) implemented GLBA by issuing the Privacy Rule and the Safeguards Rule.
Colleges and universities are considered “financial institutions” primarily due to student loan making activities.
Solutions
Design and implement a written security plan
– Select a group or committee to implement program
– Identify all foreseeable risks
  • Training/Human Resources/Management
  • Information Systems
  • System Failures/Intrusions-Disaster Plans
– Put together a written program to control these risks
– Oversee service providers to make sure they are capable of maintaining appropriate safeguards and require them by contract to implement and maintain such safeguards
– Evaluate program each year as environment changes
SSN STATE PRIVACY LAWS
– May not print SSN on any card required to access products or services
– May not require transmission of SSN over an unsecure Internet Connection
– May not require the SSN to access an Internet web site unless other unique identification or authentication is used
– May not print SSN on any material mailed to the individual unless state or federal law requires the SSN to be on the document, applications and forms excluded
Solutions
Create environment that will accommodate all State/Federal Laws
– Use student ID Numbers versus social security numbers
NEW RED FLAG RULES
New Red Flag Requirements For Financial Institutions
– Require financial institutions to develop and implement written identity theft prevention programs as part of the Fair and Accurate Credit Transactions Act of 2003
Under the Rule, each institution must develop and implement a written Identity Theft Prevention Program designed to detect, prevent, and mitigate identity theft in connection with new or existing accounts
Effective date is January 1, 2008
Mandatory compliance date is November 2, 2008
Identity Theft Red Flags Regulations
Does Higher Education have to comply?
– Yes, the FTC has confirmed that “Higher Educational Institutions do have to comply due to student loans, defer payment plans, or multiple payments on tuition accounts (extension of credit)”
– As stated in the GLBA: the rule under this law considers Higher Education Institutions financial institutions due to their “loan making activities”.
– The only way schools would not have to comply is if these federal agencies would make an exception
DON’T HOLD YOUR BREATH!!!!!!
NEW RED FLAG RULES
The program must provide for the identification, detection, and response to patterns, practices, or specific activities, known as “red flags”, that could indicate identity theft
Under these new rules, institutions must develop a written program that identifies and detects the relevant warning signs (red flags) of identity theft.
– Examples of these Warning Signs:
  • Unusual account activity
  • Fraud Alerts
  • Attempted use of suspicious account application documents
It must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program.
Program must be managed by senior employees, include appropriate staff training, and provide for oversight of any service providers
Elements on How to Comply W/Red Flag Requirements
4 Elements:
1. Identify patterns, practices or activities that indicate the possible existence of identity theft (red flags)
2. Detect Red Flags
3. Respond to detected Red Flags to prevent and mitigate identity theft
4. Update the Program periodically to reflect changes in risks to customers and the institution.
This initial plan needs to be approved by the institution’s Board of Directors or “Committee”.
HOW TO IDENTIFY THESE RED FLAGS
The FTC has identified 26 possible red flags
– 5 Categories
  • Alerts, notifications, or warnings from a consumer reporting agency
  • Suspicious documents
  • Suspicious personally identifying information, such as suspicious address
  • Unusual use of or suspicious activity relating to a covered account
  • Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about identity theft in connection with covered accounts
So Now What?
Don’t panic!
Don’t recreate the wheel
Evaluate your existing security plans (GLBA)
Incorporate these new rules into your existing security plan
Have your service providers incorporate these new rules into your contracts and their existing plans
Whether this law is relevant to Higher Education or not, it is imperative to know how to prevent or mitigate identity theft
Human Resources-Training is essential in any successful program
Be proactive and have a plan to prevent future liability
CONTACT INFORMATION
Red Flag Regulations
www.ftc.gov/opa/2007/10/redflag.shtm
Red Flag Questions/Comments
Email: [email protected]
GLBA
www.ftc.gov/privacy/privacyinitiatives/glbact.html
Laura D. Berger, Attorney, Division of Financial Practices, FTC, (202) 326-3224
NACUBO
http://www.nacubo.org/x2152.xml
FERPA
Family Policy Compliance Office
LeRoy Rooker, Director of Family Policy, (202) 260-3887
www.ed.gov/policy/gen/guid/fpco/ferpa
CONTACT INFORMATION
CREDIT BUREAUS
Equifax: 1-800-525-6285
www.equifax.com
Experian: 1-888-397-3742
www.experian.com
TransUnion: 1-800-680-7289
www.transunion.com