Sarah Lawrence College is committed to protecting all data that it receives and maintains in its files and databases. The College has developed this Identity Theft Prevention Program (“Program”) to comply with the requirements of the Federal Trade Commission’s (“FTC”) Red Flags Rule under Sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”). After consideration of the size and complexity of the College’s operations and account systems, and the nature and scope of the College’s activity, the Audit Committee of the Board of Trustees has determined that this program is appropriate for the College, and therefore approved this initial Program on April 29, 2009.
The purpose of this policy is to establish an Identity Theft Prevention Program that is designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account, and to provide for continued administration of the Program. The Program shall include reasonable policies and procedures to:
- Identify relevant Red Flags for the covered accounts that the College offers or maintains, and incorporate those Red Flags into the College’s Program;
- Detect Red Flags that have been incorporated into the Program;
- Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
- Ensure the Program is updated periodically to reflect changes in identity theft risks to students and to the safety and soundness of the College in its role as creditor.
Covered Account: 1) A consumer account designed to permit multiple payments or transactions, and 2) any other account for which there is a reasonably foreseeable risk from identity theft.
Identity Theft: Fraud committed or attempted using the identifying information of another person without authority.
Red Flag: A pattern, practice or specific activity that could indicate the existence of identity theft.
The Audit Committee of the Board of Trustees has designated the Vice President for Finance, or her/his designee, to serve as Program Administrator. Oversight of the program shall include:
- Assignment of specific responsibility for implementation of the program and ensuring appropriate training of College staff, as necessary, to implement the program effectively within the individual department’s needs;
- Reporting, at least annually, to the Senior Staff on compliance by the organization with the Program. The report shall address material matters related to the Program and evaluate issues such as:
  - The effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening of covered accounts and maintenance of existing accounts;
  - Service provider agreements;
  - Significant incidents involving identity theft and management’s response;
- Ensuring that the Program is updated at least annually, and making recommendations for material changes to the Program.
Sarah Lawrence College has identified six types of covered accounts listed below. If applicable, accounts are noted as being administered by a service provider.
- Sarah Lawrence College Student Loan program (administered by service provider)
- Accounts with credit balances (including the “One Card”)
- Tuition payment plan, which allows students to pay their bills over a series of installments (administered by service provider)
- Federal Perkins loan accounts (administered by service provider)
- Collection of past due accounts (administered by service provider)
Identification of Relevant Red Flags
The Program shall include relevant Red Flags from the following categories as appropriate:
- Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services.
- Presentation of suspicious documents, including altered, forged or inauthentic documents, or documents which are inconsistent with the person presenting the document.
- Presentation of suspicious personal identifying information, such as a suspicious address change.
- Unusual use of, or other suspicious activity related to, a covered account.
- Notices from students or other customers, victims of identity theft, law enforcement authorities or other persons regarding possible identity theft.
The Program shall incorporate relevant Red Flags from sources such as:
- Incidents of identity theft that have been experienced.
- Methods of identity theft that reflect changes in identity theft risks.
- Applicable regulatory or professional guidance.
The Program shall consider the following risk factors in identifying relevant Red Flags for covered accounts as appropriate:
- The types of covered accounts offered or maintained.
- The methods provided to open covered accounts.
- The methods provided to access covered accounts.
- Previous experience with identity theft.
Detection of Red Flags
The College will take appropriate steps to detect Red Flags in connection with the opening of Covered Accounts and the maintenance of existing Covered Accounts, such as by:
- Obtaining identifying information about, and verifying the identity of, a person opening a Covered Account.
- Authenticating students, monitoring transactions, and verifying the validity of change of address requests, in the case of existing Covered Accounts.
Response to Red Flags
Management will respond appropriately to Red Flags, when detected, to prevent and mitigate identity theft, based upon the degree of risk posed. In determining an appropriate response, management will consider factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a student’s account records, or notice that a student has provided information related to a Covered Account to someone fraudulently claiming to represent Sarah Lawrence College or to a fraudulent website. Appropriate responses may include the following:
- Monitoring a Covered Account for evidence of identity theft;
- Contacting the student or other customer;
- Denying access to the Covered Account until other information is available to eliminate the Red Flag, or closing the existing Covered Account;
- Changing any passwords, security codes, or other security devices that permit access to a Covered Account;
- Closing and reopening a Covered Account;
- Refusing to open a Covered Account;
- Notifying law enforcement; or
- Determining that no response is warranted under the particular circumstances.
Oversight of Service Provider Arrangements
The College shall take steps to ensure that the activity of a service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft whenever the organization engages a service provider to perform an activity in connection with one or more covered accounts.
Updating the Program
The Program shall be updated periodically to reflect experience with identity theft, changes in the methods of identity theft, changes in methods of detecting, preventing and mitigating identity theft, changes in covered accounts, and changes in the College’s operations.
The College is committed to informing and educating its students, faculty and staff in the prevention of identity theft and will seek opportunities to promote this important Program.
Approval by the Senior Staff of the College is sufficient to make changes to this policy.