I. OBJECTIVE & PURPOSE
The University of North Florida developed this Identity Theft Prevention Program ("Program") pursuant to the Federal Trade Commission's ("FTC") Red Flags Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003. This Program was developed with oversight and approval of the Board of Trustees after consideration of the size and complexity of the University's operations, account systems, and the nature and scope of the University's activities.
II. STATEMENT OF POLICY
Red Flags Rule Definitions Used in this Program
Identity theft - Fraud committed or attempted using the identifying information of another person without authority.
Red flag - A pattern, practice, or specific activity that indicates the possible existence of Identity Theft.
Covered account - Potentially includes all accounts or loans that are administered by the University.
Identifying information - Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including: name, address, telephone number, social security number, date of birth, government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number, student identification number, computer's Internet Protocol address, or routing code.
Fulfilling Requirements of the Red Flags Rule
In compliance with provisions of the FTC's Red Flags Rule, the University established an "Identity Theft Prevention Program". In compliance with the FTC's Rule, the University's program incorporates procedures to identify relevant red flags for new and existing covered accounts, detect red flags, and respond appropriately to prevent and mitigate identity theft.
Details of the program are included in the "Red Flag Program Procedures" document.
Responsibility for implementing and updating this program will lie with a working committee made up of the Controller's Office, ITS, General Counsel, Internal Audit and others as deemed appropriate.
University staff responsible for implementing the program shall be educated in the detection of Red Flags and the responsive steps to be taken when a Red Flag is detected. University staff shall be trained, as necessary, to effectively implement the program. University employees are expected to notify the Program Administrator once they become aware of an incident of identity theft or of the University's failure to comply with this program.
Service Provider Arrangements
In the event the University engages a service provider to perform an activity in connection with one or more covered accounts, the University will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of Identity Theft.
1. Require, by contract, that service providers have such policies and procedures in place; and
2. Require, by contract, that service providers review the University's Program and report any Red Flags to the Controller's Office or the University employee with primary oversight of the service provider relationship.
The Program will be periodically reviewed and updated as appropriate to reflect changes in risks to students and the soundness of the University from identity theft. In doing so, the University's experiences with identity theft situations, changes in identity theft methods, changes in identity theft detection and prevention methods, and changes in the University's business arrangements with other entities will be considered.
Approved by BOT 3/15/11