How To Protect Student Against Identity Theft & New “Red Flag” Regulations
FALL KASRO Louisville, Kentucky 2008
BY: KAREN REDDICK NATIONAL CREDIT MANAGEMENT

SANDBOX RULES
• This session is open forum
• Audience participation is encouraged
• Questions and comments as we move through the presentation are welcome

IDENTITY THEFT
• The fastest growing crime in America
• Nearly 10 million people are victims of identity theft per year (4.5% of the Adult Population)
• Takes over 600 hours of personal time and $1400 to clear their names
• The FTC estimates it takes victims 14-16 months to clear their names
• Victims face higher interest rates, insurance rates, rejected loans, and/or unjust accusations of criminal conduct which require costly legal assistance to rectify
• $5,686 Per Incident
• 88% Non-Tech Related

Interesting Stats
• Education is most likely to be hacked
• This year alone over 50 colleges and universities have had some sort of security breach
• Main Source of Education Breaches
• 50% from lost/stolen PCs, laptops and media

Interesting Stats
• Another Main Source of Identity Theft is among the student population
• The highest rates of identity theft are in the 18-29 age group
• Need to educate students on how they handle their personal information
• Bills lying around in dorms
• Carrying their social security cards in their wallets, etc.

What To Protect
• Name
• Social Security #
• Date of Birth
• Address
• Credit Card #
• Bank Account #
• PINs or Passwords

How To Protect Identity
• Opt out 1-888-5optout or 1-888-567-8688
• Remove your name from Credit Bureau Lists
• Good for 5 years
• Monitor Your Credit Report and Your Children’s (Under 18) (www.annualcreditreport.com)
• Make copies of your credit cards and contents of wallet
• Subscribe to AG No Call List
• Guard Your Social Security Number Zealously
• Do not carry your social security number
• When someone asks for it:
• Why do you need it?
• How do you protect it?
• How will it be used?
• What happens if I don’t give it to you?

Resources
Credit Freeze
In some states you can put a freeze on your credit file so that no one will have access to your information without your authorization.
http://fightidentitytheft.com/security_freeze

What To Do If Someone Is A Victim
• Place a fraud alert on your credit reports and review your reports
• Close the accounts that you know, or believe, have been tampered with or opened fraudulently
• File a report with your local police or the police in the community where the identity theft took place
• File a complaint with the Federal Trade Commission

Tips to remember
• Look at your physical environment
• Messy vs. clean desk
• Reports and files stored out of sight
• Locking file cabinets and offices
• Passwords on post-it notes?
• USB drives easily available
• Flash cards, CDs, and disks lying around in plain sight
• Monitor location/desk direction
• Are visitors identified, challenged?
• Public access to business areas? Public Fax?
• Use Cross Cut Shredders

Tips to remember
• Information Security Policy
• Do not store sensitive information on a workstation or mobile device
• Written justification and approval for sensitive data storage
• Purge sensitive information as soon as its business need no longer exists
• Purge Data
• Record retention schedules give the useful life of each type of information
• Purge info: wipe, not delete
• Secure File Deletion Utilities
• Cross cut shred, not store

Tips to remember
• If your office uses cubicles
• Play background music (white noise)
• Use fabric sound absorbing covers

EXISTING LAWS THAT REGULATE STUDENT PRIVACY
• FERPA: Family Educational Rights and Privacy Act
• GLBA: Gramm-Leach-Bliley Privacy Act
• State SSN Privacy Laws

FERPA
• FERPA: Family Educational Rights and Privacy Act
Statute: 20 U.S.C. 1232(g)
Regulations: 34 CFR Part 99
• The intent of the Act is to protect the rights of students and to ensure the privacy and accuracy of education records.
• Those protected by FERPA are students and former students who have been in attendance at the institution.
• Rights belong to the student

Solution
• Have all students sign a release of information form and identify which parties are privy to their information

GLBA
• GLBA: Gramm-Leach-Bliley Act signed into law November 1999.
• Regulation: Privacy regulations issued by federal agencies. Compliance required as of 7/1/01
• FTC PART 314-Standards for Safeguarding Customer Information (Effective 5/23/03)
• Scope: Regulates the sharing of:
• “Nonpublic personal information” about individuals who obtain “financial products or services”
• From “financial institutions” primarily for personal, family or household purposes.

GLBA-Implementing the Safeguards Rule
• The Gramm-Leach-Bliley Act requires financial institutions to ensure the security and confidentiality of customer personal information.
• The Federal Trade Commission (FTC) implemented GLBA by issuing the Privacy Rule and the Safeguards Rule.
• Colleges and universities are considered “financial institutions” primarily due to student loan making activities.

Solutions
• Design and implement a written security plan
• Select a group or committee to implement the program
• Identify all foreseeable risks
• Training/Human Resources/Management
• Information Systems
• System Failures/Intrusions-Disaster Plans
• Put together a written program to control these risks
• Oversee service providers to make sure they are capable of maintaining appropriate safeguards, and require them by contract to implement and maintain such safeguards
• Evaluate the program each year as the environment changes

SSN STATE PRIVACY LAWS
• May not print SSN on any card required to access products or services
• May not require transmission of SSN over an unsecured Internet connection
• May not require the SSN to access an Internet web site unless other unique identification or authentication is used
• May not print SSN on any material mailed to the individual unless state or federal law requires the SSN to be on the document; applications and forms excluded

Solutions
• Create an environment that will accommodate all State/Federal Laws
• Use student ID numbers versus social security numbers

NEW RED FLAG RULES
• New Red Flag Requirements For Financial Institutions
• Require financial institutions to develop and implement written identity theft prevention programs as part of the Fair and Accurate Credit Transactions Act of 2003
• Under the Rule, each institution must develop and implement a written Identity Theft Prevention Program designed to detect, prevent, and mitigate identity theft in connection with new or existing accounts
• Effective date is January 1, 2008
• Mandatory compliance date is November 2, 2008

Identity Theft Red Flags Regulations
Does Higher Education have to comply?
• Yes, the FTC has confirmed that “Higher Educational Institutions do have to comply due to student loans, defer payment plans, or multiple payments on tuition accounts (extension of credit)”
• As stated in the GLBA, the rule under this law considers Higher Education Institutions financial institutions due to their “loan making activities”.
• The only way schools would not have to comply is if these federal agencies make an exception
• DON’T HOLD YOUR BREATH!!!!!!

NEW RED FLAG RULES
• The program must provide for the identification, detection, and response to patterns, practices, or specific activities, known as “red flags”, that could indicate identity theft
• Under these new rules, institutions must develop a written program that identifies and detects the relevant warning signs (red flags) of identity theft.
• Examples of these Warning Signs:
• Unusual account activity
• Fraud Alerts
• Attempted use of suspicious account application documents
• It must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program.
• Program must be managed by senior employees, include appropriate staff training, and provide for oversight of any service providers

Elements on How to Comply W/Red Flag Requirements
4 Elements:
1. Identify patterns, practices or activities that indicate the possible existence of identity theft (red flags)
2. Detect Red Flags
3. Respond to detected Red Flags to prevent and mitigate identity theft
4. Update the Program periodically to reflect changes in risks to customers and the institution.
This initial plan needs to be approved by the institution’s Board of Directors or “Committee”.

HOW TO IDENTIFY THESE RED FLAGS
• The FTC has identified 26 possible red flags
• 5 Categories
• Alerts, notifications, or warnings from a consumer reporting agency
• Suspicious documents
• Suspicious personally identifying information, such as suspicious address
• Unusual use of or suspicious activity relating to a covered account
• Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about identity theft in connection with covered accounts

So Now What?
• Don’t panic!
• Don’t recreate the wheel
• Evaluate your existing security plans (GLBA)
• Incorporate these new rules into your existing security plan
• Have your service providers incorporate these new rules into your contracts and their existing plans
• Whether this law is relevant to Higher Education or not, it is imperative to know how to prevent or mitigate identity theft
• Human Resources-Training is essential in any successful program
• Be proactive and have a plan to prevent future liability

CONTACT INFORMATION
Red Flag Regulations
www.ftc.gov/opa/2007/10/redflag.shtm
Red Flag Questions/Comments
Email: RedFlags@ftc.gov
GLBA
www.ftc.gov/privacy/privacyinitiatives/glbact.html
Laura D. Berger, Attorney
Division of Financial Practices
FTC (202) 326-3224
NACUBO
http://www.nacubo.org/x2152.xml
FERPA
Family Policy Compliance Office
LeRoy Rooker, Director of Family Policy
(202) 260-3887
www.ed.gov/policy/gen/guid/fpco/ferpa

CONTACT INFORMATION
CREDIT BUREAUS
Equifax 1-800-525-6285 www.equifax.com
Experian 1-888-397-3742 www.experian.com
TransUnion 1-800-680-7289 www.transunion.com