Helpful Links

Navigate OHIO

Connect With Us

Office of the Bursar
010 Chubb Hall
Athens, OH 45701
Directions
740.593.0767

Ohio University Identity Theft Prevention

Ohio University developed this Identity Theft Prevention Program (“Program”) pursuant to the Federal Trade Commission’s (“FTC”) Red Flags Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003.

The purpose of this Program is to document the protocol adopted by Ohio University in compliance with the Red Flags Rules. Many offices at the university maintain files on students, employees and patients, both in paper and electronic form with identity information. These files include, but are not limited to: admission information, financial aid information, billing information, employee personal information, academic and financial records, and patient records. In addition, the university hires outside service providers to perform institutional functions which may contain identity information.

This program will identify the areas of risk associated with identity theft on campus; will address the means whereby those risks will be identified; and will identify the methods of response to such Red Flags in order to mitigate the effects of identity theft.

Applying the Red Flags Rules to Ohio University

Per the Federal Trade Commission guidelines, the university would be a low risk entity for identity theft because:

  1. The university has privacy protocol and data security protocol in place.
  2. The university is a low priority target for identity theft or financial theft due to the nature of its transactions.

Definitions

“Identity Theft” is a “fraud” committed or attempted using the identifying information of another person without authority.”

A “Red Flag” is a “pattern, practice, or specific activity that indicates the possible existence of Identity Theft.”

A “Covered Account” includes all student, patient, and employee accounts or loans that are administered by Ohio University.

“Program Administrator” is the individual designated with primary responsibility for oversight of the program.

Covered Accounts

Ohio University has identified various types of accounts that fall within the definition of a covered account as set forth below:

  • Federal Perkins Loan Program
  • Health Professional Loan Program
  • Institutional Loans
  • Student Accounts
  • Patient Accounts

Program Steps

Step 1 – Identify Relative Red Flags (Red Flags of identity theft the University is likely to come across)

  1. Notice from a customer, a victim of identity theft, law enforcement agency, or some other entity that an account has been has been used fraudulently or opened for a person engaged in identity theft.
  2. Suspicious documents – Examples include but are not limited to the following:
    1. Documents provided for identification purposes that appear to have been altered, forged or are inauthentic.
    2. The photograph or physical description on the identification document is not consistent with the appearance of the individual presenting the identification.
    3. Information on the identification is not consistent with information provided by the person opening a new covered account or with the individual presenting the identification.
    4. An application appears to have been altered, forged, or gives the appearance of having been destroyed and reassembled.
  3. Suspicious personally identifying information – Examples include but are not limited to the following:
    1. Personal identifying information provided is inconsistent when compared against other sources of information used by the university, such as the Social Security Number (SSN) has not been issued or is listed in the Social Security Administrations Death Master File.
    2. Personal identifying information provided by the individual is not consistent with other information previously provided.
    3. Personal identifying information provided is associated with known fraudulent activity, such as addresses or phone numbers that have been previously submitted on fraudulent applications.
    4. Personal identifying information provided is of a type that is commonly associated with fraudulent activity. Examples are addresses submitted that are fictitious, a mail drop, or a prison, and phone numbers submitted that are invalid or are associated with a pager or answering service.
    5. The SSN provided is the same as that submitted by another person applying.
    6. The address or telephone number provided is the same or similar to the address or telephone number submitted by that of another person.
    7. The individual opening the covered account fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
    8. When establishing security questions and answers, the person opening the covered account cannot provide authenticating information beyond that which would generally be available from a wallet or consumer report.
  4. Suspicious covered account activity – Examples include but are not limited to the following:
    1. Shortly following the notice of a change of address for a covered account, the university receives a request for a new, additional, or replacement card, or for the addition of authorized users on the account.
    2. A covered account is used in a manner that is not consistent with established patterns of activity. Examples would be nonpayment when there is no history of late or missed payments or a material change in purchasing or usage patterns.
    3. The activation or use of a covered account that has been inactive for a lengthy period of time. The type of account, expected pattern of usage, along with other relevant factors should be considered when evaluating the usage.
    4. Mail sent to the individual is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the individuals covered account.
    5. Notification of unauthorized charges or transactions in connection with an individual’s covered account.
    6. A breach of the University’s computer system.
  5. Notifications or warnings from credit reporting agencies.

Step 2 – Detecting Red Flags (Current procedures designed to detect red flags in day to day operations)

  1. Student Enrollment
    1. Require specific identifying information such as name, date of birth, home address, or other identification; and
    2. Verify the student’s identity at the time of issuance of the student identification card by reviewing the student’s driver license or other approved government issued photo identification.
  2. Existing covered accounts
    1. Verify the identification of the student, faculty/staff member, patient, or any other covered account holder if information is requested. Information requests may come in person, via phone, via fax, or via email.
    2. Verify the validity of requests to change billing addresses by mail or email, and provide the covered account holder a reasonable means of promptly reporting incorrect billing address changes.
    3. Verify the validity of changes in banking information given for billing and payment purposes.
  3. Notifications from Consumer Credit Reporting Agencies
    1. Require written confirmation from candidate that address provided on application is accurate at the time of the request for the credit report is made to the consumer reporting agency.
    2. If, in the event that a notice of address discrepancy is received, verify that the credit report pertains to the candidate for whom the requested report was made and report back to the consumer reporting agency an address for the candidate that the Institution has reasonably confirmed is accurate.

Step 3 – Responding to Red Flags (Responses to prevent and mitigate identity theft)

In the event a red flag or potential red flag is identified, the university must act quickly to assess the risk posed by the red flag. All related documents should be gathered and a description of the situation should be summarized and reported to the Program Administrator. The Program Administrator, with assistance from appropriate university personnel, will determine whether the attempted transaction was fraudulent or authentic. At such time, the University may take the following steps as deemed appropriate:

  1. Determine that no response is warranted under the circumstances.
  2. Continue to monitor the covered account for evidence of identity theft.
  3. In the event of a credit warning, contact the affected individual.
  4. Change any passwords or other security devices that permit access to covered accounts.
  5. Close and reopen the account.
  6. Cancel the transaction.
  7. Determine not to open a new covered account.
  8. Provide the student, patient, faculty, or staff member with a new university identification number.
  9. Notify law enforcement.

Step 4 – Administering the Red Flag Program (Maintain program and educate staff)

Program Oversight

The Red Flag Program is administered by the designated Program Administrator, currently the Associate Vice President for Finance, and members of the committee representing key units within the university. Because the program is evolving, the committee will meet periodically (a minimum of once per year) to review current processes, determine their effectiveness, and implement changes to the Red Flag Program as needed. The committee is comprised of representatives of the following units:

  • Academic Affairs Bursar
  • Controller
  • Human Resources
  • Information Technology Services Internal Audit
  • Graduate Admissions Undergraduate Admissions Student Financial Aid Legal Affairs
  • Registrar Student Affairs

The committee membership is also subject to change as needed if warranted by changes in the Red Flag program.

The Program Administrator is also responsible for ensuring that needed steps are taken to prevent and mitigate identity theft, review any staff reports regarding the detection of red flags, and determine which steps should be taken in particular circumstances when red flags are suspected or detected.

Staff Training

Training will be provided to all university employees for whom it is reasonably foreseeable that the employee may come into contact with covered accounts or other identifying information.

Service Providers

In the event the university engages a service provider to perform an activity in connection with one or more accounts, the university will require by contract that the service provider either:

  1. Have policies and procedures in place to comply with the Red Flag Rule; or
  2. Review the institutional policy and report any red flags to the Program Administrator.

Program Updates

The committee will meet periodically to review and re-evaluate the program to determine whether all aspects of the program are up to date and applicable. Consideration will be given the university’s experiences with identity theft situations, changes in identity theft methods (both detection methods and prevention methods), and changes in the university’s business arrangements with other entities. These reviews will also include an assessment of which accounts are covered by the program. Also, red flags may be revised, replaced, or eliminated with new red flags defined as appropriate.

Additional Measures

Best Practices for the Safeguard of Personally Identifiable Information

In order to limit the risk of identity theft, employees should take the following steps with respect to covered accounts:

  • Lock file cabinets, desk drawers, overhead cabinets, and any other storage space containing documents with covered account information when not in use.
  • Lock storage rooms containing documents with covered account information and record retention areas at the end of each workday or when unsupervised.
  • Clear desks, workstations, work areas, printers, fax machines, and common shared work areas of all documents containing covered account information when not in use.
  • Review and adhere to recommended security best practices as identified in the university’s campus data security policy.
  • Documents or computer files containing covered account information will be destroyed in a secure manner.
  • Ensure you share information only in the course of authorized university business.
  • Turn your computer monitor away from the view of others who may enter your office or workspace.
  • Do not leave your computer unattended when logged into a system containing covered account information.
  • Avoid the use of social security numbers. Use the students OHIO ID, employee ID number, or patient number.
  • Utilize encryption devices when transmitting covered account information.
  • Shred documents that are to be disposed of which contain personally identifiable information.
  • Use common sense when working with personal identifying data. If an employee is uncertain of the sensitivity of a particular piece of information they should contact their supervisor.