Policies and Procedures

E0102p Protection of Student Information Procedure


LEGAL REQUIREMENTS

Section 114 of the Federal Trade Commission's Fair and Accurate Credit Transactions Act of 2003 created the Red Flags Rule. The Fair Credit Reporting Act: Identity Theft Rules are identified in 16 CFR Part 681. These rules and regulations require Western Technical College (Western) to develop and provide for the continued administration of a written Program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account and to provide administration of the procedure. The College's procedure must:

  • Identify relevant Red Flags for covered accounts it offers or maintains and incorporate those Red Flags into the program
  • Detect Red Flags that have been incorporated into the procedure
  • Respond appropriately to any Red Flags that are detected to prevent and mitigate Identity Theft
  • Ensure the procedure is updated periodically to reflect changes in risks to students and to the safety and soundness of the creditor from Identity Theft

DEFINITIONS

The following definitions are included as part of this procedure:

  • Identity theft – fraud committed or attempted using the identifying information of another person without authority.
  • Covered account – an account that a creditor offers or maintains, primarily for personal, family, or household purposes, that involves multiple payments or transactions; and any other account the College offers or maintains for which there is reasonably foreseeable risk to customers or to the safety and soundness of the College from identity theft. A student account and the corresponding student account number are considered a covered account.
  • Red flag – a pattern, practice or specific activity that indicates the possible existence of identity theft.
  • Personal Identifying Information (PII) – any name or number that may be used, alone or in conjunction with any other information, to identify a specific person. PII may include: name, address, telephone number, social security number, date of birth, driver's license, identification number, alien registration number, government passport, employer or taxpayer identification number, student identification number, computer's Internet Protocol address, or routing code.

IDENTITY THEFT PREVENTION PROGRAM

To ensure compliance with the Identity Theft Rules, Western employees will verify student identity when fulfilling information requests. These requests can be, but are not limited to, any of the following services:

ITEMS REQUIRING STUDENT IDENTIFICATION
  1. Student Admissions Information including test results
  2. Student Record Information including schedules, transcripts, grades, etc.
  3. Student Account information including billing inquiries, balance owed, authorizations, etc.
  4. Student Financial Aid Information
  5. Parking Permits
  6. Student ID Cards or ID Badge
  7. Student Residence Hall Information
  8. Any other information or document requiring student account access

FORMS OF ACCEPTABLE ID
“One” form of Government or Agency issued photo ID:
  1. Student ID
  2. Valid Driver’s License
  3. Passport
  4. DMV Authorized ID Card
  5. High School issued ID card

OR

“One” of the following student-specific pieces of information:
  1. Date of Birth
  2. Student ID Number

AND

“Two” of the following presented verbally or in writing:

  1. Classes Registered – past or current
  2. Personal Email
  3. Final Grades – past or current
  4. Address on File
  5. Last 4 Digits of Phone Number on File

RED FLAGS FOR COVERED ACCOUNTS

Western staff members should use the following risk factors to identify relevant red flags for covered accounts:

Suspicious Documents
  • Identification document or card that appears to be forged, altered or inauthentic
  • The photograph or physical description on the identification is not consistent with the appearance of the student presenting the identification
  • A request for service that appears to have been altered or forged
  • A request made from a non-college issued e-mail account
  • A request to mail something to an address not listed on the file
Suspicious Identifying Information
  • Identifying information presented that is inconsistent with other information the student provides (example: inconsistent birth dates)
  • Identifying information presented that is inconsistent with other sources of information (example: address mismatch on personal documents)
  • Identifying information presented that is the same information shown on other applications that were found to be fraudulent
  • Identifying information presented that is consistent with fraudulent activity (example: invalid phone number or fictitious billing address)
  • Social security number presented that is the same as one given by another person
  • A person fails to provide complete personal identifying information
  • A person's identifying information is not consistent with the information that is on file for the student
Suspicious Account Activity
  • Account used in a way that is not consistent with prior use
  • Notice to the College that a student is not receiving mail sent by the College
  • Notice to the College that an account has unauthorized activity
  • Breach in the College's computer security system
  • Unauthorized access to or use of student account information
Alerts from Others
  • Notice to the College from a student, Identity Theft victim, law enforcement or other person that the College has opened or is maintaining a fraudulent account for a person engaged in Identity Theft

PROCEDURE FOR REPORTING SUSPECTED OR REPORTED RED FLAG ISSUES

When a case of identity theft is reported or suspected, Western employees shall do the following:
  1. The employee will inform their supervisor and immediately submit an incident report through the online report system (https://cm.maxient.com/reportingform.php?WesternTC&layout_id=14).
  2. The Maxient report will automatically be forwarded to the Cyber Breach Response Team.
  3. The Cyber Breach Response Team will determine the necessary action.

BEST PRACTICES FOR KEEPING STUDENT INFORMATION CONFIDENTIAL

To reduce the risk of identity theft, Western staff members should practice the following:
  1. Never ask a student to instant message or e-mail sensitive personal information or credit card information.
  2. Never ask a student to verbally declare their personal information in the presence of others.
  3. Don’t leave documents containing sensitive information lying around.
  4. Sensitive personal documents should be placed in secured shred boxes.
  5. Drop off should be used to email sensitive personal documents or information.
  6. When leaving your workstation, lock or sign off your computer.
  7. Be sure documents at the printer are secure. If a document is printed and lying on the printer, contact the owner or deliver the document immediately.

PROGRAM ADMINISTRATION

Oversight

The Dean of Students will serve as the Program Administrator and is responsible for developing, implementing and updating this program. The Program Administrator will be responsible for ensuring appropriate training of College staff on the program, for reviewing any staff reports regarding the detection of Red Flags and the steps for preventing and mitigating Identity Theft, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the program.

Service Provider Arrangements

In the event the College engages a service provider to perform an activity in connection with one or more covered accounts, the College will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of Identity Theft:
  • Require, by contract, that service providers have such policies and procedures in place; and
  • Require, by contract, that service providers review the College's program and report any Red Flags to the Program Administrator.

Program Updates

The Program Administrator will periodically review and update this program to reflect changes in risks to students and the soundness of the College from Identity Theft. In doing so, the Program Administrator will consider the College's experiences with Identity Theft situations, changes in Identity Theft methods, changes in Identity Theft detection and prevention methods, and changes in the College's business arrangements with other entities. After considering these factors, the Program Administrator will determine whether changes to the program, including the list of Red Flags, are warranted. If warranted, the Program Administrator will update the program.



Approved June 16, 2009
Updated January 8, 2020