Policy Number: Business Related Policy

Subject: Identity Theft detection, prevention, and mitigation

Purpose: To establish an Identity Theft Prevention Program designed to detect, prevent, and mitigate identify theft in connection with opening a covered account or an existing covered account at the University of Iowa.

Definitions:

Account: A continuing relationship established as a result of becoming a student, accepting employment or obtaining goods or service which includes an extension of credit involving a deferred payment.

Covered Account: Accounts allowed by the University of Iowa are primarily for students, faculty and staff and allow multiple payments or transactions; and any other accounts the University of Iowa maintains for which there is a foreseeable risk to customers or to the safety and soundness of the University of Iowa from identity theft, including financial, operational, compliance, reputation, or litigation risks.

Red Flag: A pattern, practice or specific activity that indicates the possible existence of identity theft.

Identity Theft: A fraud committed or attempted using the identifying information of another person without authority.

Identifying Information: Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person.

Policy:

A. Identification of Covered Accounts

Student – Accounts opened as part of being a registered student
Faculty and Staff – Accounts opened as a result of accepting employment
Non-Student – Accounts opened as a result of obtaining goods or services

B. Establishment of an Identify Theft Prevention Program

The University of Iowa establishes its program through the implementation of this policy. The Program is designed to detect, prevent, and mitigate identify theft in connection with the opening of a covered account or any existing covered account.

C. Elements of the Program

1. The University of Iowa will identify relevant Red Flags for covered accounts that the University of Iowa offers or maintains and will incorporate those Red Flags into the Program.
2. The University of Iowa will put process and procedures in place to detect Red Flags that have been incorporated into the Program.
3. The University of Iowa will respond appropriately to any Red Flags that are detected in order to prevent and mitigate identity theft.
4. The University of Iowa will ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the University of Iowa systems and services from identity theft.

D. Administration of the Program

1. The initial program shall be approved by the University of Iowa Provost and Vice-President for Finance and Operations.
2. Program oversight shall be the responsibility of the Vice President for Finance and Operations and responsibility for the implementation of the program shall be assigned to the Controller of the University of Iowa.
3. At least annually, the Controller shall report to the Vice President for Finance and Operations on the University of Iowa’s compliance with the detection, prevention, and mitigation of identity theft.

E. Service Provider Arrangements

When the University of Iowa engages a service provider for an activity in connection with one or more covered accounts, The University of Iowa will require the service provider by contract to have policies and procedures in place to detect relevant Red Flags that may arise in the performance of the service provider’s activities, and to report the Red Flags to the University of Iowa, as well as to take appropriate steps to prevent or mitigate identity theft.

F. Identification of Red Flags

When identifying relevant Red Flags, the University of Iowa will consider, as appropriate, the types of covered accounts it offers or maintains, the methods it provides to open its covered accounts, the methods it provides to access its covered accounts, and its previous experiences with identity theft.

G. Identified Potential Red Flags and Corresponding Response Policies

Red Flag Response Policy
Documents provided for identification appearing altered or forged 1) Refuse Service
2) Notify University Police
3) Retain altered or forged card if University ID card
Photograph on ID inconsistent with appearance of customer 1) Request additional form of Photo ID to resolve inconsistency
2) If not resolved with additional form or additional form not provided - refuse service
3) Notify University Police
Photograph on University ID inconsistent with appearance of customer 1) Request additional form of Photo ID to resolve inconsistency
2) If not resolved with additional form or not provided, refuse service
3) Notify University Police
4) Retain University ID
Information on ID inconsistent with information provided by person opening account 1) Ask account holder to provide additional information to resolve inconsistency.
2) refuse service if not resolved
Information on ID such as signature, inconsistent with information on file at financial institution 1) Ask account holder to provide additional information to resolve inconsistency.
2) refuse service if not resolved
Information on ID not matching any address in the consumer report, Social Security number has not been issued or appears on the Social Security Administration's Death master File, a file of information associated with Social security numbers of those who are deceased 1) Notification of a social security number not matching can be received by either Social Security Office or Department of Education
2) Request additional information to resolve why there is no match
3) Resolution required or refuse service
4) If service refused, report to University Police
Lack of Correlation between Social Security number range and date of birth 1) Notification of a social security number not matching can be received by either Social Security Office or Department of Education
2) Request additional information to resolve why there is no match
3) Resolution required or refuse service
4) If service refused, report to University Police
Personal Identifying information associated with known Fraud activity 1) Follow University Police procedures and policies
Social Security numbers provided matching that submitted by another person opening an account or other customers 1) Ask for additional information to resolve
2) Refuse service until resolved
Personal information inconsistent with information already on file at financial institution or creditor. (i.e. address) 1) Request additional information to resolve
2) Refuse service
3) Verify with National Database (i.e. credit bureaus) to resolve inconsistency.
Person opening account or customer unable to correctly answer challenge questions. 1) Refuse service
Most of available credit used for cash advances, jewelry or electronic, plus customer fails to make first payment. 1) Student ID cards not allow to purchase electronic gaming systems. In the Apple Store, purchases limited to $200.
2) Students or staff not making payments, account will become past due and further charging is suspended until account is current.
Drastic change in payment patterns, use of available credit or spending patterns 1) Detection from reports by IMU Business Office for accounts with excessive spending, itemized receipts are pulled
2) Customer is contacted to verify purchases are legitimate and card not stolen
3) If any suspicion of fraud as a result of receipt examination, suspend charging ability on card.
4) Report to University Police
Mail sent to customer repeatedly returned as undeliverable despite ongoing transactions on active account 1) Contact Customer to determine correct address
2) If unable to determine correct address, suspend activity on account until resolved
3) When possible, verify address through credit bureau and/or review account activity for departmental help in verifying correct address.
Financial institution or creditor notified that customer is not received paper account statements 1) Student and Staffs bills will be delivered electronically beginning 2/1/09
2) If paper bill still mailed, verify customer, verify address.
Financial institution or creditor notified of unauthorized charges or transactions on customer's account 1) Report to University Police for investigation
2) Advise department that submitted charge to billing system
3) Suspend charging ability on account
Information discovered from a background check not consistent with information already on file 1) Applicant is given report to respond or provide additional documentation.
2) If applicant says incorrect, vendor is asked to run report again using additional identifiers.
3) If information is verified with applicant to be correct, reviewed by Dean of College so a decision can be made on what action should be taken regarding the applicant