The version of this rule that includes live links to associated resources is online at https://www.ohio.edu/policy/48-001
(A) Overview
The red flags rule was issued in 2007 under Section 114 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003 and published at 16 CFR 681.1. The red flags rule was established to protect consumers from the incidence of identity theft. The purpose of this policy is to assist employees in identifying, detecting and responding to patterns, practices and/or specific activities, known as red flags, that could indicate identity theft.
(B) Definitions
(1) Covered account: Includes all student, patient, and employee accounts or loans that are administered by Ohio University.
(a) Any account that involves or is designated to permit multiple payments or transactions; or
(b) Any other account maintained by the university for which there is a reasonably foreseeable risk of identity theft to students, faculty, staff, customers or other applicable constituents, or for which there is a reasonably foreseeable risk to the safety or soundness of the university from identity theft, including financial, operational, compliance, reputation or litigation risks.
(2) Identifying information: Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including but not limited to: name, address, telephone number, social security number, date of birth, government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number, student identification number, computer internet protocol address or routing code, credit card number or other credit card information.
(3) Red flag: A pattern, practice or specific activity that indicates the possible existence of identity theft.
(4) Identity theft: A fraud committed or attempted using the identifying information of another person without authority.
(5) Service provider: A person or entity that performs an activity in connection with a covered account on behalf of the university (examples: collection agencies, billing servicers).
(C) Covered account
(1) Covered accounts maintained by Ohio University include, but are not limited to, the following:
(a) Student loans (including Perkins loans and institutional loans)
(b) Student accounts (including bobcat cash)
(c) Patient/client accounts (including well works, clinics, etc.)
(D) Identification and detection of red flags
(1) Ohio University's identity theft prevention program addresses the detection of red flags in connection with the opening of covered accounts and existing covered accounts, such as by:
(a) Obtaining identifying information about, and verifying the identity of, a person. For example, requiring any person conducting business with the university to show a valid photo ID or other proof of identity when opening a covered account and for existing accounts.
(b) Authenticating customers, monitoring transactions, and verifying the validity of change of address requests in the case of existing accounts.
(2) The following examples of red flags are potential indicators of fraud or identity theft. The risk factors for identifying relevant red flags include the types of covered accounts offered or maintained; the methods provided to open or access covered accounts; and previous experience with identity theft. Any time a red flag or a situation closely resembling a red flag is apparent, it must be investigated for verification. Some examples are:
(a) Alerts, notifications or warnings from a credit or consumer reporting agency.
(b) Suspicious documents.
(c) Suspicious personal identifying information.
(d) Unusual use of, or suspicious activity related to, the covered account.
(E) Responding to red flags
Once a red flag or potential red flag is detected, the employee must act quickly with consideration of the risk posed by the red flag. The employee detecting the red flag must gather all related documentation, write a description of the situation and present this information to the program administrator for determination. The program administrator will complete additional authentication to determine whether the attempted transaction was fraudulent or authentic.
(F) Protecting personal information
Employees designated by the program administrator must review on an annual basis the university's red flag program. University personnel are also encouraged to use good judgment in securing covered account information. Furthermore, designated employees must review policy 12.020 student records, policy 93.001 data classification, policy 40.007 public records requests, and other applicable laws and policies. If an employee is uncertain of the sensitivity of a particular piece of information, he/she must contact his/her supervisor. If the supervisor is uncertain, they must contact the program administrator for further advice.
(G) Program administration
Operational responsibility of the program at the university is delegated to a program administrator. The duties of the program administrator are oversight, development, implementation and administration of the program; approval and implementation of needed changes to the program; and staff training. The program administrator is also responsible for ensuring that appropriate steps are taken for preventing and mitigating identity theft, for reviewing any staff reports regarding the detection of red flags, and for determining which steps must be taken in particular circumstances when red flags are suspected or detected.
(H) Staff training
Staff training must be conducted for all employees who may come into contact with covered accounts or identifying information, as determined by the program administrator. The program administrator must retain training records for all designated employees showing that all designated employees have received annual training.
(I) Periodic updates to the program
(1) The program will be re-evaluated annually to determine whether the program addresses currently relevant and emerging risks for identity theft. Consideration will be given to the university's experiences with identity theft situations; changes in identity theft methods, detection methods or prevention methods; and changes in the university's business arrangements with other entities.
(2) Periodic reviews will include an assessment of which accounts are covered by the program. As part of the review, red flags may be revised, replaced or eliminated. Defining new red flags may also be appropriate. Actions to take in the event that fraudulent activity is suspected or discovered may also require revision to the program.
(J) Overview of service provider arrangements
It is the responsibility of the university to ensure that the activities of all service providers are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. In the event the university engages a service provider to perform an activity in connection with one or more covered accounts, the university will take steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.
Ohio Admin. Code 3337-48-01
Effective: 5/17/2019
Promulgated Under: 111.15
Statutory Authority: 3337.01
Rule Amplifies: 3337.01