(A) Purpose
(1) The college creates, obtains, and stores personally-identifiable financial and other sensitive information, and desires to ensure appropriate measures are taken to prevent identity theft involving such information. Therefore, the college shall maintain an active identity theft prevention program in accordance with Federal Trade Commission regulations enacted under 16 CFR 681.2 (often referenced as the "Red Flag Rule").
(2) The controller and bursar shall serve as "Compliance Officer" leading development, implementation, and oversight of the identity theft program.
(B) Definitions
(1) "Covered accounts" are the college's tuition loan plans, emergency loans, Perkins loans, Nursing loans, federal family education loans (FFEL), and employee computer loans, and any other future accounts and/or transaction credits into the future.
(2) "Identifying information" is "any name or number that may be used, alone or in conjunction with any other information, to identify a specific person," including without limitation: name, address, telephone number, social security number, date of birth, government issued driver's license or identification number, student identification number, employee identification number, computer's internet protocol address, and routing code.
(3) "Identity theft" is a "fraud committed or attempted using the identifying information of another person without authority."
(4) "Red Flag" means a "pattern, practice, or specific activity that indicates the possible existence of identity theft."
(C) Identifying red flags
The program should identify red flags for covered accounts and incorporate those red flags into the program.
(1) The program should incorporate the following risk factors in identifying relevant red flags for covered accounts:
(a) The types of covered accounts offered or maintained by the college.
(b) The methods provided by the college to open covered accounts.
(c) The methods provided by the college to access covered accounts.
(d) The college's experience, if any, with identity theft.
(2) The program should incorporate appropriate red flags from relevant experiences and sources, including without limitation:
(a) Incidents of identity theft previously experienced.
(b) Methods of identity theft that reflect changes in risk.
(c) Regulatory or professional guidance.
(3) As appropriate, the program shall include relevant red flags from the following categories of risk factors:
(a) Alerts, notifications, or other warnings received from consumer reporting agencies or service providers.
(b) The presentation of suspicious documents.
(c) The presentation of suspicious personal identifying information.
(d) The unusual use of, or other suspicious activity related to, a covered account.
(e) Notice from customers, employees, students, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts.
(D) Detecting and responding to red flags
The college's identity theft prevention Program should address the detection of red flags in connection with the opening of new covered accounts and existing covered accounts.
The program should provide for appropriate responses to detected red flags to prevent and mitigate identity theft. The responses should be commensurate with the degree of risk posed, and may include:
(1) Monitoring a covered account for evidence of identity theft.
(2) Denying access to the covered account until other information is available to eliminate the red flag, or close the existing covered account.
(3) Contacting the student, former student, current employee, or former employee.
(4) Changing any passwords, security codes or other security devices that permit access to a covered account.
(5) Reopening a covered account with a new account number.
(6) Notifying a college administrator and the relevant compliance officer (controller and Bursar).
(E) Updating the identity theft prevention program
The College should periodically, and at least annually, update the program in accordance with appropriate factors, which may include:
(1) The experiences of the organization with identity theft.
(2) Changes in methods of identity theft.
(3) Changes in methods to detect, prevent and mitigate identity theft.
(4) Changes in the types of accounts that the organization offers or maintains.
(5) Changes in the business arrangements of the organization, including without limitation, service provider agreements.
(F) Methods of administering the program
In administering the Identity Theft Prevention Program, the Compliance Officer shall be responsible for:
(1) Training of College staff on the program.
(2) Requiring and reviewing reports on compliance with this program. The Identity Theft Program should include appropriate details about this reporting process.
(3) Leading prevention and mitigation efforts in particular circumstances.
(4) Monitoring and ensuring College compliance with the Identity Theft Prevention Policy and Program.
(5) Overseeing the activities of service providers performing activities related to covered accounts to ensure that such activities are conducted pursuant to reasonable policies and programs designed to detect, prevent, and mitigate the risk of identity theft.
Replaces: 3354:2-11-05
Ohio Admin. Code 3354:2-11-05
Effective: 4/14/2003
Promulgated Under: 111.15
Statutory Authority: 3354
Rule Amplifies: 3354
Prior Effective Dates: 4/14/2003