Chapter 8: Identity Theft Prevention, Detection and Mitigation Policy (Red Flags Rule)
8.1 Policy Overview
The University of Texas at El Paso ("University") will develop, maintain and update an Identity Theft Prevention, Detection and Mitigation Program ("Program") to detect, prevent and mitigate identity theft in accordance with 16 CFR 681.2, the Federal Trade Commission's "Red Flags Rule."
8.2.1 Account: Any continuing relationship between the University and an Account Holder that permits the Account Holder to obtain a product or service for personal, family, household or business purposes. It may involve the extension of credit for the purchase of a product or service, or a deposit account.
8.2.2 Account Holder: Student, employee, retired employee, patient or other person who has a Covered Account held by or on behalf of the University.
8.2.3 Covered Account: An Account that the University offers or maintains, or that is offered or maintained by a vendor or other third party on behalf of the University, primarily for personal, family, or household purposes, and that involves or is designed to permit multiple payments or transactions; and any other Account the University offers or maintains for which there is a reasonably foreseeable risk to an Account Holder or to the safety and soundness of the University from Identity Theft, including financial, operational, compliance, reputation, or litigation risks. Examples of Covered Accounts include, but are not limited to: student loans and tuition accounts; patient medical service Accounts; Accounts associated with employee benefits; student debit cards; and meal plans.
8.2.4 Identity Theft: Any use or attempt by an individual to use another person’s individual identifying information to obtain a thing of value to which the individual is not entitled, including money, credit, items, or services such as medical care or education services.
8.2.5 Individual Identifying Information: Any information that may be used alone or with other information to identify an individual, including, but not limited to:
- social security number;
- date of birth;
- telephone/cell number;
- government issued driver’s license or identification number;
- alien registration number;
- passport number;
- employer or taxpayer identification number;
- credit/debit/banking account numbers;
- unique biometric data such as fingerprint, voice print, retina or iris image or other unique physical representation;
- unique electronic identification number; address or routing code; IP or other computer identifying address; or telecommunication identifying information or other access device.
8.2.6 Red Flag: Suspicious patterns or practices, or specific activities that indicate the possibility that identity theft may occur or is occurring in connection with the University’s Covered Accounts.
8.2.7 Responsible Party: Appropriate senior officer or employee with sufficient training, experience and authority to develop, maintain, and oversee compliance with the University’s Program.
8.3 Policy Contact(s)
The Office of the Vice President for Business Affairs (VPBA) is responsible for this policy.
8.4.1 Responsible Party
8.4.1.1 The President shall appoint the Responsible Party.
8.4.1.2 The President has appointed the Vice President for Business Affairs (VPBA) as the Responsible Party under this policy.
8.4.1.3 The VPBA has assigned the Associate Vice President for Business Affairs (AVPBA) as the program administrator, who is responsible for developing, implementing and maintaining the Identity Theft Prevention, Detection and Mitigation Program. A copy of this Program is maintained on file.
8.4.1.4 The AVPBA is also responsible for identifying those areas where covered accounts are held by the University, ensuring University personnel are appropriately trained and providing an annual report to the President on compliance with the program. A copy of this report is maintained on file.
8.4.2 Risk Assessment and Program Review
8.4.2.1 An annual risk assessment shall be performed to determine if additional departments and/or areas have become responsible for opening or maintaining covered accounts. Each department must determine the following:
- Types of covered accounts offered and maintained
- Existing account opening processes
- Methods for accessing existing accounts
- Previous instances where identity theft has occurred
8.4.2.2 The program administrator shall complete an annual program review and review any incidents of identity theft occurring since the last review, changes in methods of identity theft, and changes to the methods of identifying and preventing identity theft.
8.4.2.3 The VPBA shall submit an annual report to the President illustrating the program's effectiveness, any third party service provider agreements, significant incidents of identity theft, management's response, and any recommended changes to the Program.