Northeastern State University has adopted this initial Identity Theft Prevention Program ("Program") in compliance with the “Red Flag” rules issued by the Federal Trade Commission pursuant to the Fair and Accurate Credit Transactions ACT (“FACTA”). The University is engaging in activities which are covered by the FACTA Red Flag rules. After consideration of the size and complexity of the University’s operations and account systems, and the nature and scope of the University’s activities, the Regional University System of Oklahoma (RUSO) has determined that this Program is appropriate for the University.
Under the Red Flag rules, the University is required to establish an “Identity Theft Program” with reasonable policies and procedures to detect, identify, and mitigate identity theft in its covered accounts. The University must incorporate relevant Red Flags into a Program to enable the University to detect and respond to potential identity theft. The University shall ensure that the Program is updated periodically to reflect changes in risks to customers or creditors or the University from identity theft.
Universities receiving certain federal grants as well as deferring payments for services must comply with these rules. The Rule applies to all “covered accounts,” in which Northeastern State University is the “creditor.” Furthermore, the rule is applicable to consumer reports used to conduct credit or background checks on prospective employees or applicants for credit.
Conclusively, this policy and protection program pertains to employees, students, contractors, consultants, temporary workers, and other workers at Northeastern State University, including all personnel affiliated with third parties.
The President shall designate a senior University official to serve as Program Administrator. The Program Administrator shall exercise appropriate and effective oversight over the Program and shall report regularly to the President on the Program.
With oversight of the Program Administrator, the Program will be administered by a committee comprised of, at minimum, representation from the offices of Business Affairs, Human Resources, Computing and Telecommunications, Public Safety, and the Office of General Counsel. The committee is jointly responsible for developing, implementing and updating the Program throughout the University system. The committee will also be responsible for ensuring appropriate training of University staff on the Program, for reviewing any staff reports regarding the detection of Red Flags and the steps for identifying, preventing and mitigating identity theft, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the Program.
The Program will be periodically reviewed and updated to reflect changes in identity theft risks and technological changes. The Program Administrator and committee will consider the University’s experiences with identity theft, changes in identity theft methods; changes in identity theft detection, mitigation and prevention methods; changes in types of accounts the University maintains; changes in the University’s business arrangements with other entities, and any changes in legal requirements in the area of identity theft. After considering these factors, it will determined whether changes to the Program, including the listing of Red Flags, are warranted.
The Program Administrator shall confer with all appropriate University personnel as necessary to ensure compliance with the Program. The Program Administrator shall annually report to the President on the effectiveness of the Program. The Program Administrator shall present any recommended changes to the President for approval. The President’s approval shall be sufficient to make changes to the University Identity Theft Program.
Pursuant to the Red Flag regulations at 16 C. F. R. § 681.2, the following definitions shall apply to this Program:
In order to identify relevant Red Flags, the University considers the types of accounts that it offers and maintains, the methods it provides to open its accounts, the methods it provides to access its accounts, and its previous experiences with Identity Theft. Employees should be aware of and diligent in monitoring for the following Red Flags. Northeastern State University has identified the following relevant Red Flags in each of the categories listed. Please note that this list is not exhaustive:
The Program’s general Red Flag detection practices are described in this document. The Program Administrator and each campus will develop and implement specific methods and protocols appropriate to meet the requirements of this Program.
In the event University personnel detect any identified Red Flags, such personnel shall take appropriate steps to respond and mitigate identity theft depending on the nature and degree of risk posed by the Red Flag, including but not limited to the following examples:
University employees responsible for implementing the Program shall be trained under the direction of the Program Administrator in the detection of Red Flags, and the responsive steps to be taken when a Red Flag is detected.
Appropriate staff shall provide reports to the Program Administrator on incidents of identity theft, the effectiveness of the Program and the University’s compliance with the Program.
In the event the University engages a service provider to perform an activity in connection with one or more accounts, the University will ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft:
Updated July 2009
<back to University Policies