Identity Theft Prevention Program
Pursuant to the regulations implementing the federal Fair and Accurate Credit Transactions Act of 2003 (FACTA), the University is required to establish an “Identity Theft Prevention Program” with reasonable policies and procedures to detect, identify, and mitigate identity theft in its Covered Accounts.
Lawrence-campus University employees (faculty, staff, and student employees), contractors, consultants, and temporary workers in their handling of University Covered Accounts.
- Program Adoption
The University of Kansas has adopted an Identity Theft Prevention Program ("Program") in compliance with the “Red Flags” rules issued by the Federal Trade Commission pursuant to the Fair and Accurate Credit Transactions Act (“FACTA”). The University engages in some activities that are covered by the FACTA Red Flag rules; therefore, offices or units subject to the provisions of the rules are required to develop and implement procedures in compliance with this policy. For purposes of this policy, “Red Flag” means a pattern, practice, or specific activity that indicates the possible existence of Identity Theft.
- Responsible University Official
The Chancellor designates the Vice Provost for Finance to serve as the Program Administrator. The Vice Provost for Finance shall exercise appropriate and effective oversight over the Program. The Vice Provost for Finance may delegate day-to-day responsibility for aspects of the program to the KU Privacy Office and others as appropriate.
- Program Administration and Maintenance
- The Vice Provost for Finance is responsible for developing, implementing and on a periodic basis updating the Program throughout the University. The KU Privacy Office will provide staff support, including the following:
- The Program will be periodically reviewed and updated to reflect changes in identity theft risks and technological changes, and in consideration of the University’s experiences with identity theft, changes in identity theft methods, changes in identity theft detection, mitigation and prevention methods, changes in types of accounts the University maintains, changes in the University’s business arrangements with other entities, and any changes in legal requirements in the area of identity theft. After considering these factors, the Vice Provost for Finance, in consultation with others, will determine whether changes to the Program, including the listing of Red Flags, are warranted.
- Consistent with the Program requirements set forth in sections IV through VI below, all units of the University with Covered Accounts are required to:
- Identify relevant Red Flags, as described further below, for Covered Accounts it offers or maintains and incorporate those Red Flags into its unit-level policies and procedures;
- Detect Red Flags that have been incorporated into the unit-level policies and procedures, as described further below;
- Respond appropriately to any Red Flags that are detected to prevent and mitigate Identity Theft, as described further below;
- Update periodically unit-level policies and procedures to reflect changes in risks to students, staff, faculty, the University and others from Identity Theft;
- Train unit staff appropriately to effectively implement the program; and
- Review and exercise appropriate and effective oversight of Service Provider arrangements. Such oversight shall include steps to ensure that the activity of the Service Provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of Identity Theft.
- Affected units should designate an appropriate Identity Theft and/or Privacy Liaison for coordination of activities under this Program. Units may incorporate, as appropriate, existing policies, procedures and other arrangements that control reasonably foreseeable risks from Identity Theft. Units shall report to the Vice Provost for Finance at least annually on compliance with the Program, including the effectiveness of unit policies and procedures in addressing the risk of Identity Theft, Service Provider Arrangements, management response to significant incidents involving Identity Theft and recommendations for material changes to the Program.
- Any unit or department that requires access to a Consumer Report must obtain prior approval from the Office of the Vice Provost for Finance.
- Identification of Relevant Red Flags
- The Program shall include relevant Red Flags from the following categories, as appropriate:
- Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services.
- The presentation of suspicious documents.
- The presentation of suspicious personal Identifying Information, such as a suspicious address change.
- The unusual use of, or other suspicious activity related to, a Covered Account.
- Notice from Customers, victims of Identity Theft, law enforcement authorities, or other persons regarding possible Identity Theft in connection with Covered Accounts.
- The Program shall include the consideration of the following risk factors in identifying relevant Red Flags for Covered Accounts, as appropriate:
- The types of Covered Accounts offered or maintained;
- The methods provided to open Covered Accounts;
- The methods provided to access Covered Accounts; and
- Its previous experience with Identity Theft.
- The Program shall incorporate relevant Red Flags from sources such as:
- Incidents of Identity Theft previously experienced;
- Methods of Identity Theft that reflect changes in risk; and
- Applicable supervisory guidance.
- Detection of Red Flags
The Program shall address the detection of Red Flags in connection with the opening of Covered Accounts and existing Covered Accounts. At minimum, the Program Administrator and each campus department/unit administering Covered Accounts will develop and implement procedures appropriate to meet the requirements of this Program.
- New Covered Accounts
In order to detect any of the Red Flags associated with the opening of a new Covered Account, University personnel will take steps to obtain and verify the identity of the person opening the Covered Account.
- Existing Covered Accounts
In order to detect any of the Red Flags identified for an existing Covered Account, University personnel will take steps to authenticate customers, such as by verifying identity, and to monitor transactions with a Covered Account.
- Response
The Program shall provide for appropriate responses to detected Red Flags that are commensurate with the degree of risk posed.
- Appropriate responses may include, but are not limited to, the following:
- Monitoring a Covered Account for evidence of Identity Theft;
- Contacting the Customer, student or applicant (for or about which a consumer report was run);
- Changing any passwords, security codes or other security devices that permit access to a Covered Account;
- Reopening a Covered Account with a new account number;
- Not opening a new Covered Account;
- Closing an existing Covered Account;
- Not attempting to collect on a Covered Account;
- Notifying law enforcement; or
- Determining no response is warranted under the particular circumstances.
- Duties of card issuers regarding changes of address
- The Red Flag rules issued by the Federal Trade Commission provide, in part, that a debit or credit card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer’s debit or credit card account and, within a short period of time afterwards, the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card until, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer notifies the cardholder of the request.
- The University Card Center operates the University’s Beak ‘Em Bucks program. In order to be issued a card, the students, faculty, and staff must physically go to the Card Center Office with a valid driver’s license, state issued photo identification card, military identification card, green card or passport. Individuals are required to show their identification to the office staff to verify their identity. No cards are issued through the mail. Students wishing to change their address in University records must do so through the University’s Registrar’s Office or through Enroll & Pay; faculty and staff must do so through their department personnel-related staff or through the central Payroll Office.
- Issuance of credit or debit cards by a University unit other than the University Card Center is prohibited.
- Non-disclosure of Specific Practices
To ensure the effectiveness of this Identity Theft Prevention Program, it may be necessary to limit knowledge about specific Red Flag identification, detection, mitigation and prevention practices to the Program Administrator who developed this Program and to those employees with a need to know them. Any documents that may have been produced or are produced in order to develop or implement this program that list or describe such specific practices and the information those documents contain are considered “confidential” and should not be shared with other University employees or the public.
- Security Procedures
Departments/units with Covered Accounts must ensure they have sufficient physical, technical and administrative safeguards to protect the information in accordance with applicable University policies and procedures.
- Service Provider Arrangements
In the event a University unit engages a Service Provider to perform an activity in connection with one or more Covered Account(s), the University unit should take steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. These steps should include a requirement in the contract that the Service Provider have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider’s activities, and that the Service Provider either report the Red Flags to the unit or take appropriate steps to prevent or mitigate identity theft.
Any questions regarding interpretations and applicability of the Identity Theft Red Flag requirements and implementing the federal regulations will be coordinated with the Office of the Vice Provost for Finance, the Office of the General Counsel, the Privacy Office and the IT Security Office.
Faculty, staff and student employees who violate this University policy may be subject to disciplinary action for misconduct and/or performance based on the administrative process appropriate to their employment.
Office of the Vice Provost for Finance
250 Strong Hall
785-864-4904
provost@ku.edu
Office of the Chief Information Officer
1001 Sunnyside Avenue
Lawrence, KS 66045
785-864-4999
kucio@ku.edu
The following definitions are adapted from the definitions contained in the Red Flag regulations, found at 16 C.F.R. Part 681, and shall apply to this Program:
Covered Account: a consumer account designed to permit multiple payments or transactions. These are accounts where payments are deferred and made periodically over time, such as a tuition or fee installment payment plan. It also includes any other account the University offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the University from Identity Theft.
Customer: any person with a Covered Account with the University.
Identifying Information: any name or number that may be used alone or in conjunction with any other information, to identify a specific person, including:
- name
- address
- telephone number
- social security number
- date of birth
- government issued driver’s license or identification number
- alien registration number
- government passport number
- employer or taxpayer identification number
- unique electronic identification number
- computer’s Internet Protocol address or routing code
Identity Theft: a fraud committed using the identifying information of another person.
Red Flag: a pattern, practice or specific activity that indicates the possible existence of identity theft.
Service Provider: a person that provides a service directly to the University.
01/26/2022: Updated contact section.
12/10/2014: Policy formatting cleanup (e.g., bolding, spacing).
10/30/2014: Updated to fix broken link in Related Policies.
06/08/2010: Updated.
10/21/2009: Approved.