E-700.1 Identity Theft Prevention

The purpose of this Identity Theft Prevention Program (ITPP) is to control reasonably foreseeable risks to Students from identity theft by providing for the identification, detection, and response to patterns, practices, or specific activities (“Red Flags”) that could indicate identity theft.

DEFINITIONS

Identity Theft – Is a fraud attempted or committed using the identifying information of another person without authority.

Creditor – This includes government entities that defer payment for goods (for example, payment plans for bookstore accounts or parking tickets), issued loans, or issued Student debit cards.  Government entities that defer payment for services provided are not considered creditors for purposes of this ITPP.

Deferring Payments – Refers to postponing payments to a future date or installment payments on fines or costs.

Covered Account – Includes one that involves multiple payments or transactions.

Person – Means any individual receiving goods or services from the College and making payments on a deferred basis for said goods or services.

Red Flag – A red flag is a pattern, practice, or specific activity that indicates the possible existence of identity theft.

Detection or discovery of a “Red Flag” implicates the need to act under this ITPP to help prevent, detect, and correct identity theft.

Program Administrator – The program administrator is the Employee responsible for developing, implementing, and updating this program.

Program Coordinators – Program coordinators are Employees with supervisory responsibility for an organizational unit in which activities associated with covered accounts

occur (i.e., admissions, Student records, financial aid, business office, information technology support services, etc.).

PROGRAM ADMINISTRATION

Oversight

The Director of Financial Services will be the Program Administrator responsible for developing, implementing, and updating this program. The Program Administrator will also ensure appropriate training of Program Coordinators on the program, review any Employee reports regarding the detection of red flags and the steps for preventing and mitigating identity theft, determine which steps of prevention and mitigation should be taken under the circumstances, and consider periodic changes to the program.

Employee Training and Reports

Program Coordinators responsible for implementing the Program shall be trained, as necessary, in detecting red flags and the responsive steps to be taken when a red flag is detected. Program Coordinators are expected to notify the Program Administrator once they become aware of an incident of identity theft or the College's failure to comply with this program. At least annually, Program Coordinators responsible for the implementation and administration of the program shall report to the Program Administrator on compliance with this program. The report should address such issues as the effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening and maintenance of covered accounts, service provider agreements, significant incidents involving identity theft and management's response, and recommendations for changes to the program.

Service Provider Arrangements

In the event the College engages a service provider to perform an activity related to one or more covered accounts, the College will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.

• Require, by contract, that service providers have such policies and procedures.

• Require, by contract, that service providers review the College's program and report any red flags to the Program Administrator.

The College has identified State Collection Services and Wisconsin TRIP program as types of accounts that fall under the definition of service provider-covered accounts.

Specific Program Elements and Confidentiality

For the effectiveness of this Identity Theft Prevention Program, knowledge about specific red flag identification, detection, mitigation, and prevention practices may need to be limited to the Employee who developed this program and those needing to know them. Any documents that may have been produced or are produced to develop or implement this program that list or describe such specific practices and the information those documents contain are considered "confidential" and should not be shared with other Employees or the public to the extent permitted by law. The Program Administrator shall inform the Employees needing to know the information of those documents or specific practices that should be maintained confidentially.

Program Updates

The Program Administrator will periodically review and update this program to reflect changes in risks to Students and the soundness of the College from identity theft. In doing so, the Program Administrator will consider the College's experiences with identity theft situations, changes in identity theft methods, changes in identity theft detection and prevention methods, and changes in the College's business arrangements with other entities. After considering these factors, the Program Administrator will determine whether changes to the program, including the list of red flags, are warranted. If warranted, the Program Administrator will update the program.

Incident Documentation

The Program Administrator will keep detailed files on all incidences where there have been actual identity thefts, attempts at identity thefts, or suspicions of identity thefts. These files will, at a minimum, provide a complete description of the incident, procedures taken to determine any harm caused to the Student involved, any procedures taken to prevent and mitigate identity theft, and procedures taken to monitor activity in the Student's account to ensure that no further compromise to the Student's information occurred. These documents will be used to evaluate the effectiveness of this policy and provide appropriate changes to the College's Red Flag Policy. These documents will remain on file for at least five (5) years.

Disclaimer

While reasonable efforts will be made to detect, prevent, and mitigate identity theft, the College makes no representations or warranties that the program described above will ensure the absence of identity theft or prevent financial losses. All warranties against loss, either express or implied, are hereby disclaimed. Furthermore, the College will not be liable for direct, indirect, or consequential damages.

PROCEDURES

Identification of Red Flags

The following risk factors will be used to identify relevant Red Flags for covered accounts:

• The types of covered accounts as identified above.

• The methods provided to open covered accounts include gathering information such as:

  • Admissions application and registration with personally identifying information.

  • FAFSA application for financial aid assistance.

  • High school transcripts, GED, HSED, or other equivalent documents.

  • Official test scores, such as ACT, SAT, COMPASS, ACCUPLACER, and TABE.

  • Letters of recommendation.

  • Entrance medical record.

  • Criminal background check information.

  • Military Service Records.

  • Residency documents, such as Visa, I-9, I-551, etc.

  • Financial status documentation.

  • Post-secondary transcripts. 

• The methods used to access covered accounts include gathering the following information:

  • Disbursement requests obtained in person require picture identification.

  • Disbursement requests obtained by mail can only be mailed to an address on file.

  • Disbursement requests obtained by the Internet require a previously authorized password.

• The College's previous history of identity theft.

The following Red Flags will be considered:

• Notifications and Warnings from Consumer Reporting Agencies.

  • Report of fraud accompanying a consumer reporting agency report.

  • Notice of report from a consumer reporting agency of a credit freeze.

  • Notice or report from a consumer reporting agency of an active-duty alert.

  • Receipt of a notice of address discrepancy in response to a consumer reporting agency report request.

  • Indication from a consumer reporting agency report of activity inconsistent with the usual pattern or activity.

• Suspicious Documents

  • Identification document or card that appears forged, altered, or inauthentic.

  • The photograph or physical description of the identification is not consistent with the appearance of the Student presenting the identification.

  • A service request that appears to have been altered or forged.

  • A request was made from a non-college-issued e-mail account.

  • A request to mail something to an address not listed on the file.

  • A request to reset a password.

• Suspicious Identifying Information

  • Identifying information presented that is inconsistent with the Student's other information, such as inconsistent birth dates and different signatures.

  • Identifying information presented that is inconsistent with other sources of information, such as an address mismatch on personal documents.

  • Identifying information presented that is the same information shown on other applications found to be fraudulent.

  • Identifying information presented that is consistent with fraudulent activity, such as an invalid phone number or fictitious billing address.

  • The social security number presented is the same as one another person gave.

  • Failure to provide complete personal identifying information on a deferred payment plan when reminded to do so.

  • Identifying information that is not consistent with the information that is on file for the Student.

• Suspicious Account Activity

  • Account used in a way that is not consistent with prior use.

  • Mail sent to a Student repeatedly returned as undeliverable, although transactions continue in connection with the Student's covered account.

  • Notice to the College that a Student is not receiving mail from the College.

  • Notice to the College that an account has unauthorized activity.

  • A breach in the College's computer security system.

  • Unauthorized access to or use of Student account information.

  • Numerous unsuccessful attempts to gain computer access to a Student's account.

• Alerts from Others 

• ​Notice to the College from a Student, identity theft victim, law enforcement, or other persons that the College has opened or is maintaining a fraudulent account for a person engaged in identity theft.

DETECTION OF RED FLAGS

Student Enrollment

To detect any of the Red Flags identified above associated with the enrollment of a Student, college personnel will take the following steps to obtain and verify the identity of the person opening the account:

1. Require certain identifying information such as name, date of birth, academic records, home address, or other identification.

2. Verify the Student's identity when the Student identification card is issued by reviewing government-issued photo identification or other personally identifiable information to confirm domicile, such as a utility bill, tax return, bank statement, school transcript, or pay stub.

3. Student-selected personal information must be used to reset a computer access password.

Existing Accounts

To detect any of the Red Flags identified above for an existing covered account, College personnel will take the following steps to monitor transactions on an account:

1. Verify Students' identification if they request information in person, via telephone, facsimile, or email.

2. Verify the validity of requests to change billing addresses by mail or email and provide the Student with a reasonable means of promptly reporting incorrect billing address changes.

3. Verify changes in banking information given for billing and payment purposes.

4. Verify Student-selected personal information before resetting passwords.

PREVENTING AND MITIGATING IDENTITY THEFT

When a Red Flag is triggered, personnel shall take one or more of the following steps, depending on the degree of risk posed by the Red Flag:

Protect and Prevent Student-Identifying Information

To further prevent the likelihood of identity theft occurring with respect to covered accounts, the College will take the following steps with respect to its internal operating procedures to protect Student identifying information:

• Ensure that its website is secure or provide clear notice that the website is not secure.

• Ensure complete and secure destruction of paper documents and computer files containing Student account information when a decision has been made to no longer maintain such information.

• Ensure that office computers with access to covered account information are password protected.

• Avoid the use of social security numbers.

• Ensure computer virus protection is up to date.

• Require and keep only the kinds of Student information necessary for college purposes.

• Automatic lock-out for computers.

• Ensure secured access to imaged documents.

• Require Student's previously selected personal information to be provided before resetting computer access passwords. 

Mitigate

• Continue to monitor a covered account for evidence of identity theft.

• Contact the Student or applicant to prove identity.

• Change any passwords or other security devices that permit access to covered accounts.

• Not open a new covered account.

• Notify the Program Administrator to determine the appropriate step(s) to take.

• Notify law enforcement.

• Determine that no response is warranted under the circumstances.

• Provide the ability to enable FERPA block on directory information.