This Identity Theft Prevention Program ("Program") was developed pursuant to a SUNY policy adopted by the Board of Trustees on May 12, 2009, in order to comply with the Federal Trade Commission's Red Flags Rule (16 CFR 681.2). The purpose of this Program is to prevent frauds committed by the misuse of identifying information (i.e. identity theft). The Program aims to accomplish this goal by identifying accounts maintained by SUNY Oneonta which may be susceptible to fraud (hereinafter "Covered Accounts"), identifying possible indications of identity theft activity associated with those accounts (hereinafter "Red Flags"), devising methods to detect such activity, and responding appropriately when such activity is detected.
I. Definitions:
Account: A relationship established with an institution by a student, employee, or other person to obtain educational, medical, or financial services.
Covered Account: An account that permits multiple transactions or poses a reasonably foreseeable risk of being used to promote an identity theft.
Responsible Staff: Personnel, based on title, who regularly work with Covered Accounts and are responsible for performing the day-to-day application of the Program to a specific Covered Account by detecting and responding to Red Flags.
Red Flag: A pattern, practice, or specific activity that indicates the possible existence of identity theft.
Response: Action taken by Responsible Staff member(s) upon the detection of any Red Flag to prevent and mitigate identity theft.
Service Provider: A contractor to the institution engaged to perform an activity in connection with a Covered Account.
Identity Theft: A fraud committed or attempted using the identifying information of another person without authority.
II. Program Administration and Oversight
The President has designated the Vice President for Finance and Administration as Program Administrator to oversee the administration of this Program. The Program Administrator may designate additional staff of SUNY Oneonta to undertake responsibility for training personnel, monitoring service providers, and updating the Program, all under the supervision of the Program Administrator.
The Program Administrator or designees shall identify and train responsible staff, as necessary, to effectively implement and apply the Program. All SUNY Oneonta personnel are expected to assist the Program Administrator in implementing and maintaining the Program. The Program Administrator or designees shall review service provider agreements and monitor service providers, where applicable, to ensure that such providers have adequate identity theft prevention programs in place. When the Program Administrator determines that a service provider is not adequately guarding against threats of identity theft, he/she shall have the authority to take necessary corrective action, including termination of the service provider's relationship with SUNY Oneonta.
Prior to the beginning of each academic year, the Program Administrator shall evaluate the Program to determine whether it is functioning adequately. This evaluation shall include: a case-by-case assessment of incidents of identity theft or attempted identity theft that occurred during the previous academic year; interviews with Responsible Staff; and a survey of all accounts maintained by SUNY Oneonta to identify any additional Covered Accounts. In response to this annual evaluation, the Program Administrator shall recommend amendments to this Program for approval by the President.
The Program Administrator shall maintain records relevant to the Program, including the Written Program; documentation on training; documentation on instances of identity theft and attempted identity theft; contracts with service providers that perform activities related to Covered Accounts; and updates to the Written Program. From time to time, the designated internal control officer or his or her designee may perform reviews to determine if SUNY Oneonta is in compliance with the Program.
III. Covered Accounts; Responsible Staff; Red Flags; Responses:
Covered Account: Student Personal Information
Responsible Staff: Registrar’s Office, Admissions Office, Continuing Education, Summer Session & Graduate Studies
Red Flag: Suspicious change of address form (ex. Multiple address changes in a short time period, lack of zip code information, lack of official signature, etc.)
Response: If a change of address seems suspicious, the appropriate office will call the individual and ask them to come into the office (if the request was mailed). If they are unable to come into the office, additional documentation will be requested.
Covered Account: Web Services
Responsible Staff: Registrar’s Office, Admissions Office, Continuing Education, Summer Session & Graduate Studies, Information Technology Help Desk
Red Flag: PIN disabled due to multiple failed login attempts
Response: If the PIN is entered incorrectly three times, the account is disabled. The account is frozen until the individual contacts the appropriate office to re-enable PIN. The PIN is reset and e-mailed to the preferred email address or individual’s physical mailing address.
Covered Account: Student Accounts
Responsible Staff: All Student Accounts staff
Red Flag 1: Insufficient or suspicious identification is presented by a student who is trying to access account information in person or by telephone.
Response: Withhold information until appropriate identification is presented. Notify student if suspicious activity is suspected.
Red Flag 2: Multiple failed login attempts (web inquiries).
Response: If the PIN is entered incorrectly three times, the account is disabled. The account is frozen until the individual contacts the appropriate office to re-enable PIN. The PIN is reset and e-mailed to the preferred email address or individual’s physical mailing address.
Covered Account: Student/Parent Refunds
Responsible Staff: All Student Accounts staff members
Red Flag 1: Insufficient or suspicious identification is presented by a student who is trying to pick up a check
Response: Withhold check until appropriate identification is presented. Notify student if suspicious activity is suspected.
Red Flag 2: Request to mail check to address other than established in the Banner database
Response: In order to mail a check to an “unofficial address” request must be submitted in person with ID or in writing from the preferred email address in Banner. Notify student if suspicious activity is suspected.
Covered Account: Cash Advances/Bugbee Loans
Responsible Staff: Student Accounts/Financial Aid/ Finance and Admin staff
Red Flag 1: Insufficient or suspicious ID presented by student initiating loan or picking up the check
Response: Withhold processing of loan or check disbursement until appropriate ID is presented. Notify student if suspicious activity is suspected.
Covered Account: Oneonta Installment Plan
Responsible Staff: All Student Accounts staff
Red Flag 1: Multiple failed login attempts
Response: If the PIN is entered incorrectly three times, the account is disabled. The account is frozen until the individual contacts the appropriate office to re-enable PIN. The PIN is reset and e-mailed to the preferred email address or individual’s physical mailing address
Red Flag 2: Insufficient or suspicious identification is presented by a student who is trying to access account information.
Response: Withhold information until appropriate identification is presented. Notify student if suspicious activity is suspected.
Covered Account: Deferred Payment Agreement
Responsible Staff: Student Accounts/Financial Aid staff
Red Flag 1: Insufficient or suspicious identification is presented by a student who is trying to access account information.
Response: Withhold information until appropriate identification is presented. Notify student if suspicious activity is suspected
Covered Account: Employee Records
Responsible Staff: Employee Services and Payroll
Red Flag 1: An employee attempts to pick up their paycheck without picture identification.
Response: Can not release check without proper picture identification.
Red Flag 2: An individual requests to pick up someone else’s paycheck for them.
Response: We need written permission from the employee whose check they are picking up and picture identification for them.
Red Flag 3: Receive a call from someone requesting verification of employment.
Response: We can only say yes or no as to whether or not they are employed here if they can give us a social security number. Any additional information will need a release of authorization signed by the employee and faxed to us.
Red Flag 4: Receive a faxed verification of employment request.
Response: Call and request a signed release of authorization from the employee before filling out the form.
Red Flag 5: Someone other than the employee (spouse, family member, etc) calls and requests information about the employee such as when is the individual getting paid, how much, where is it being sent, etc.
Response: Can only give out that information to the employee him or herself.
Red Flag 6: Receive an address change request over the phone.
Response: Indicate that we only accept address changes either by completing our form or by emailing it to us using a properly authorized email account.
Red Flag 7: Someone calls and wants their check mailed to them.
Response: We need written permission in order to mail someone’s check to them. Written permission can be by completing our form or by emailing us using a properly authorized email account.
Red Flag 8: Missing signature for a paycheck on the paycheck distribution list.
Response: Contact the authorized person who signed for the bundle of paychecks and have them get the employees signature if they did indeed pick up their paycheck.
Red Flag 9: Employee requests information in regards to their personal information.
Response: Need to confirm social security number before that information can be given.
Covered Account: Alumni Records
Responsible Staff: Alumni Database Manager, Banner_Access manager (DBA or appointee), Phonathon Manager
Red Flag #1: Database file requested for purposes outside of normal institution-related programs or from person(s) not normally submitting such requests.
Response: Notify alumni director or immediate supervisor and proceed with an investigation. Explain current division privacy policy to all involved. If the request is approved, provide the minimum amount of information to meet the need.
Red Flag #2: Staff person discovered performing and recording constituent searches/results not relating to job function and outside of immediate need either during regular work hours or outside work hours.
Response: Notify immediate supervisor and proceed with an investigation.
Red Flag #3: Reports or printed files with sensitive constituent data are found outside the office, not secured/locked.
Response: Notify immediately and proceed with an investigation.
Red Flag #4: Alumna notifies us of identity theft and that she’s receiving bills from unknown businesses using her name exactly like the name applied on alumni mail (including maiden name).
Response: Notify immediately and proceed with an investigation.
Covered Account: ID/Dining Card
Responsible Staff: ID/Dining Card Office Staff
Red Flag 1: Insufficient or suspicious identification presented by patron trying to obtain SUNY Oneonta ID.
Response: Do not issue card unless, or until, patron provides acceptable documentation of identity or verification of banner record is complete.
Red Flag 2: Patron requests SUNY Oneonta ID to be mailed.
Response: Deny service, SUNY Oneonta ID’s must be obtained in person.
Red Flag 3: Patron requests name change.
Response: Deny service until name change is confirmed in banner record.
Red Flag 4: Patron requests refund be mailed to address other than banner address.
Response: Contact patron to verify address, if address change is needed, instruct patron to officially change banner record. Once complete, service can be provided.
Red Flag 5: Patron calls to activate previously lost card.
Response: Once caller’s identity is verified, the card is released from hold.
Red Flag 6: Indistinct SUNY Oneonta ID presented for service.
Response: Deny service, send patron to ID/Dining Card office for replacement ID.
Red Flag 7: Suspicious SUNY Oneonta ID presented for service.
Response: Deny service, confiscate card and send to ID/Dining Card office.
Red Flag 8: Large transaction or dollar amount.
Response: Staffed - Deny transaction until identity is properly established. Unstaffed -Transaction limits in unstaffed areas set to deny above the daily threshold.
Red Flag 9: Patron requests check cashing services with no SUNY Oneonta ID.
Response: Deny request until identity established through acceptable means.
Red Flag 10: Patron presents a starter check for cash.
Response: Deny service, no starter checks accepted.
Red Flag 11: Excessive transactions in a 24hr period.
Response: Contact patron and verify the card is in their possession.
Covered Account: E-mail account
Responsible Staff: E-mail Administrator
Red Flag: Notification from account owner that the password has been exposed or that the account has been used without authorization.
Response: Disable account. Investigate unauthorized use. Require password change. Issue new account if necessary. Monitor account activity.
Red Flag: E-mail administrator detects abnormal account activity.
Response: Disable account. Notify the account owner. Require password change. Monitor account activity.
Red Flag: Notification that password has been changed by someone other the account owner or that the account has been locked out due to failed login attempts by someone other than the account owner.
Response: Disable account. Investigate unauthorized access or attempted access. Require password change. Issue new account if necessary. Monitor account activity.