Policies & Procedures

I. PURPOSE 

This policy implements an Identity Theft Prevention Program ("Program") at Longwood University, pursuant to the Federal Trade Commission's Red Flags Rule under Section 114 and 315 of the Fair and Accurate Credit Transactions Act, which amended the Fair Credit Reporting Act. This policy and its related procedures are determined to be appropriate to the size and complexity of the University's operations and the nature and scope of its activities. Given the University's existing data security protocol and applicable privacy laws, Longwood is extremely cognizant of protecting sensitive data and therefore considers itself a low-risk institution.

The purpose of this policy is to establish an Identity Theft Prevention Program designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or an existing covered account and to provide for continued administration of the Program. The Program shall include reasonable policies and procedures to:

1. Identify relevant red flags for covered accounts it offers or maintains and incorporates those red flags into the Program;
2. Detect red flags that have been incorporated into the Program;
3. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft;
4. Ensure the Program is updated periodically to reflect changes in risks and to the safety and soundness of the creditor from identity theft; and

5. Ensure University staff responsible for implementing the Program are appropriately trained in the detection of red flags and the responsive steps to be taken when a red flag is detected.

II. DEFINITIONS  

Identity Theft - A fraud committed or attempted using the identifying information of another person without authority.

Identifying Information - Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including: name, address, social security number, date of birth, driver's license or identification number, student identification number, alien registration number, government passport number, employer or taxpayer identification number, telephone number, computer's Internet Protocol address or routing code.

Red Flag - A pattern, practice or specific activity that should alert an individual or organization that there is a possible risk of identity theft.

Covered Account - A consumer account that a creditor offers or maintains primarily designed to permit multiple payments or transactions, and any other account for which there is a reasonably foreseeable risk of identity theft.

Service Provider - A service provider is a third party who performs an activity in connection with one or more covered accounts.

III. POLICY 

In order to identify relevant red flags, the University considers the types of covered accounts it offers or maintains, methods it provides to open or access its accounts, and its previous experiences with identity theft. Categories of red flags defined under FTC guidelines are:

1. Alerts, notifications, or other warnings received from consumer reporting agencies or service providers;
2. Presentation of suspicious documents;
3. Presentation of suspicious personal identifying information;
4. Unusual use of, or other suspicious activity related to, a covered account; and

5. Notice from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.

IV. PROCEDURE 

The University will adhere to procedures established to identify and detect red flags, and identify appropriate responses to red flags that are detected in order to prevent and mitigate identity theft.

The Longwood University Technology Group (LUTECH) is responsible for administering the institution’s Identity Theft Prevention Program policy and procedures, to include reviewing alerts regarding the detection of red flags, determining which steps of prevention and mitigation should be taken in particular circumstances, and re-evaluation of the program to address new risks.  Identity theft prevention is a standing agenda item for LUTECH committee meetings.

The Identity Theft Program Procedures are available on the Vice President for Administration and Finance website.

Approved by the Board of Visitors, March 26, 2010.
Revised and approved by the Board of Visitors, December 3, 2010.
Revised and approved by the Board of Visitors, June 14, 2013.