
Identity Theft Prevention Program: Red Flags Rule

I.   Background

Illinois Eastern Community Colleges' (IECC) Identity Theft Prevention Program was adopted in 2009 by the Board of Trustees in response to a regulation issued by the Federal Trade Commission known as the Red Flags Rule (Fair and Accurate Credit Transactions Act of 2003 Sections 114 and 315). Under the Rule, every financial institution and creditor with covered accounts must establish an identity theft prevention program to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.

II.  Definitions

Red Flag – A pattern, practice, or specific activity that indicates the possible existence of identity theft.

Identity Theft – A fraud committed or attempted using the identifying information of another person without authority.

Covered Account – A consumer account designed to permit multiple payments or transactions. These are accounts where payments are deferred and made periodically over time such as a tuition and fee installment payment plan.

Creditor – Someone who regularly extends, renews, or continues credit. Illinois Eastern Community Colleges is considered a creditor due to our participation in the following activities: 

  • Offering institutional loans to students or employees;
  • Offering students a plan of payment rather than requiring full payment prior to the beginning of the semester.

Personal Identifying Information – Refers to any information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying data. This includes, but is not limited to:

  • Full name
  • Home address
  • Email address
  • Telephone number
  • Social Security number (SSN)
  • Student or Employee identification number
  • Date of birth
  • Driver’s license number or government-issued identification number
  • Alien registration number
  • Passport number
  • Employer or taxpayer identification number
  • Bank account number
  • Credit or debit card number
  • Computer’s Internet Protocol (IP) address or routing code

III. Identification and Examples of Red Flags

In order to identify relevant Red Flags, IECC has reviewed the types of accounts offered and maintained, the methods provided to open and access these accounts, and previous experiences with identity theft. IECC identified the following Red Flags in the five categories listed.

Notifications and Warnings from a Consumer Reporting Agency

  • A fraud or active-duty alert included with a consumer report;
  • A notice of credit freeze from a consumer reporting agency in response to a request for a consumer report;
  • A notice of address discrepancy from a consumer reporting agency in response to a credit report request; or
  • A consumer report that indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant, such as:
    • A recent and significant increase in the volume of inquiries;
    • An unusual number of recently established credit relationships;
    • A material change in the use of credit, especially with respect to recently established credit relationships; or
    • An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Suspicious Documents

  • Documents provided for identification that appear to be altered, forged, or inauthentic;
  • The photograph or physical description on the identification is not consistent with the appearance of the individual presenting the identification;
  • Other information is not consistent with information provided by the student/employee;
  • Other information on the identification is not consistent with readily accessible information that is on file with IECC, such as a signature on a registration form or other document;
  • An application appears to have been altered or forged or gives the appearance of having been destroyed and reassembled.

Suspicious Personal Identifying Information

  • Personal identifying information provided is inconsistent when compared against external information sources used by IECC (such as inconsistent birth dates or addresses);
  • Personal identifying information presented is inconsistent with other sources of information (such as an address not matching the address on a credit report);
  • Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by IECC. For example:
    • The address matches one previously provided on a fraudulent document, or
    • The phone number matches one previously provided on a fraudulent document.
  • Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by IECC. For example:
    • The address is fictitious, a mail drop, or a prison; or
    • The phone number is invalid.
  • The SSN provided is the same as that submitted by another student or employee;
  • The address or telephone number provided is the same as or similar to the address or telephone number submitted by an unusually large number of other students or employees;
  • The student or employee fails to provide all required personal identifying information on a document or in response to notification that the information is incomplete;
  • Personal identifying information provided is not consistent with personal identifying information that is on file with IECC;
  • When using security questions (e.g., mother’s maiden name, pet’s name), the student or employee cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Suspicious Account Activity or Unusual Use of Covered Account

  • Shortly following the notice of a change of address for a covered account, IECC receives a request for the addition of other authorized users on the account;
  • A covered account is used in a manner commonly associated with patterns of fraud. For example, the individual fails to make the first payment or makes an initial payment but no subsequent payments;
  • A covered account is used in a manner that is not consistent with established patterns of activity on the account. For example, nonpayment when there is no history of late or missed payments or a material change in usage patterns;
  • A covered account that has been inactive for a reasonably lengthy period of time is used;
  • Mail sent to the student or employee is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the covered account;
  • IECC is notified that the student or employee is not receiving paper account statements;
  • IECC is notified of unauthorized charges or transactions in connection with the covered account.

Alerts from Others

  • IECC is notified by a student or employee, a victim of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by IECC.

IV. Detecting Red Flags

New Accounts

In order to detect any of the Red Flags identified above associated with the opening of a new covered account, IECC staff will take the following steps to obtain and verify the identity of the individual opening the account:

  • Require certain identifying information such as name, date of birth, residential or business address, mother’s maiden name, or other identification;
  • Verify the individual’s identity by reviewing driver’s license or other government-issued photo identification;
  • Independently contact the individual.

Existing Accounts

In order to detect any of the Red Flags identified above for an existing covered account, IECC staff will take the following steps to monitor transactions on an account:

  • Verify the identification of students or employees if they request information in person, via telephone, via facsimile or via email;
  • Verify the validity of requests to change billing address by mail or email and provide the student or employee with a reasonable means of promptly reporting incorrect billing address changes;
  • Verify changes in banking information given for billing and payment purposes.

V. Reporting Red Flags

Immediate response is essential when reporting an incident involving a Red Flag. The following outlines the reporting process.

Step 1  
Student Affairs Division: Report Red Flags to the Associate Dean of Admissions and Records.
Financial Aid Staff: Report Red Flags to the Program Director of Financial Aid.
Business Office Staff: Report Red Flags to the Director of Financial Operations.
Human Resources Staff: Report Red Flags to the Executive Director of Human Resources.
Information Technology Staff: Report Red Flags to the Chief Information Officer.

Step 2  
Those receiving a report of a Red Flag must provide details to the Chief Financial Officer (CFO) within one business day, including a proposed plan for response and mitigation. The recipient may request assistance from the CFO and/or the Identity Theft Prevention Team in developing and implementing the response.

Step 3  
The CFO reports all Red Flag detections to the Program Administrator for review and inclusion in the annual Identity Theft Prevention Report.

VI. Preventing and Mitigating Identity Theft

Responding to a Red Flag

In the event IECC staff detect any identified Red Flags, appropriate steps to respond and mitigate shall be instituted depending upon the nature and degree of risk posed by the Red Flag, including but not limited to the following:

  • Continue monitoring a covered account for evidence of identity theft;
  • Contact the student or employee;
  • Change any passwords, security codes, or other security devices that permit access to a covered account;
  • Reopen a covered account with a new account number;
  • Provide the student or employee with a new identification number;
  • Do not open a new covered account;
  • Close an existing covered account;
  • Do not attempt to collect on a covered account or do not sell a covered account to a debt collector;
  • Notify law enforcement; or
  • Determine that no response is warranted under the particular circumstances.

Protecting Identifying Information

In order to prevent and mitigate identity theft, IECC will take the following steps with respect to internal operating procedures to protect identifying information:

  • Ensure IECC website is secure or provide clear notice that the website is not secure;
  • Ensure complete and secure destruction of paper documents and computer files containing personal account information when a decision has been made to no longer maintain such information;
  • Ensure office computers with access to covered account information are password protected;
  • Limit use of social security numbers;
  • Ensure computer virus protection is up to date;
  • Implement and maintain cyber security managed detection and response (MDR) and managed risk (MR) systems to improve overall cyber security posture;
  • Require and keep only the kinds of personal information necessary for IECC purposes; and
  • Provide Release of Student Information Guidelines, as appropriate, to new staff members.

 

VII. Program Administration

Program Oversight

The Board of Trustees of Illinois Eastern Community Colleges is responsible for the proper implementation of an Identity Theft Prevention Program and has delegated the operational oversight to the Identity Theft Prevention Team.

Identity Theft Prevention Team

The Identity Theft Prevention Team consists of the following personnel:

  • Chief Financial Officer
  • Program Director of Grants & Compliance (Program Administrator)
  • Associate Dean of Admissions & Records
  • Chief Information Officer
  • Director of Financial Operations
  • Executive Director of Human Resources
  • Program Director of Financial Aid

This team is responsible for developing, implementing, monitoring, and updating the program as necessary. The Identity Theft Prevention Team shall name a Program Administrator who is responsible for:

  • Ensuring appropriate training of IECC staff on the Program;
  • Reviewing Red Flag reports received from the CFO and notifying the team, as necessary, if any additional or district-wide measures should be taken; and
  • Coordinating an annual review of the Program.

Annual Review

An annual review of the Program is essential to ensure it remains effective in detecting, preventing, and responding to identity theft. The Team will evaluate the success of current safeguards and make recommendations.

Identity Theft Prevention Report

The annual review will result in an Identity Theft Prevention Report prepared by the Program Administrator and provided to the Team. The CFO is responsible for submitting the Report to the Strategic Engagement Planning Council (SEPC) as an Informational Item.

This Identity Theft Prevention Report will, at a minimum:

  • Detail incidents of identity theft that have occurred since the previous year’s Report and IECC’s corresponding responses;
  • Summarize the overall effectiveness of the program; and
  • Include any significant changes to the Program.

Program Updates

Based on the annual review and resulting report, the Identity Theft Prevention Team may periodically update this Program to address evolving risks to covered accounts and to protect the integrity of IECC against identity theft. In doing so, the Team shall consider IECC’s experiences with identity theft situations, changes in identity theft methods, changes in identity theft detection and prevention methods, and changes in IECC’s business arrangements with others.

Training

The Program Administrator is responsible for ensuring appropriate staff, as determined by the Team, receive adequate training and for maintaining records of all training activities. Training shall include detection and recognition of Red Flags and action steps to be taken when a Red Flag is detected. To ensure maximum effectiveness, staff will continue to receive additional training as changes to the Program are made.

Service Provider Arrangements

In the event IECC engages a service provider to perform an activity in connection with one or more covered accounts, the CFO will take the following steps to ensure the service provider performs its activity in accordance with policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.

  1. Require, by contract, that service providers have such policies and procedures in place; and
  2. Require, by contract, that service providers review IECC’s Identity Theft Prevention Program and report any Red Flags to the IECC employee with primary oversight of the service provider.