Maricopa Steward
Red Flag Rules
In accordance with the provisions outlined in the Federal Trade Commission’s Red Flag Rule, which implements Section 114 of the Fair and Accurate Transactions Act (FACTA) of 2003, the Maricopa County Community College District adopted a new Board policy titled Identify Theft Red Flag and Security Incident Reporting on September 22, 2009.
The policy establishes that the District implement a program for Identity Theft Prevention. The purpose of the program is to provide information that will assist individuals in detecting, preventing and mitigating identity theft in connection with the opening of a “covered account” or any existing “covered account” or who believe that a security incident has occurred, and to provide information for the reporting of a security incident. Key components of the policy follow.
Definitions
- Covered Account – is a consumer account that involves multiple payments or transactions in arrears such as a loan that is billed or payable monthly.
- Creditor – is a person or entity that regularly extends, renews, or continues credit and any person or entity that regularly arranges for the extension, renewal or continuation of credit.
- Personal Information – is specific information that represents a legal or personal identity or that could result in public impersonation of identity or identity theft if such information were stolen or compromised.
- Red Flag – is a pattern, practice or specific activity that indicates the existence of identity theft or possible attempted fraud via identity theft on covered accounts.
- Security Incident – is a collection of related activities or events which provide evidence that personal information could have been acquired by an unauthorized person.
Red Flags
In order to identify relevant red flags, the MCCCD considers the types of accounts that it offers and maintains, the methods provided to open accounts, the methods provided to access accounts , as well as previous experiences with identity theft. The following categories are identified as red flags:
- Alerts, notifications or warnings from a consumer reporting agency including fraud alerts, credit freezes or official notice of address discrepancies.
- The presentation of suspicious documents such as those appearing to be forged or altered, or where the photo ID does not resemble its owner, or an application that appears to have been cut up, reassembled and photocopied.
- The presentation of suspicious personal identifying information such as a photograph or physical description on the identification that is not consistent with the appearance of the student presenting the identification; discrepancies is address, Social Security Number, Student ID, or other information on file; an address that is a mail-drop, a prison, or is invalid, a phone number that is likely to be a pager or answering service; and/or failure to provide all required information.
- Unusual use or suspicious account activity that would include material changes in payment patterns, notification that the account holder is not receiving mailed statement, or that the account has unauthorized charges.
- A request to mail something to an address that is not on file.
- Notice received from students, victims of identity theft, law enforcement, other persons regarding possible identity theft in connection with covered accounts.
Detection of Red Flags
The detection of red flags in connection with the opening of covered accounts and the processing of existing accounts can be made through internal controls such as:
- Obtaining and verifying the identity of a person opening and using an account
- Authenticating customers
- Monitoring transactions
- Verifying the validity of change of address requests for existing covered accounts
Response to Red Flags
Maricopa’s Identity Theft Prevention Program shall provide for appropriate responses to detected red flags in order to prevent and mitigate identity theft. This would include:
- Monitoring covered accounts for evidence of identity theft;
- Denying access to a covered account until other information is available to eliminate the identified red flag, or close the existing covered account;
- Notify the customer;
- Change any passwords, security codes or other security devices that permit access to a covered account;
- Close an existing account;
- Reopen a covered account with a new account number;
- Notify law enforcement if suspected illegal activity;
- Determine if no response is warranted given the particular circumstances.
Security Incident Reporting
An employee who believes that a security incident has occurred shall immediately notify their appropriate supervisor and the Program Manager. After normal business hours, notification shall be made to the college public safety office.
Service Providers Oversight
The Maricopa County Community College District remains responsible for compliance with the Red Flag Rules even in instances where services are outsourced to a third party. The written agreement between the MCCCD and the third party service provider shall require the third party to have reasonable policies and procedures designed to detect relevant Red Flags that may arise in the performance of their service activities. The written agreement must also indicate whether the service provider is responsible for notifying the MCCCD of the detection of a Red Flag or if the service provider is responsible for implementing appropriate steps to prevent or mitigate identity theft.
Program Oversight
The Chancellor shall designate a program administrator. The Program Administrator shall exercise appropriate and effective oversight over the Program and shall report regularly to the Governing Board and the Chancellor on the Program. The program administrator shall be responsible for developing, implementing and updating the Program throughout the Maricopa district. The Program Administrator shall be responsible for ensuring the appropriate training of college and district employees, reviewing staff reports regarding the detection of Red Flags and implementing steps to identify, prevent and mitigate identity theft.
Co-chairs for administering the new program are Kim Granio, Director Financial Services and Controller and Dr. Sylvia Manlove, Associate Vice Chancellor for Academic and Student Affairs.
The full Board policy can be found here.
Questions or comments?
Contact Teresa Toney @ 480.731.8084
Office of General Counsel
2411 West 14th Street
Tempe, AZ 85281-6942
480.731.8877 / 480.731.8890 fax
© Maricopa County Community College District. All Rights Reserved.