Policy 4-006 Rev: 0
Date: May 12, 2009

Policy 4-006: Identity Theft Prevention Program

  1. Purpose and Scope
    1. This policy outlines the requirements for complying with the Fair and Accurate Credit Transaction Act of 2003 to prevent, mitigate, and respond to Identity Theft. This policy applies to all “Covered Accounts” and to University departments that defer payments, allow multiple payments over time, or use credit reports for employment or credit decisions.
  2. Definitions
    1. Covered Account means a financial account used mostly for personal, family, or household purposes, and that involves deferred or multiple payments or transactions. Covered accounts include credit card payments, checking or savings accounts, cell phone accounts, and those where the University has extended credit to individual students, staff, faculty, patients, or visitors. A covered account is also an account for which there is a foreseeable risk of identity theft.
    2. Identity Theft means a fraud committed using the identifying information of another person.
    3. Red Flag means a pattern, practice, or specific activity that indicates the possible risk of identity theft.
  3. Policy
    1. The IT Compliance Office will develop, routinely update, and distribute guidance which outlines methods of detecting Identity Theft Red Flags. In developing the guidance, the following will be considered:
      1. Experience with Identity Theft;
      2. Changes in methods of Identity Theft; or
      3. Changes in methods to detect, prevent, and mitigate Identity Theft.
    2. Departments that have covered accounts shall review the published guidance and, based on it, update the policies and procedures relevant to their operations to reflect changes in risk.
    3. The IT Compliance Office shall also periodically assess departments to ensure compliance and, where gaps exist, assist departments in coming into compliance.
    4. The IT Compliance Office shall provide training to all departments identified as having covered accounts.
    5. The University Chief Information Officer provides oversight for this program, after written approval from the Board of Trustees has been obtained.
  4. Procedures, Guidelines, Forms and other related resources
    1. Procedures
    2. Guidelines
      1. Memo Re: University Compliance with the Fair and Accurate Credit Transaction Act of 2003
    3. Forms
    4. Other related resource materials
  5. References
    1. Policy 4-004, University Information Technology Resource Security Policy
    2. Policy 4-001, University Institutional Data Management Policy
    3. Fair and Accurate Credit Transaction Act of 2003 (FACTA)
    4. Federal Trade Commission 16 CFR Part 681, Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003
  6. Contacts:
    1. Policy Officer:
      1. Chief Information Officer, 801-581-3100
    2. Policy Owner:
      1. Chief Information Security and Privacy Officer, 801-587-9241
      2. IT_Policy@utah.edu
  7. History:
    1. Current version: Revision 0
    2. Presented for the information of the Academic Senate: May 4, 2009
    3. Approved by the Board of Trustees: May 12, 2009