4.7 - Identity Theft Prevention Policy

Last updated on May 24, 2023

POLICY:

The protection of Confidential and Sensitive Information assets and the resources that support them is critical to the operation of Spoon River College. As information assets are handled, they are exposed to threats such as employee error, malicious or criminal actions, theft, and fraud. Such events could cause Spoon River College to incur a loss of confidentiality or privacy, financial damages, fines, and penalties.

The purpose of this policy is to reduce the risk of a loss or breach of Confidential and Sensitive Information through guidelines designed to detect, prevent, and mitigate loss due to errors or malicious behavior.  Spoon River College recognizes that absolute security against all threats is an unrealistic expectation.  Therefore, the goals of risk reduction and implementation of this policy are based on:

These policy guidelines were derived through a risk assessment of Spoon River College methods of handling Confidential and Sensitive Information.  Determination of appropriate security measures must be a part of all operations and shall undergo periodic evaluation.

SCOPE:

This policy applies to employees and service providers of Spoon River College. This includes all parties that may come into contact with Confidential and Sensitive Information (CSI), including, but not limited to, contractors, consultants, vendors, temporaries, and personnel of third-party affiliates.

Spoon River College will implement and enforce these policies, as well as design more specific or new guidelines as needed.

DEFINITIONS:

Confidential and Sensitive Information (CSI):  CSI is data that is protected by federal, state, or local law or contractual obligation, or that is specifically designated as confidential by the College. Information is also considered CSI if its loss, misuse, or unauthorized disclosure or alteration might cause substantial injury to the College, its constituents, and/or affiliates in terms of financial loss, reputational damage, operational capability, and/or significant embarrassment. Examples of CSI include, but are not limited to:

  1. Personal Information
    1. Social Security Number
    2. Date of Birth
    3. Driver’s License Information
    4. Professional License Information
    5. Paychecks, Pay stubs, Pay rates
    6. Passport Information
  2. Financial Information
    1. Credit Card Numbers
    2. Credit Card Expiration Dates
    3. Credit Card CCV Numbers
    4. Bank/Credit Union Account Numbers
    5. Credit Reports
    6. Billing Information
    7. Payment History
  3. Medical Information
    1. Medical Records
    2. Doctor Names and Claims
    3. Health, Life, Disability Insurance Policy Information
    4. Prescription Information
  4. Business Information
    1. Federal ID Numbers
    2. Business Systems
    3. Security Systems
    4. Employee Identifiers
    5. Access Numbers / Passwords
    6. Student Identifiers
    7. Vendor Numbers
    8. Account Numbers

Account:  An account is a body of information, or a record, on an individual, group, or entity that is kept for the purpose of transacting on an on-going basis with another individual, group, or entity.  The terms “accounts” and “records” are used interchangeably because they share similar functions and characteristics.  Both contain identifiable information on an individual, group, or entity.  They each allow for access to products or services, and keep a history of transaction activity.

Board of Trustees: The collective body of elected officials charged with directing the operations of Spoon River College.

Covered Account:  Both new and existing accounts where a continuing relationship exists between the College and the customer are considered “covered accounts.”  There are two definitions.

  1. An account that the College offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions. Examples include a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account.
  2. Any other account that the College offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the College from identity theft, including financial, operational, compliance, reputation or mitigation risks.

Electronic or Soft Copy Format: Electronic or Soft Copy Format refers to any CSI that exists electronically on CDs, DVDs, phones, computers, networks, portable devices, etc.

Hard Copy Format: Hard Copy Format refers to any CSI that exists physically on paper.

Physical Access Zone: A physical access zone is a clearly defined physical or implied boundary established to control and limit access to CSI areas.

Red Flags: Red Flags are patterns, practices, or specific activities involving covered accounts that indicate the possible risk of identity theft.

Service Provider: A service provider is any individual, group, or entity that directly provides a service to Spoon River College or on behalf of Spoon River College for its customers or clients.

Spoken Word: Spoken Word refers to the transfer of CSI verbally or audibly through electronic media.

DETAILS:

  1. Roles and Responsibilities:
    1. Board of Trustees: The board is responsible for the design, implementation, and oversight of the Information Security Program. However, if it is not feasible for the board to be directly involved, it may appoint a member of administration to be charged with these responsibilities. This designated Information Security Officer (ISO) generally advises the board on policy decisions. The ISO must report to the board at least annually on the state of the Information Security Program.
    2. The ISO is responsible for the following:
      1. Risk Assessment: Conduct periodic risk assessments in the areas of operations where CSI is handled.
      2. Design: Design, implement, and regularly monitor safeguards which protect all CSI owned or entrusted to the College.
      3. Implementation: Provide ongoing training to employees on the proper handling of CSI.
      4. Monitor: Evaluate the policy and procedures regularly.
      5. Enforce: Take necessary disciplinary action when employees break the CSI protocol.
      6. Regularly evaluate and adjust the Information Security Program in light of changes in the College environment.
      7. Response Plan: Create an incident response plan to respond to security incidents.
    3. Employees: All personnel are responsible for adhering to this policy and for reporting any security incidents to the ISO immediately.
    4. Service Providers: The level of responsibility given to service providers for security reasons depends on the scope of their service offering. Each will be responsible according to their direct or indirect access to information. In either case, service providers will be held accountable for their conduct and agreements must delineate where Spoon River College liability ends and where the service provider liability begins.
      1. Direct Access to Information: A service provider is considered to have direct access to information when they perform an activity with employee or customer information on behalf of Spoon River College. If information is shared, then the service provider must have an Information Security Policy that complies with or exceeds the laws of our industry.
      2. Indirect Access to Information: A service provider is treated differently when they have indirect access to information. These are service providers that are working in the proximity of CSI in the business, but their function does not involve sharing information. In this type of relationship, the service provider must comply with this Information Security Policy.
  2. Guidelines: The following policy guidelines cover issues related to the collection, retention, transfer, and destruction of CSI.
    1. Physical Access Zones: Spoon River College will establish, maintain, and enforce physical access zones in all of its facilities to control and limit access to CSI areas.  There are four types of color-coded zones, each with different access requirements.
      1. Green Zones. Green zones are low priority public areas where everyone has access.  This would include hallways, reception area, cafeteria, and student lounge areas.
      2. Yellow Zones. Yellow zones are moderate priority operational or information processing areas.  Service providers, customers, and visitors must be accompanied by an employee. This would include employee offices not considered red zones, classrooms, bookstore, LRC, and general maintenance areas.
      3. Red Zones. Red zones are high priority areas containing proprietary information, record storage, or databases.  Access is limited to authorized employees only.  All others must be identified, verified, and escorted at all times.  This would include human resources, student records areas, maintenance storage area, data center, financial aid, and business offices.
      4. Grey Zones. Grey zones are transition zones where risk fluctuates as CSI enters and leaves.  The transition zone takes on the characteristics of other zone requirements when CSI is introduced.  This would include conference centers and vehicles.
    2. Information Storage: Storing CSI is a normal function of conducting business at Spoon River College.  College representatives shall store CSI only for legitimate business needs related to their individual job responsibilities.
      1. Hard Copy Storage:
        1. On-site Storage: On-site storage refers to CSI stored within any Spoon River College facility.
          • Employees Personal Belongings: Spoon River College generally provides personnel with a secure place to store personal belongings. Employees are responsible for keeping personal items secure during work hours.
          • CSI Stored in a Workspace: Confidential and Sensitive Information stored in an office, cubicle, reception area, cash register, or other workspace must be kept in locked desks, cabinets, closets, or safes when not in use.
          • File Rooms and Storage Rooms: File and storage room doors must be closed and locked when unattended by authorized personnel.
          • Records Storage: College, student, transaction, and service provider records will only be stored when there is a legitimate business need. Any records in storage beyond the legal statute of limitations will be appropriately disposed of by designated employees.
      2. Soft Copy Storage: College representatives shall only store CSI on Spoon River College authorized computers, telecommunications, or other electronic devices. A list of approved equipment will be maintained by the College’s ISO.
        1. Encryption: The College does not have access to encryption software. Therefore, employees are prohibited from downloading, transmitting, selling, or providing information determined to be confidential or proprietary to Spoon River College.
        2. Portable Electronic Devices: Storage of CSI on portable electronic devices is prohibited.
    3. Destruction:
      1. Hard Copy Destruction: All hard copy CSI will be shredded in compliance with the College’s record retention and disposal policy.
        1. In-house Destruction: Cross cut or confetti style shredders will be made conveniently available to employees who handle Spoon River College’s CSI at the Havana Center, Rushville Center, Macomb Outreach Center, and the Canton Outreach Center.
          • Shredding is the responsibility of every employee and should occur every day.
        2. Destruction Service Providers:  All destruction service providers must comply with the service provider oversight policies in this Information Security Policy.
          • Spoon River College has outsourced its shredding of confidential material generated on the Canton and Macomb Campuses to an onsite shredding company.
          • Locked shredding containers have been conveniently located in Canton in the Business Office, Human Resources Office, Financial Aid Office, Mailroom, and Student Accounts Office.  In Macomb, containers have been placed in the Business Office and Student Services Office.
          • Hard copy material waiting to be shredded will be maintained in locked and secured boxes labeled “Confidential Shred Material.”
          • All destruction service providers must be National Association of Information Destruction, Inc. (NAID, Inc) Certified.
          • Shredding will be onsite and occur every 8 weeks.
          • Spoon River College must be provided a certificate of destruction every time material is released to be destroyed.
      2. Electronic Data Destruction: Any electronic document containing CSI must be destroyed securely. Secure disposal of College hardware is critical to protecting CSI.  For this reason, the disposal of computer equipment is addressed as follows.
        1. All computers, telecommunications, or electronic devices must be “sanitized” or “wiped clean” before being sold, donated, or discarded. An Information Technology professional is designated for this function.
        2. For computers that are non-functional, the hard drive or other internal data memory is removed for physical destruction.
        3. Network devices such as switches, routers, and wireless access points are reset to factory defaults before disposal.
    4. Transferability
      1. Spoken Word:
        1. College representatives must identify and verify callers as authorized before releasing any CSI over the phone.
        2. College representatives may not release any CSI to a third party unless the third party was previously authorized in writing.
        3. Employees may only discuss CSI with Spoon River College authorized individuals for a legitimate business purpose.
        4. Under no circumstances are college representatives permitted to leave CSI messages on voicemail systems.
      2. Hard Copy Transferability
        1. Clean Desk Policy: College representatives shall keep desks and workspaces clear of CSI when not in use.
        2. Dry Erase and Bulletin Boards: Employees must not print, post, or make known any CSI on any dry erase boards or bulletin boards in public or operations areas. Dry erase boards must be wiped clean after every use.
        3. Transporting Information: The physical transfer of CSI from one site to another is prohibited. All CSI must be scanned on one of the College’s convenience scanners and emailed to its intended destination via the College’s secure email.
      3. Soft Copy Transferability
        1. Personal Electronic Devices: College representatives and service providers are permitted to bring personal electronic devices into Spoon River College facilities in compliance with the College’s Technology and Network Services Policy.
        2. E-mail Transferability: Employees shall not send CSI materials via e-mail to any external sources.
        3. Portable Electronic Device Transferability: Storage of CSI on portable electronic devices is prohibited.
    5. Information Accessibility
      1. Hard Copy Accessibility
        1. Entrances and Exits: All facility entrances and exits that are determined not to be for public use will remain locked at all times, unless doing so would violate fire code.
        2. Surveillance Equipment: Spoon River College reserves the right to use cameras and other surveillance equipment to monitor public, operations, and restricted areas.
        3. Employee Authorization:
          • Every new employee will go through a background check and a screening process before being authorized to handle CSI.
          • Employees shall only handle CSI for a legitimate business purpose or as a function of their job responsibilities.
          • A written procedure and checklist will be used by the College to terminate access when an employee is terminated from service.
        4. Service Provider Accessibility: Service providers shall only handle CSI for a legitimate business purpose or as a function of their job responsibilities as stated in their service provider agreements.
    6. Soft Copy Accessibility
      1. Technology System Audits: Spoon River College will conduct periodic technology system audits to test the integrity of technology information systems no less than annually.
        1. Logging on and off Computers:
          • Only authorized personnel may log onto Spoon River College networks and equipment.
          • All personnel are required to lock or shut down computers when not in use.
        2. Passwords: Employees shall use a strong password or passphrase of at least 15 characters that contains a combination of numbers, upper- and lowercase letters, and special characters. Passwords should be changed no less than once every year. Passwords/passphrases:
          • must not contain the user’s first or last name.
          • must not be the same as any of the last three passwords.
        3. Personal Use of Technology Equipment: College technology and network services are intended for college business activities in compliance with the College’s Technology and Network Services Policy.
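The password rules under Soft Copy Accessibility above (15-character minimum, mixed character classes, no first or last name, no reuse of the last three passwords, yearly rotation) can be enforced mechanically at the point where a password is set. The following checker is an added example, not code from Spoon River College or from any system the policy names. It assumes, because the policy does not say how password history is kept, that previous passwords are stored as salted PBKDF2-HMAC-SHA256 hashes so that reuse can be detected without retaining plaintext, and it treats "special character" as any character that is not a letter or digit. The function, constant and sample names are all constructed for this illustration.

```python
"""Password-policy checker (added example; not Spoon River College code).

Assumptions not stated by the policy: password history is kept as salted
PBKDF2-HMAC-SHA256 hashes, and a "special character" is any character
that is not a letter or digit.
"""
import hashlib
import hmac
import re
import secrets
from datetime import date
from typing import List, Optional, Sequence, Tuple

MIN_LENGTH = 15              # policy: minimum of 15 characters
HISTORY_DEPTH = 3            # policy: not the same as any of the last three passwords
MAX_AGE_DAYS = 365           # policy: changed no less than once every year
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the stored history hashes

HashedPassword = Tuple[bytes, bytes]  # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> HashedPassword:
    """Derive a salted PBKDF2 hash so history can be compared without plaintext."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def reuses_previous(candidate: str, history: Sequence[HashedPassword]) -> bool:
    """True if the candidate equals any of the HISTORY_DEPTH most recent passwords."""
    recent = history[-HISTORY_DEPTH:]
    return any(
        hmac.compare_digest(hash_password(candidate, salt)[1], digest)
        for salt, digest in recent
    )


def check_password_policy(candidate: str, first_name: str, last_name: str,
                          history: Sequence[HashedPassword] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    violations: List[str] = []
    if len(candidate) < MIN_LENGTH:
        violations.append("too_short")
    if not re.search(r"[0-9]", candidate):
        violations.append("no_digit")
    if not re.search(r"[A-Z]", candidate):
        violations.append("no_uppercase")
    if not re.search(r"[a-z]", candidate):
        violations.append("no_lowercase")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        violations.append("no_special")
    # Name check is case-insensitive; empty names are skipped rather than matching everything.
    lowered = candidate.casefold()
    if any(name and name.casefold() in lowered for name in (first_name, last_name)):
        violations.append("contains_name")
    if reuses_previous(candidate, history):
        violations.append("reused")
    return violations


def rotation_overdue(last_changed_iso: str, today_iso: str) -> bool:
    """True once a password (dates as YYYY-MM-DD) is older than the yearly limit."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_changed).days > MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    history = [hash_password(p) for p in
               ("Winter-2021-Spoon!", "Spring-2022-River!", "Autumn-2022-Coll3ge!")]
    for pw in ("Autumn-2022-Coll3ge!", "Short1!", "Correct-Horse-Battery-7#"):
        print(pw, "->", check_password_policy(pw, "Ann", "Lee", history) or ["ok"])
    print("rotation overdue:", rotation_overdue("2022-01-01", "2023-05-24"))
```

Storing history as salted hashes rather than plaintext means the reuse check costs one PBKDF2 derivation per stored entry, which is acceptable for three entries and keeps the history file from becoming a second copy of the secret; `hmac.compare_digest` avoids leaking which entry matched through timing.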
    7. Plan for a Loss or Breach
      1. Information Security Audits: The Information Security Team is authorized to conduct security audits of any area containing CSI at any time to ensure the safety and security of that information.
      2. Discovery of a Breach in the Workplace
        1. Employee Protocol
          • Do not disturb the area;
          • Secure the area;
          • Notify supervisor;
          • Document the event;
          • Use a Suspicious Activity Report (SAR);
          • Submit to Supervisor.
        2. Supervisor Protocol
          • Ensure affected area is secure. Do not let anyone use the phone or computer in that area;
          • Gather relevant information concerning the incident;
          • Interview witness(es);
          • Contact Identity Theft Prevention Officer;
          • Submit SAR to Identity Theft Prevention Officer.
        3. Identity Theft Prevention Officer Protocol
          • Determine that there is a breach;
          • Review SAR;
          • Interview witness(es);
          • Notify Vice President of Administrative Services;
          • Contact college attorney;
          • Make a police report;
          • Notify potential victims according to legal statutes;
          • Notify the College Information Office.
      3. Discovery of a Breach through Accusation
        1. Employee Protocol
          • Be sympathetic to the potential victim;
          • Do not confirm or deny their allegations;
          • Document the conversation;
          • Use a Suspicious Activity Report (SAR);
          • Document contact information;
          • Inform them that the Identity Theft Prevention Officer will contact them.
        2. Identity Theft Prevention Officer Protocol
          • Interview Employee Witness(es);
          • Review SAR;
          • Contact potential victim;
          • Ask them to reiterate their story;
          • Assure them that you will look into it;
          • Notify Vice President of Administrative Services;
          • Contact college attorney;
          • Determine that there is a breach;
          • Assess the extent of damage;
          • Make a police report;
          • Notify potential victims according to legal statutes;
          • Notify College Information Office.
    8. Suspicious Behavior
      1. College representatives shall document and confidentially report to the Identity Theft Prevention Officer any suspicious behavior of other employees, customers, service providers, or visitors.
      2. Employees should challenge, verify, and escort any visitor or service provider found in or requesting access to a non-public area. Employees should get assistance and are not expected to engage in a situation if they are in fear of their physical safety.
    9. Transaction Identification and Verification: Spoon River College requires college representatives to verify adequate means of identification from a person before they can transact business with a check, credit card, or debit card on behalf of themselves, a group, or an entity.
      1. Personal or College Check Transactions: College representatives must not accept a check for payments without adequately verifying any of the following current and non-expired forms of identification.
        1. US State Driver’s License
        2. US State Picture ID
        3. US Passport
        4. US Military ID
        5. US Federal ID
        6. Alien Registration Card
        7. Physical Address
        8. Phone Number
        9. Valid Signature
        10. Other
      2. Credit or Debit Card Transactions: College representatives must not accept credit card or debit card payments without adequately verifying any of the following current and non-expired forms of identification.
        1. US State Driver’s License
        2. US State Picture ID
        3. US Passport
        4. US Military ID
        5. US Federal ID
        6. Alien Registration Card
        7. Physical Address
        8. Credit / Debit Card Number
        9. Expiration Date
        10. CVC2 / CVV2 / CID
        11. Valid Signature
        12. Other
    10. New and Existing Account Identification and Verification: College representatives shall make a reasonable effort to identify and verify each customer’s identity when opening new accounts or accessing existing accounts.
      1. New Accounts: Opening new accounts requires the following identifying information, document verification, and non-document verification.
        1. Identifying Information
          • Legal Name
          • Date of Birth
          • Physical Address
          • Social Security Number
          • EIN
          • Passport and Country of Issuance
          • Alien Identification Card Number
          • Power of Attorney
          • Other
        2. Verification with Documents: When opening new accounts college representatives may request two sources of identification, one primary and one secondary.
          • Primary Identification
            • US State Picture Driver’s License
            • US State Picture Issued ID Card
            • US Passport
            • US Military Picture ID
            • Federal Picture ID
            • Alien Registration Card
            • Other
          • Secondary Identification
            • Social Security card
            • Individual taxpayer identification card
            • EIN
            • Voter registration, state of residence
            • Birth Certificate
            • Credit card
            • Bank cards
            • Insurance Cards
            • College identification
            • Police identification
            • Temporary driver license
            • US Federal Government issued Permanent Resident Card
            • US Federal Government issued Employment Authorization
            • Utility Bill: telephone, electricity, gas, water
            • Court documents indicating custodian or fiduciary appointment
            • Other
        3. Non-Document Verification: College representatives must follow up document verification with non-document verification.  Acceptable forms of non-document verification are:
          • Letter of Welcome
          • Professional papers
          • Assumed name certificate
          • Business license
          • Criminal Background Check
          • Other
      2. Existing Accounts: Customer access to existing accounts requires the following identifying information, document verification, and non-document verification, depending upon the mode of access.
        1. Account Access in Person
          1. Verification with Documents: When a customer wishes to access existing accounts, college representatives may request two sources of identification, one primary and one secondary.
            • Primary Identification
              • US State Picture Driver’s License
              • US State Picture Issued ID Card
              • US Passport
              • US Military Picture ID
              • Federal Picture ID
              • Alien Registration Card
              • Other
            • Secondary Identification
              • Social Security card
              • Individual taxpayer identification card
              • EIN
              • Voter registration, state of residence
              • Birth Certificate
              • Credit card
              • Bank cards
              • Insurance Cards
              • State government
              • Local government
              • College identification
              • Police identification
              • Temporary driver license
              • US Federal Government issued Permanent Resident Card
              • US Federal Government issued Employment Authorization
              • Other
        2. Account Access On-Line
          • Customer Identifying Information
            • User ID
            • Password
        3. Account Access By Phone
          • Customer Identifying Information
            • Legal Name
            • Date of Birth
            • Student/employee ID Number
            • Social Security Number
        4. Account Access By Mail
          • Customer Identifying Information
            • Legal Name
            • Date of Birth
            • Physical Address
            • Student/employee ID Number
            • Social Security Number
            • Signature Guarantee
            • Other
    11. Red Flags
      1. Alerts, Notifications or Warnings from a Consumer Reporting Agency.
        1. A consumer reporting agency provides a notice of address discrepancy.
      2. Suspicious Documents
        1. Documents provided for identification appear to have been altered or forged.
        2. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
        3. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the information.
        4. Other information on the identification is not consistent with readily accessible information that is on file with the College.
        5. An application appears to be altered or forged, or gives the appearance of being reassembled.
        6. Other.
      3. Suspicious Identifying Personal Information
        1. Personal identifying information provided is inconsistent when compared to external information sources used by the College. For example: a) the address does not match any address on the consumer; or b) the Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File.
        2. Personal identifying information provided by the consumer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and the date of birth.
        3. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the College. For example: a) the address on an application is the same as the address provided on a fraudulent application; or b) the phone number on an application is the same as the number provided on a fraudulent application.
        4. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the College. For example: a) the address on an application is fictitious, a mail drop, or prison; or b) the phone number is invalid, or is associated with a pager or answering service.
        5. The SSN provided is the same as that submitted by other persons.
        6. The address or telephone number provided is the same as or similar to the address or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
        7. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
        8. Personal identifying information provided is not consistent with personal identifying information that is on file with the College.
        9. Other
      4. Unusual Use of, or Suspicious Activity Related to, the Covered Account
        1. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage, and other relevant factors).
        2. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account.
        3. The College is notified that the customer is not receiving paper account statements.
        4. The College is notified of unauthorized charges or transactions in connection with a customer’s covered account.
      5. Notice From Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection with Covered Accounts
        1. The College is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
    12. Red Flags Response
      1. Response to Alerts, Notifications or Warnings from a Consumer Reporting Agency: When a college representative is presented with an alert, notification or warning from a consumer reporting agency, they must act quickly in an effort to prevent or mitigate loss for the customer and Spoon River College.  Appropriate responses are as follows:
        1. Take additional steps to verify identity.
        2. Validate address.
        3. Document with a Suspicious Activity Report (SAR).
      2. Response to Suspicious Documents: In the course of business, a college representative may be presented with suspicious documents.  Appropriate responses are as follows:
        1. Verify using third party resources.
        2. Verify using existing account records.
        3. Decline or put a hold on an application.
        4. Decline or put a hold on account access.
        5. File a Suspicious Activity Report.
      3. Response to Suspicious Identifying Personal Information: When a person provides suspicious or inconsistent identifying information to a college representative, the response is as follows:
        1. Escalate verification to Supervisor.
        2. Decline or put account on hold.
        3. Decline or put a hold on account access.
        4. File a Suspicious Activity Report (SAR).
      4. Response to Unusual Use of, or Suspicious Activity Related to, the Covered Account: College representatives shall be vigilant in protecting customer accounts when transacting, servicing, or processing business.  When suspicious activity or unusual patterns emerge in covered accounts, the appropriate responses are as follows:
        1. Validate address.
        2. Decline or put a hold on account access.
        3. File a Suspicious Activity Report (SAR).
      5. Response to Notice From Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection with Covered Accounts: College representatives who are notified of a security incident by customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts must immediately inform the Identity Theft Prevention Officer and the Information Security Officer.  Appropriate responses are as follows:
        1. Decline or put hold on account access.
        2. File a Suspicious Activity Report (SAR).
        3. Notify existing customer on record.
        4. Open new account.
        5. Do not attempt to collect on the fraudulent account from the true identity.
        6. Cooperate with law enforcement.
        7. Other.
    13. Staff Training
      1. Staff training in relation to the Identity Theft Prevention program and its policies shall be conducted for all employees, temps, independent representatives, and contractors, both part-time and full-time, on a periodic basis.
      2. Staff members will receive additional training triggered by changes in policy, changes in their mode of operations, security incidents, and new information.
    14. Service Provider Oversight
      1. Spoon River College will periodically review all service provider agreements and activities.
      2. A service provider with direct access to CSI must provide proof of, and maintain, their own Identity Theft Prevention Program that is consistent with, or exceeds, industry regulations.
      3. A service provider that has indirect access to CSI shall comply with this Identity Theft Prevention policy.
  3. Enforcement: Any employee, temporary, contractor, or consultant found in violation of this policy may be subject to disciplinary action, up to and including termination of employment.