General Policies & Procedures
Record Retention Policy
Identity Theft Prevention Program
Union College ("College") developed this Identity Theft Prevention Policy ("Program") in response to a growing problem of identity theft, endeavors to safeguard personal and private information of its faculty, staff, students, vendors and donors. Additionally, the College understands the importance of complying with applicable federal regulations pursuant to the Federal Trade Commission's Red Flags Rule ("Rule"), which implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003.
The purpose of this policy is to establish an Identity Theft Prevention Program designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or an existing covered account and to provide for continued administration of the Program. The Program shall include reasonable policies and procedures to:
- 1. Identify relevant red flags for covered accounts it offers or maintains and incorporate those red flags into the program;
- 2. Detect red flags that have been incorporated into the Program;
- 3. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
- 4. Ensure the Program is updated periodically to reflect changes in risks to Students and to the safety and soundness of the creditor from identity theft.
The program shall, as appropriate, incorporate existing policies and procedures that control reasonably foreseeable risks.
Identify theft means fraud committed or attempted using the identifying information of another person without authority.
A "Covered Account" includes all student accounts or loans that are administered by the College.
A red flag means a pattern, practice or specific activity that indicates the possible existence of identity theft.
The "Program Administrator" is the individual designated with primary responsibility for oversight of the program.
"Identifying information" is any name or number that may be used to identify a specific person," including name, address, telephone number, social security number, date of birth, employer or tax identification number, student ID number, driver's license number or passport number.
Union College has identified eight types of accounts, five of which are covered accounts administered by the College and three types of account that are administered by a service provider.
College covered accounts:
- 1. Refund of credit balances involving PLUS loans
- 2. Refund of credit balances, without PLUS loans
- 3. Deferment of tuition payments
- 4. Institutional loans
- 5. Perkins loans
- 6. Direct Loans
Service provider covered account:
- 1. Tuition payment plan administered by AMS (SallieMae).
- 2. Tuition payment plan administered by TMS (Key Bank).
- 3. Loan billing and collection services administered by ECSI.
Refer to "Oversight of Service Provider Arrangements" on page 5.
Identification of Relevant Red Flags
The Program considers the following risk factors in identifying relevant red flags for covered accounts:
- 1. The types of covered accounts as noted above;
- 2. The methods provided to open covered accounts-- acceptance to the College and enrollment in classes requires the all of the following information:
- (a) Common application with personally identifying information
- (b) high school transcript
- (c) official ACT or SAT scores
- (d) two letters of recommendation
- (e) Entrance Medical Record
- 3. The methods provided to access covered accounts:
- (a) Disbursement obtained in person require picture identification
- (b) Disbursements obtained by mail can only be mailed to an address on file
- 4. The College's previous history of identity theft.
The Program identifies the following red flags:
- 1. Documents provided for identification appear to have been altered or forged;
- 2. The photograph or physical description on the identification is not consistent with the appearance of the student presenting the identification;
- 3. A request made from a non-College issued email account;
- 4. A request to mail something to an address not listed on file; and
- 5. Notice from customers, victims of identity theft, law enforcement authorities, credit reporting agencies or other persons regarding possible identity theft in connection with covered accounts.
- 6. Identifying information is inconsistent with other information provided by the student. (Examples:. Birth date, address, social security number, name)
Detection of Red Flags
The Program will detect red flags relevant to each type of covered account as follows:
- 1. Refund of a credit balance involving a PLUS loan - As directed by federal regulation (U.S. Department of Education) these balances are required to be refunded in the parent's name and mailed to their address on file within the time period specified. No request is required. Red Flag - none as this is initiated by the College.
- 2. Refund of credit balance, no PLUS loan - requests from current students must be made in person by presenting a picture ID or in writing from the student's college issued email account. The refund check can only be mailed to an address on file or picked up in person by showing picture ID. Refunds to students not currently enrolled or graduated from the college are mailed to the primary address as defined by the student. Red Flag - Picture ID not appearing to be authentic or not matching the appearance of the student presenting it. Request not coming from a student issued email account.
- 3. Deferment of tuition payment - requests require the student's signature. Red Flag - none.
- 4. Institutional, Perkins and Direct loans - Proceeds are credited directly to the named student account. Requests must be made in person by presenting a picture ID or in writing from the student's college issued email account. The loan refund check can only be mailed to an address on file or picked up in person by showing picture ID. Red Flag - Picture ID not appearing to be authentic or not matching the appearance of the student presenting it. Request not coming from a student issued email account.
- 5. Tuition payment plan - Students must contact an outside service provider and provide personally identifying information to them. Union College uses a unique seven (7) digit identifier for students as the recommended ID number to be used for payment plans. Red Flag - none, see Oversight of Service Provider Arrangements.
Additional Red Flag Considerations:
- 1. Employee Information - Background checks and I-9 Forms completed prior to beginning employment are kept in a secured location by Human Resources. Payroll does not display the employee's social security number on distributed payroll documents with the exception of tax documents as required. All payroll information is maintained in a secured location by Payroll. Requests for replacement checks or W-2"s are mailed to the address on file or picked up in person. Payroll information that is no longer required in accordance with the College Record Retention Policy must be shredded by the appropriate personnel.
- 2. Vendor Information - Tax identification numbers required for vendors are kept in electronic format which is accessible to limited staff within the Financial Services Department. Any tax identification number is "blacked out" prior to scanning invoices which are accessible online to staff.
Preventing and Mitigating Identity Theft
The Program shall provide for appropriate responses to detected red flags to prevent and mitigate identity theft. The appropriate responses to the relevant red flags are as follows:
- Deny access to the covered account until other information is available to eliminate the red flag;
- Contact the student;
- Change any passwords, security codes or other security devices that permit access to a covered account;
- Notify law enforcement; or
- Determine no response is warranted under the particular circumstances.
- Notify the Program Administrator
- Protect identifying information by ensuring that websites are secure, complete and secure file destruction, computers are password protected, ensure computer virus protection software is up to date and avoid the use of social security numbers.
Oversight of the Program
Responsibility for developing, implementing and updating this Program lies with the Vice President for Finance and Administration. The Program Administrator will be responsible for the Program administration, for ensuring appropriate training of College's staff on the Program, for reviewing any staff reports regarding the detection of Red Flags and the steps for preventing and mitigating Identity Theft, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the Program.
This Program will be periodically reviewed and updated to reflect changes in risks to students and the soundness of the College from identity theft. At least once per year in October, the Program Administrator will consider the College's experiences with identity theft, changes in identity theft methods, changes in identity theft detection and prevention methods, changes in types of accounts the College maintains and changes in the College's business arrangements with other entities. After considering these factors, the Program Administrator will determine whether changes to the Program, including the listing of Red Flags, are warranted. If warranted, the Program Administrator will update the Program.
College staff responsible for implementing the Program shall be trained either by or under the direction of the Program Administrator in the detection of Red Flags, and the responsive steps to be taken when a Red Flag is detected.
Oversight of Service Provider Arrangements
The College shall take steps to ensure that the activity of a service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft whenever the organization engages a service provider to perform an activity in connection with one or more covered accounts.
Currently the College uses Sallie Mae and Key Bank to administer the Tuition Payment Plans and ECSI to administer the Institutional and Perkins Loan Programs. Students contact the service provider directly through its website or by telephone and provide personally identifying information to be matched to the records that have been provided by the College.