Information Technology, Documents, & Records

Select a Policy to jump to: College Data on Mobile Devices Data Management and Access Guidelines Data Risk Classification Guidelines E-mail as Official Communication for Students Identity Theft Prevention Program iPad Purchase Policy New Technology Request Program Privacy Statement Records Retention Related Party Disclosure Statement (Conflict of Interest Policy) Responsible Use of Technology Student Records Surveillance Camera Guidelines

Identity Theft Prevention Program

I. Background

A. Effective Date

Carleton College approved the original Identity Theft Prevention Program (“Program”) in February 2009. The Program is reviewed and updated on an annual basis.

B. Purpose and Policy

Carleton College developed this Program to comply with the requirements of the Federal Trade Commission’s (FTC) Red Flags Rule of the Fair and Accurate Credit Transactions Act (FACTA) of 2003.

“Identity theft” occurs when a person commits or attempts to commit fraud using identifying information of another person without authority. It is the policy of the College to develop, implement, and maintain a comprehensive program to detect, prevent and mitigate identity theft for our students and their families.

A “Red Flag” is a pattern, practice or specific activity that indicates the possible existence of identity theft.

No part of this Program or related policies and procedures should be interpreted as conflicting with or superseding any other applicable legal and regulatory requirements. This Program and its related policies and procedures reflect a good faith effort to comply with applicable law and reduce the potential for identity theft.

C. Responsibilities and Management

Management of the College has the authority and responsibility to approve and implement this Program. The Program Coordinator has the authority and responsibility to:

• Oversee and manage the development, implementation and administration of the Program;
• Assign specific responsibilities for implementation of the Program;
• Review reports prepared by staff regarding compliance with the Red Flags Rule and this Program;
• Approve material changes to the Program as necessary to address changing identity theft risks; and
• Exercise management control as necessary to ensure that all relevant operations and employees make compliance with this Program and integral part of regular operations.

II. Program Development and Assessment

The FTC’s Identity Theft Rules require that the College identify relevant Red Flags and methods of detecting relevant Red Flags, as well as periodically update the risk assessment and adjust the Program accordingly.

A. Covered Accounts

The College is subject to the requirement of the identity theft rule because it is a “creditor” under the definition in the Rule.

The College has identified three types of accounts under which the college would be considered a “creditor” in regard to the following activities where “covered accounts” exist:

• (i) participation in the Federal Perkins Loan program,
• (ii) participation as a school lender in the Federal Direct Stafford Loan program
• (iii) Carleton Student Accounts with charges for any goods or services for which students are invoiced or otherwise allowed to pay after the goods or services are provided (i.e. telephone service, print center services and health care services)

B. Risk Assessment

The College has evaluated these covered accounts and assessed the likely risk of identity theft as low. The low risk is due in part to the following factors: (a) no historical experience with identity theft, (b) access to disbursements from covered accounts requires photo identification, a student authorized bank account or address on record and (c) the size of our institution allows us to be intentional about each relationship we establish and maintain with our students to ensure we are familiar with their identity before we establish a creditor relationship with them. The student application process requires all of the following:

• Common application with personally identifying information
• High school transcript
• Official ACT or SAT scores
• Two letters of recommendation
• Entrance Medical Records
• Medical history
• Immunization history
• Proof of Insurance

III. Red Flag Detection and Response

The College will periodically identify relevant Red Flags for the types of covered accounts it offers or maintains by considering appropriate risk factors, categories of Red Flags and other sources of Red Flags.

In identifying the relevant Red Flags, the College considers the following categories of Red Flags:

• Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
• The presentation of suspicious documents;
• The presentation of suspicious personal identifying information, such as a suspicious address change;
• The unusual use of , or other suspicious activity related to, a covered account; and
• Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.

Relevant Red Flags

The College has identified the following relevant Red Flags that may be raised in connection with opening or servicing a covered account:

1. The student does not have a photo ID.
2. The student photo ID appears to have been altered.
3. The photo ID is inconsistent with the appearance of the student.
4. Documents presented by a student or beneficiary appear to be altered or forged, or appear to have been destroyed and re-assembled.
5. The student or beneficiary refuses to provide all of the required personal information.
6. A refund request from a non-College sponsored E-mail account
7. A request to mail something to an address not otherwise on record
8. Notification from a student or beneficiary, victim of identity theft, law enforcement agency, or someone else that an account has been opened or used fraudulently.

Procedure when Red Flags are Present

If one or more of these risk factors is present, the person servicing the account should notify a supervisor and the supervisor should:

• Deny access to the covered account until additional information is available to eliminate the Red Flag and verify his or her identity
• Independently attempt to contact the student
• Change any passwords, security codes or other security devices that permit access to a covered account if it is determined that an account may have been compromised
• Notify law enforcement if identify theft is confirmed; or
• Determine no response is warranted under the particular circumstances

In any case where the transaction is delayed, the following script may be used to communicate with the student or beneficiary:

Our identity theft protection procedures are designed to prevent identity theft and fraud, before we can complete your transaction additional information to verify your identity is required. These precautions will require additional time to process your transaction.

IV. Training, Service Provider Oversight, and Program Updating

A. Training

It is the responsibility of the Program Coordinator to ensure that all relevant College personnel receive training, as necessary, to effectively implement the Program. The training will include the following:

• Distribution of a copy of this Program to all employees having duties that may involve covered accounts;
• Training of all new employees having duties that may involve covered accounts; and
• Training on a periodic basis as determined by the Program Coordinator to be necessary to reflect changes to the Program

Such training program shall include the pertinent requirements of the Red Flags Rule, the policies and procedures set forth in this Program, as updated from time to time and the importance placed by the College on compliance with the Program and the prevention and mitigation of identity theft.

Training has been embedded into the online FERPA web tutorial incorporated into new staff orientation and training provided by the Human Resources Office.

B. Overseeing Service Providers

It is the responsibility of the Program Coordinator to exercise appropriate and effective oversight of service provider arrangements. A service provider means a person who provides a service directly to the College in connection with covered accounts. The Program Coordinator shall take reasonable steps to select and retain service providers that are capable of maintaining safeguards to protect the information handled or accessed.

The College has identified service providers who provide services for covered accounts:

• (i.) Cashnet, a payment plan administrator for student accounts
• (ii.) ECSI, a loan service provider for Perkins, Henry Strong and Carleton College Loan accounts
• (iii.) Flywire, international online paymentvendor for student accounts
• (iv.) Wellfleet, student health insurance adminsitrator for Carleton College
• (v.) Williams & Fudge, collection agency for defaulted accounts and student loans with Carleton College
• (vi.) General Revenue Corp., collection agency for defaulted accounts and student loans with Carleton College

Personally identifying information transmitted to or from service providers is done through a secure web portal and/or with data encryption technology.

C. Reports

The Program Coordinator and other staff responsible for the development, implementation, and administration of the Program shall report to the Vice President and Treasurer, at least annually, on compliance with the Red Flags Rule and this Program. The report shall address material matters related to the Program and evaluate all material issues arising in connection with the Program since its inception or the most recent prior report. In any event, the following issues shall be addressed in each report:

• The effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening of covered accounts and, if and when applicable, with respect to existing covered accounts;
• Service provider arrangements;
• Significant incidents involving identity theft and management’s response; and
• Recommendations for material changes to the Program.

D. Periodic Updates

It is the responsibility of the Program Coordinator to ensure that the Program is updated periodically based on changes in the regulatory guidance, the College’s experience with identity theft, or new methods of identity theft having been uncovered.

V. Appointments

Identification of Responsible Employees

The following position has been appointed to the position indicated below, subject to modification from time to time:

Program Coordinator: College Comptroller

Last Revised: February 22, 2021

For: Faculty, Staff, Students

Last Reviewed: February 22, 2021

Maintained by: Business Office

List all Policies & Guidelines for Information Technology, Documents, & Records