6.11 Identity Theft Red Flag and Security Incident Reporting


Overview

Description: In accordance with the provisions outlined in the Federal Trade Commission’s Red Flag Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003,[1] the Maricopa County Community College District (MCCCD) shall implement a program for Identity Theft Prevention.[2] The purpose of the program is to provide information that will assist individuals in (1) identifying, detecting, preventing and mitigating identity theft in connection with the establishment or maintenance of any new or existing Covered Account and (2) reporting a Security Incident.

Applicability:  Information Security is everyone’s responsibility. All MCCCD Personnel and Persons of Interest (POIs) with access to MCCCD Sensitive Information, whether through use of online technology resources[3] or otherwise, are covered by this administrative regulation. MCCCD students are expected to know and comply with all current published policies, rules and regulations as stated in the college catalog, class schedule, and/or student handbook.[4]

Failure to Comply:  Failure to comply with this administrative regulation may result in disciplinary actions up to and including dismissal from employment and termination of service at MCCCD. Legal actions, including, but not limited to, the application of civil and criminal penalties, may also be taken for violations of applicable regulations and/or laws. MCCCD recognizes that laws and regulations involving security of Sensitive Information are continuously evolving.

1.  Identifying Identity Theft

To identify relevant red flags, MCCCD considers the types of accounts that it offers and maintains, the methods it offers for opening and accessing those accounts, and prior experiences with identity theft. The following categories are identified as red flags:

A. Alerts, notifications or warnings from a consumer reporting agency, including fraud alerts, credit freezes or official notice of address discrepancies.

B. The presentation of suspicious documents, such as those appearing to be forged or altered, or where the photo ID does not resemble its owner, or an application that appears to have been severed, reassembled and photocopied.

C. The failure to provide all required information or presentation of suspicious personally identifiable information, such as:

    i. a photograph or physical description on the identification that is not consistent with the appearance of the person presenting the identification;

    ii. discrepancies in address, social security number, student ID, or other information on file;

    iii. an address that is either invalid, a post office mailbox or a prison; and/or

    iv. a phone number that is likely to be a pager or answering service.

D. Unusual use or suspicious account activity, such as:

    i. material changes in payment patterns, and/or

    ii. notification that the account holder is not receiving mailed statements or that the account has unauthorized charges.

E. Requests to mail something to an address that is not on file.

F. Notifications by students, victims of identity theft, law enforcement, and/or other persons regarding possible identity theft in connection with Covered Accounts.

2.  Detecting Identity Theft

The detection of red flags in connection with the opening of Covered Accounts and the processing of existing accounts can be made through internal controls such as:

A. Obtaining and verifying the identity of a person opening and using an account.

B. Authenticating customers.

C. Monitoring transactions.

D. Verifying the validity of change of address requests for existing Covered Accounts.

3.  Preventing and Mitigating Identity Theft

MCCCD’s Identity Theft Prevention Program shall provide for appropriate responses to detected red flags in order to prevent and mitigate identity theft. Examples of appropriate responses, depending on the circumstances, may include:

A. Monitoring Covered Accounts for evidence of identity theft.

B. Denying access to a Covered Account until other information is available to eliminate the identified red flag, or closing the existing Covered Account.

C. Notifying the customer, law enforcement, and/or regulators in accordance with Administrative Regulation 4.23.

D. Changing any passwords, security codes or other security devices that permit access to a Covered Account.

E. Closing an existing account.

F. Reopening a Covered Account with a new account number.

G. Determining if no response is warranted given the particular circumstances.

4.  Reporting Actual and Suspected Exposure

Anyone, including, but not limited to, any MCCCD Personnel, who notices and/or suspects that MCCCD Sensitive Information may currently be or may have been exposed to someone without authorization should immediately contact the Chief Privacy Officer at protect.privacy@maricopa.edu. The Chief Privacy Officer is designated as the exclusive recipient of reports of this nature. The Chief Privacy Officer is also responsible for obtaining details about the situation from the individual(s) and coordinating with the Incident Response Team (“IRT”) to take any additional actions that the IRT deems necessary. Responsibilities of the IRT are described in MCCCD Administrative Regulation 4.24 Information Security Incident Response Plan.

5.  Overseeing Service Providers

MCCCD remains responsible for compliance with the Red Flag Rules even in instances where services are outsourced to a third party. The written agreement between MCCCD and the third-party service provider should require the third party to have reasonable policies and procedures designed to detect relevant Red Flags that may arise in the performance of their service activities. The written agreement should also indicate whether the service provider is responsible for notifying MCCCD of the detection of a Red Flag or if the service provider is responsible for implementing appropriate steps to prevent or mitigate identity theft.

6.  Overseeing the Identity Theft Prevention Program

The Chancellor shall designate a program administrator. The program administrator shall exercise appropriate and effective oversight over the Identity Theft Program and shall report regularly to the Governing Board and the Chancellor on the activities and status of the program. The program administrator shall be responsible for developing, implementing and updating the program throughout MCCCD. The program administrator shall be responsible for ensuring the appropriate training of Personnel, reviewing staff reports regarding the detection of Red Flags and implementing steps to identify, prevent and mitigate identity theft.


Definitions: As used in this administrative regulation, the following terms have the respective meanings set forth below:

ARS: Arizona Revised Statutes; the statutory laws that govern the state of Arizona as formally enacted in writing by the Arizona State Legislature, such as the Arizona law that requires businesses, including, but not limited to, colleges and universities, to provide consumer notification of data breaches involving personally identifiable information. Pursuant to ARS § 44-7501, “personally identifiable information (PII) (a) Means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted, redacted or secured by any other method rendering the element unreadable or unusable: (1) The individual's social security number; (2) The individual's number on a driver license issued pursuant to ARS § 28-3166 or number on a nonoperating identification license issued pursuant to ARS § 28-3165; or (3) The individual's financial account number or credit or debit card number in combination with any required security code, access code or password that would permit access to the individual's financial account.” PII does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

Covered Account: a consumer account that involves multiple payments or transactions in arrears such as a loan that is billed or payable monthly. This includes accounts where payments are deferred and made by a borrower periodically over time such as with a tuition or fee installment payment plan.

Creditor: a person or entity that regularly extends, renews, or continues credit and any person or entity that regularly arranges for the extension, renewal or continuation of credit. Examples of activities involving MCCCD as a creditor may include:

    i. Participation in the Federal Perkins Loan program;

    ii. Participation as a school lender in the Federal Family Education Loan Program;

    iii. Offering institutional loans to students and Personnel;

    iv. Offering a plan for payment of tuition or fees throughout the semester, rather than requiring full payment at the beginning of the semester; or

    v. Offering emergency loans to students and Personnel.

FERPA: Family Educational Rights and Privacy Act; a federal law that protects the privacy of student education records. "Education records" are "those records, files, documents, and other materials which 1) contain information directly related to a student; and 2) are maintained by an educational institution.” (20 U.S.C. § 1232g (a)(4)(A); 34 CFR § 99.3). FERPA applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

GLBA aka Financial Services Modernization Act of 1999: Gramm–Leach–Bliley Act; an Act that requires “financial institutions,” including, but not limited to, colleges and universities, to protect the privacy of their customers, including information that customers provide to a financial institution that would not be available publicly (“personally identifiable financial information (PIFI)”).[5] MCCCD, therefore, has a responsibility to secure the personal records of its students and employees. To ensure this protection, GLBA mandates that all financial institutions establish appropriate administrative, technical and physical safeguards. GLBA also requires financial institutions to provide notice to customers about their privacy policies and practices, but institutions of higher education are generally exempt from this requirement, because they already do so under FERPA. Colleges and universities complying with FERPA are considered to be in compliance with GLBA.

HIPAA: Health Insurance Portability and Accountability Act of 1996; an Act to amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.

HIPAA Privacy Rule aka Privacy Rule: A statute that (1) establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically, (2) requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization, and (3) gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).” (45 CFR § 160.103). “Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Ibid. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, social security number). 

The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g. 

Information Security Incident Response Team (IRT): The internal ad hoc team of professionals that is convened to provide incident handling services to MCCCD during an ongoing information security event and to respond to an information security incident when the need arises. 

PCI DSS: Payment Card Industry Data Security Standard; a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, automated teller machine (ATM), and point-of-sale (POS/ePOS) cards. “Payment card information” is any personally identifiable information associated with a cardholder, such as the cardholder’s account number, account expiration date, name, address, or social security number. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered payment card information.

Personnel: All full-time, part-time and temporary employees and faculty who work for the MCCCD organization.

POI: Person(s) of Interest; individuals such as the following who are not considered part of the MCCCD workforce but who are still of interest to the organization:

Person of interest category: Definition

Dual enrollment instructor: Individuals who teach college-level courses to high school students and are not compensated by MCCCD.

Consultant: Individuals who are hired to do specialized work for MCCCD and are paid by outside sources.

Agency temporary employee: Temporary agency employees who come to work for MCCCD and are paid by the temporary agency.

Retired employee: Retired employees who continue a relationship with MCCCD are changed from Employee status to Person of Interest status.

Call center or contract employee: Employees who provide support for some of our systems and are paid by the contracted company.

Unpaid intern: An individual who is completing an internship at MCCCD for credit in their degree program.

Volunteer: An individual who is working at MCCCD on a volunteer basis.

Vendor (e.g., Follett bookstores, Chartwells dining services, Aramark facilities services): Members of organizations that provide services to MCCCD employees and students.

ESS Educational Services (e.g., hospitals providing adjuncts for nursing program and/or Fire Science/EMT department): Members of organizations that have contractual relationships with MCCCD for specialized programs.

Red Flag: a pattern, practice or specific activity that indicates the existence of identity theft or possible attempted fraud via identity theft on Covered Accounts.

Security Incident: the unauthorized access to and/or misappropriation of Sensitive Information.

Sensitive Information: information that is protected by law, contractual obligation or administrative regulation. Personally identifiable information, personally identifiable education records, individually identifiable health information, personally identifiable financial information and payment card information are examples of Sensitive Information covered under the Arizona Revised Statutes (ARS), Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Gramm–Leach–Bliley Act (GLBA aka Financial Services Modernization Act of 1999) and Payment Card Industry Data Security Standard (PCI DSS), respectively.

Reference(s):

MCCCD Administrative Regulations 2.1 General Regulation, 2.5.1 Disciplinary Standards, and 2.5.2 Student Conduct Code

MCCCD Administrative Regulation 4.22 Statement on Privacy

MCCCD Administrative Regulation 4.23 Written Information Security Program

MCCCD Administrative Regulation 4.24 Information Security Incident Response Plan

MCCCD Administrative Regulation 6.17 Requests for Public Information 

Records Retention and Disposition Schedules for Arizona Community Colleges and Districts are located at: Employee Portal [Employee credentials are needed to enter secure site].

Contact(s):

Anyone, including, but not limited to, any MCCCD Personnel, who notices and/or suspects that MCCCD Sensitive Information may currently be or may have been exposed to someone without authorization should immediately contact the Chief Privacy Officer at protect.privacy@maricopa.edu. The Chief Privacy Officer is designated as the exclusive recipient of reports of this nature. The Chief Privacy Officer is also responsible for obtaining details about the situation from the individual(s) and coordinating with the IRT to take any additional actions that the IRT deems necessary. Responsibilities of the IRT are described in MCCCD Administrative Regulation 4.24 Information Security Incident Response Plan.

AMENDED BY DIRECT CHANCELLOR APPROVAL: November 12, 2014

AMENDED February 22, 2011, Motion No. 9781, 9782

ADOPTED September 22, 2009, Motion No. 9606

[1] The Identity Theft Red Flags Rule, issued in 2007, requires creditors and financial institutions to implement identity theft prevention programs. It is implemented pursuant to the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). The FACT Act amended the Fair Credit Reporting Act (FCRA) by directing the FTC, along with the federal banking agencies and the National Credit Union Administration, to develop Red Flags guidelines. These guidelines require creditors and financial institutions with covered accounts to develop and institute written identity theft prevention programs.

[2] This Administrative Regulation supersedes and expressly replaces Administrative Regulation 2.5.6 and Appendix S-11 such that Administrative Regulation 2.5.6 and Appendix S-11 are hereby repealed and no longer effective.

[3] MCCCD Administrative Regulation 4.4 Technology Resource Standards provides the following examples of technology resources: websites, applications (such as, but not limited to, MCCCD’s Instructure/Canvas-based Course Management System and RioLearn Learning Management System), desktop and laptop systems, printers, central computing facilities, MCCCD-wide or college-wide networks, local-area networks, telephones, facsimile machines, scanners, access to the Internet, electronic mail and similar electronic devices and information.

[4] See, for example, MCCCD Administrative Regulations 2.1 General Regulation, 2.5.1 Disciplinary Standards, and 2.5.2 Student Conduct Code.

[5] See also 17 CFR 160.3 [Title 17 Commodity and Securities Exchanges; Chapter I Commodity Futures Trading Commission; Part 160 Privacy of Consumer Financial Information] for a related definition of PIFI and for the application of some GLBA requirements to futures commission merchants, commodity trading advisors, commodity pool operators and introducing brokers.