FIN-031: Prevention, Detection, and Mitigation of Identity Theft

In order to detect and stop identity thieves from using someone else’s identifying information at the University, an Identity Theft Prevention Program will be maintained. (This is distinct from data security which is covered under other University policies; see Related Information.) Identity theft is committed by using the identifying information of another person without his or her authority. Identifying information may include such things as a Social Security number, account number, date of birth, driver's license number, passport number, and other unique identification numbers or codes.

The Identity Theft Prevention Program describes the characteristics of identity theft and helps detect, prevent, and mitigate the effects of identity theft in order to protect individuals and the University from fraudulent transactions. This program coordinates, reviews, and oversees policies and procedures in order to:

• identify business processes at risk of identity theft fraud;
• detect and respond appropriately to signs of potential identity theft;
• educate appropriate faculty, staff, and others regarding their responsibilities under the Identity Theft Prevention Program; and 
• update the Identity Theft Prevention Program to appropriately respond to new or evolving risks.

The Executive Vice President and Chief Operating Officer, oversight executive for the program, delegates administration of the program to the Vice President and Chief Financial Officer and the Vice President and Chief Information Officer.

The Assistant Vice President for Finance and University Comptroller (Comptroller) has responsibility for:

• operational administration of the program, including notifying an office if it is determined they have covered accounts at risk for identity theft;
• determining whether processes identified by offices should be included in the program;
• training for managers and employees handling covered accounts;
• oversight and monitoring of the program , including review of annual Internal Control Questionnaire responses; and
• the annual certification process through the Agency Risk Management and Internal Control Standards (ARMICS).

Offices handling covered accounts must:

• identify and bring to the attention of the Comptroller any processes that would be at risk for such fraud;
• implement the Identity Theft Prevention Program for those applicable business processes;
• assess whether identifying information provided by individuals (i.e., students, patients, etc.) may have red flags of identity theft; and
• document potential identity theft fraud and report the information to the Comptroller.

These areas include but are not limited to:

• Student Financial Services
• Accounting Services
• Medical Center
• Any departments other than the Medical Center that provide and bill for medical services
• Any departments in the College at Wise that bill for services

A complete list of offices with covered accounts and guidance information related to the Identity Theft Prevention Program is provided at the University’s Red Flags Rule Program. (Of note, it has been determined that payroll deductions for University parking, Intramurals, etc., are low-risk and therefore not included in the program.)

Compliance with Policy:
Failure to comply with the requirements of this policy may result in disciplinary action up to and including termination in accordance with relevant University policies.

Questions about this policy should be directed to the Office of the University Comptroller.