The Georgia Institute of Technology (Georgia Tech or the Institute) developed this Identity Theft Prevention Program ("Program") pursuant to the Federal Trade Commission's (FTC) Red Flags Rule. The Red Flags Rule implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003. After consideration of the size and complexity of the Institute's operations and account systems, and the nature and scope of the Institute's activities, the Institute determined that this Program was appropriate.
Requirements of the Red Flags Rule
Under the Red Flags Rule, the Institute is required to establish an Identity Theft Prevention Program. The program must contain reasonable policies and procedures to:
- Identify relevant Red Flags for new and existing covered accounts. and incorporate those Red Flags into the Program;
- Detect Red Flags that have been incorporated into the Program;
- Respond appropriately to any Red Flags that are detected in order to help prevent and mitigate Identity Theft; and
- Ensure the Program is updated periodically to reflect changes in risks to students or to the safety and soundness of the Institute from Identity Theft.
Responsibility for developing, implementing, and updating this Program lies with an Identity Theft Committee (Committee) for the Institute. The Committee is headed by the Chief Information Security Officer who is the Program Administrator. The Institute's Chief Information Officer, the Vice President for Legal Affairs and Risk Management, and such other individuals as may be appointed by the President of the Institute comprise the remainder of the committee membership. The Program Administrator is responsible for ensuring appropriate training of Institute staff on the Program, for reviewing any staff reports regarding the detection of Red Flags and the steps for preventing and mitigating Identity Theft, determining which steps of prevention and mitigation should be taken in particular circumstances, and considering periodic changes to the Program.
Staff Training and Reports
Institute staff responsible for implementing the Program shall be trained either by or under the direction of the Program Administrator in the detection of Red Flags and the steps to be taken when a Red Flag is detected. Institute employees are expected to notify the Program Administrator once they become aware of an incident of Identity Theft or of the Institute's failure to comply with this Program.
At least annually, or sooner if requested by the Program Administrator, Institute staff responsible for development, implementation, and administration of the Program shall report to the Program Administrator on compliance with this Program. The report should address such issues as effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening and maintenance of Covered Accounts, service provider arrangements, significant incidents involving identity theft and management's response, and recommendations for changes to the Program.
Service Provider Arrangements
In the event the Institute engages a service provider to perform an activity in connection with one or more Covered Accounts, the Institute will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of Identity Theft:
- Require, by contract, that service providers have such policies and procedures in place; and
- Require, by contract, that service providers review the Institute's Program and report any Red Flags to the Program Administrator or the Institute employee with primary oversight of the service provider relationship.
Non-disclosure of Specific Practices
For the effectiveness of the Identity Theft Prevention Program, knowledge about specific Red Flag identification, detection, mitigation, and prevention practices may need to be limited to the Committee who developed this Program and to those employees with a need to know them. Any documents that may have been produced or are produced in order to develop or implement this program that list or describe such specific practices and the information those documents contain are considered confidential and should not be shared with other Institute employees or the public. The Program Administrator shall inform the Committee and those employees with a need to know the information of those documents or specific practices which should be maintained in a confidential manner.
The Committee will periodically review and update the Program to reflect changes in risks to students and the soundness of the Institute from Identity Theft. In doing so, the Committee will consider the Institute's experiences with Identity Theft situations, changes in Identity Theft methods, changes in Identity Theft detection and prevention methods, and changes in the Institute's business arrangements with other entities. After considering these factors, the Program Administrator will determine whether changes to the Program, including the listing of Red Flags, are warranted. If warranted, the Committee will update the Program.
All employees, students, affiliates, contractors, consultants, vendors, or other consumers of Covered Accounts data, and all Institute data (electronic, paper or otherwise) that could be leveraged to conduct identity theft from Covered Accounts are covered by this policy.
All student accounts or loans that are administered by the Institute, including tuition payment plans, federal and school loans involving multiple payments, and campus payment cards.
Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including: name, address, telephone number, social security number, date of birth, government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number, student identification number, computer's Internet Protocol address, or routing code.
A fraud committed or attempted using the identifying information of another person without authority.
The individual designated with primary responsibility for oversight of the Identity Theft Prevention Program.
A pattern, practice, or specific activity that indicates the possible existence of Identity Theft.
5.1. Program Administrator
This policy confirms the need for an Information Security organization, which is responsible for ensuring Institute compliance with this policy, and maintaining this policy as business processes, technology, and methods of identity protection improve. The Program Administrator monitors the activities of and works with the Data Stewards on the development and implementation of campus unit level Identity Theft Prevention Programs.
5.2. Identity Theft Committee
The Identity Theft Committee is responsible for confirming incidents of identity theft and determining the appropriate course of action when incidents occur. Additionally the committee is responsible for supporting the Program Administrator in ensuring the ongoing success of the Identity Theft Prevention Program.
5.3. Data Stewards
Data Stewards are responsible for developing and implementing Identity Theft Prevention within their purview. Data Stewards report to the Program Administrator on their activities in implementing unit level Identity Theft Programs.
Individuals covered by the scope of this policy are expected to: a) respect the confidentiality and privacy of individuals whose records they access; b) observe any restrictions that apply to sensitive data; and c) abide by applicable laws, policies, procedures, and guidelines with respect to access, use, or disclosure of information.
Individuals who become aware of potential Identity Theft are expected to report such an incident per the procedures defined by the Identity Theft Prevention Program Administrator. The Program Administrator will report violations to the appropriate Faculty and/or Employment body. Violations of this policy may result in loss of usage privileges, administrative sanctions (including termination or expulsion) as outlined in applicable Georgia Tech disciplinary procedures, as well as personal civil and/or criminal liability.
|XX-XX-XXXX||OIT-Information Security||New policy|
|04-2013||OIT-Information Security||Update to policy|