Policy and Law (166371228)

Apr 14, 2018

7/29/2019 Policy and Law (166371228)

http://slidepdf.com/reader/full/policy-and-law-166371228 1/14

New Identity Theft Rules

Rodney J. Petersen, J.D.

Government Relations Officer

Security Task Force Coordinator

EDUCAUSE

Big Picture of New Rules

It’s not about privacy of personally identifiable information

It’s not about the security of information systems

It’s about protecting individuals from identity theft once their identity has been assumed by another individual

Thus, RED FLAGS! ~ a pattern, practice, or specific activity that indicates the possible existence of identity theft

Statutory Basis

The Fair and Accurate Credit Transactions Act of 2003 (FACT Act) amended the Fair Credit Reporting Act (FCRA)

Sections 114 and 315 of the FACT Act

Rulemaking

Joint rulemaking

Final rules published November 9, 2007

Rules: 72 Fed. Reg. 63718 (November 9, 2007)

http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf

Full compliance originally required by November 1, 2008

Deadline extended to May 1, 2009

New ID Theft Rules

Users of Consumer Reports (Sec. 681.1)

Financial Institutions and Creditors holding “covered accounts” (Sec. 681.2)

Debit and Credit Card Issuers (Sec. 681.3)

Use of Consumer Reports

Effective November 1, 2008

Duties of users regarding address discrepancies

Triggered by a notice of address discrepancy sent from a consumer reporting agency to an institution to inform them of a “substantial difference between the address for the consumer” that the institution provided

Policies and Procedures

Institutions must develop and implement reasonable policies and procedures designed to enable the institution to form a reasonable belief that a consumer report relates to the consumer

Comparing the information in the consumer report with:

Information the institution obtains and uses to verify the consumer’s identity

Maintains in its own records, such as applications, change of address notifications, other customer account records, etc.; or

Obtains from third-party sources.

Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.

Consumer’s Address

Institutions must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the institution has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy

Examples of confirmation methods:

Verifying the address with the consumer

Reviewing its own records to verify the address

Verifying the address through third-party sources; or

Using other reasonable means

Creditors Holding “Covered Accounts”

Effective May 1, 2009

Creditor - any entity that regularly extends, renews, or continues credit

Conduct periodic risk assessments to determine if the institution has “covered accounts”

Jurisdiction of FTC - “Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors.”

FTC Business Alert, June 2008

Covered Account

Credit card accounts

Mortgage loans

Automobile loans

Margin accounts

Cell phone accounts

Utility accounts

Checking accounts

Savings accounts

Any account for which there is “a foreseeable risk of identity theft”

Application to Higher Ed

Participating in the Federal Perkins Loan program,

Participating as a school lender in the Federal Family Education Loan Program,

Offering institutional loans to students, faculty, or staff, or

Offering a plan for payment of tuition throughout the semester rather than requiring full payment at the beginning of the semester

ID Theft Prevention Program

Include reasonable policies and procedures to detect or mitigate identity theft and enable a creditor to:

Identify relevant “red flags” (patterns, practices, and specific activities that signal possible identity theft) and incorporate them into the program;

Detect the red flags that the program incorporates;

Respond appropriately to detected red flags to prevent and mitigate identity theft; and

Ensure that the Program is updated periodically to reflect changes in risks

Administration and Maintenance

The board of directors (or appropriate board committee) must approve the initial written program.

Involve the board, committee, or designated employee at the level of senior management in the oversight, development, implementation, and administration of the program

Train staff, as necessary, to effectively implement the Program; and

Exercise appropriate and effective oversight of service provider arrangements.

Conclusion

This is clearly a legal and regulatory compliance issue

This is mostly about business processes

There will be implications for IT – but what???

Information Privacy and Security

Technology Support of Business Processes

Programs, Policies, Procedures, and Training

Management of Identities to Prevent Fraud