Protecting Sensitive Data
The following is the Carson-Newman Policy and Procedure to protect against Identity Theft.
IDENTITY THEFT POLICY AND PROCEDURES
The Federal Trade Commission (FTC) issued a regulation known as the Red Flag Rule (implementing Sections 114 and 315 of the Fair and Accurate Credit Transactions Act) that applies to Carson-Newman University. Its purpose is to reduce the risk of identity theft through the detection, prevention, and mitigation of opportunities for identity theft. The Red Flag Rule applies to Carson-Newman University because the University offers or maintains covered accounts.
Carson-Newman University will make reasonable efforts to detect, prevent and mitigate identity theft associated with a university account. In doing so, the University will develop, implement and maintain an Identity Theft Red Flags program in compliance with the Fair and Accurate Credit Transactions Act.
Identity theft is a fraud committed or attempted using the identifying information of another person without authority.
A covered account is an account that Carson-Newman University offers or maintains, primarily for business, personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions. It also includes any other account that the University offers or maintains for which there is a reasonably foreseeable risk to customers, or to the safety and soundness of the University, from identity theft, including financial, operational, compliance, reputation, or litigation risks.
A red flag is a pattern, practice, or specific activity that indicates the possible existence of identity theft. Red flags include, but are not limited to, suspicious documents, suspicious personal identifying information, suspicious covered account activity or unusual use of an account, alerts from others, and notifications from consumer reporting agencies.
Personally identifiable information is information that identifies a person as unique, including but not limited to any of the following.
- Telephone number, including wireless
- Social Security number
- Date of birth
- Marital status
- State or Federal issued driver’s license or identification number
- Employer or taxpayer identification number
- Student identification number
- Federal alien registration number
- Passport number or related information
- Computer Internet Protocol (IP) address or routing code
- Credit card number or related information (e.g., balance, expiration date, security code)
- Account user identification name, password, or PIN used for access control
- Email address in conjunction with an account
- Any medical information
- Any information related to pay, withholdings, etc.
Many offices at Carson-Newman University maintain files, both electronic and paper, of student biographical, academic, health, financial, and admission records. These records may also include student billing information, Perkins Loan records, and personal correspondence with students and parents. The Human Resources Department performs background checks on some potential employees prior to their date of hire. This population may include any employees whose positions require them to have regular access to cash and/or who have computer access to personal data. Access to this information is very limited and procedures to safeguard the data are in place.
Compliance with the Gramm-Leach-Bliley Act (GLB), the Family Educational Rights and Privacy Act (FERPA), and Payment Card Industry security standards (PCI), together with system and application security and internal control procedures, provides an environment in which identity theft opportunities are mitigated. Records are safeguarded to ensure the privacy and confidentiality of students, parents, alumni, and employees. Specific procedures are listed below.
Red Flag Prevention and Mitigation
Treasury, Financial Aid, Other
Parents may obtain information only with a signed FERPA release form submitted by the student, at the discretion of the institution. Staff members who have access to data have been trained on the FERPA regulations, under which information is not provided unless approved in writing.
Students are required to give written authorization to the Registrar's Office before their information may be shared with another party. A FERPA disclosure statement informing students of their rights under FERPA is available to them.
Occasionally the University will extend short-term credit to a student for payment of his or her bill, which creates a covered account. The student signs a short-term promissory note, which is stored in a secured area. If we receive notice of an address change (which is a red flag), we verify the change by contacting the student before making the change in the Datatel system.
Access to non-directory student data in Carson-Newman University’s Datatel system is restricted to those employees of the University with a need to properly perform their duties. These employees are trained to know FERPA and "Red Flag" regulations.
Social Security numbers are not used as identification numbers and these data are classified as non-directory student data.
All paper files are required to be maintained in locked filing cabinets (if not in a locked closet) when not in use. All offices, when not occupied, are to be locked.
Staff members are requested to report all changes in name, address, telephone or marital status to the Department of Human Resources as soon as possible. They also must periodically verify those persons listed as contacts in case of an emergency, and those persons designated as beneficiaries to life and/or retirement policies.
The University is sensitive to the personal data (unlisted phone numbers, dates of birth, etc.) that it maintains in its personnel files and databases. The University will not disclose personal information, except by written request or signed permission of the employee (for example, the Campus Directory), or unless there is a legitimate business "need-to-know", or if compelled by law.
Every effort is made to limit access to private information to those employees on campus with a legitimate "need-to-know". Staff members who have approved access to the administrative information databases understand that they may use the information obtained only in the conduct of their official duties. Inappropriate use of such access and/or of administrative data may result in disciplinary action up to, and including, dismissal from the University.
The University's official personnel files for all employees are retained in the Department of Human Resources. Employees have the right to review the materials contained in their personnel file. All computer accounts for terminated employees are suspended immediately.
Credit card information is processed securely between Carson-Newman and its payment processors using SSL and Security Smith encryption. Credit card information is not retained within C-N databases. Other sensitive data is transmitted between Carson-Newman and third parties over secure site-to-site VPN connections or secure FTP (SFTP). When a secure VPN or SFTP connection is not possible with the third party, we employ authentication or password protection.
HTTPS (SSL) is used to encrypt information collected online. Faculty and staff are periodically reminded not to respond to phishing e-mail or pop-ups.
Sensitive information is never transmitted by e-mail unless the receiver has no alternative. In those rare cases, password protection is applied to the information.
Network account passwords for faculty and staff are set to expire every six months. Password rules prevent users from choosing a password shorter than six characters or reusing a previous password. Student passwords expire annually after the end of the spring semester.
Password-activated screen savers are not used; instead, employees are encouraged to lock their workstations (Ctrl-Alt-Del, then Lock Computer) when leaving them. Computers are powered off after hours and back on just before the start of the business day, which forces them to require credentials.
Encryption software is used to secure laptops of all cabinet level personnel along with others (e.g. Admissions staff) that might contain sensitive information. CN policy states: “No information considered confidential is to be saved to the local drive of any Carson-Newman computer, but only to approved network locations such as drive m: and shared network drives where available and appropriate. In the event confidential data must be saved to the local drive of a computer, the hard drive of the computer must be adequately secured by IT with password protection and hard drive encryption. All computer-related disposals must be handled through IT to ensure the secure removal of software / information and to ensure equipment is disposed of safely and properly.”
If an employee telecommutes, the University policy prohibiting the saving of confidential information to a local drive (or related storage device) governs whether and how the employee may keep information at home.
Employees are periodically reminded about storage of sensitive data online (e.g., internet accessible files) or on other storage devices (e.g., USB sticks).
With regard to destroying or erasing data when disposing of computers, disks, CDs, tapes, hard drives, laptops, PDAs, cell phones, or other electronic media, the procedure requires that all computer-related disposals be handled through IT to ensure the secure removal of software and information and to ensure equipment is disposed of safely and properly.
The University has a monitoring system that alerts IT staff to system failures and other suspicious activity, supporting efforts to deter, detect, and defend against security breaches.
To stay informed of security threats, IT department personnel monitor software vendors' websites, read relevant industry publications, attend presentations and conferences, and subscribe to several print and online publications on information technology security.
To maintain up-to-date and appropriate programs and controls that prevent unauthorized access to customer information, the college has dedicated servers that download and install operating system updates and anti-malware updates, as well as a firewall. In addition, IT opens ports on the firewall only as needed for business operations. Faculty and staff are notified when a significant phishing e-mail is circulating.
Appropriate oversight and audit procedures to detect the improper disclosure or theft of customer information are in place. Internet activity is logged and monitored. Servers keep logs that are regularly monitored. IP addresses that attempt to gain unauthorized access are blocked by that server and/or the firewall.
If the IT department detects a breach, the affected system is immediately disconnected from the network and the Internet. Log files are preserved and studied to determine the source of the breach. Personnel or officials are notified as appropriate.
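The paragraph above describes blocking IP addresses that repeatedly attempt unauthorized access, based on server logs. The following is an added illustration of how such a control is typically implemented; it is not Carson-Newman's monitoring code. The log lines are constructed in OpenSSH auth.log style, the log year, thresholds, allowlist and iptables rule syntax are assumptions, and the allowlist exists so a misconfigured campus host cannot lock itself out.

```python
"""Detect repeated failed logins per source IP in sshd-style auth logs and
produce firewall block rules. Added illustration only: sample lines, thresholds
and rule syntax are assumptions, not Carson-Newman's actual system."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real logs). Two patterns worth catching:
#   203.0.113.45 - burst of failures within seconds
#   192.0.2.10   - slow, spread-out failures over several hours
# 198.51.100.7 is a legitimate user with one typo followed by success.
SAMPLE_LOG = """\
Mar  3 08:00:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 08:00:03 web1 sshd[2203]: Failed password for root from 203.0.113.45 port 51023 ssh2
Mar  3 08:00:04 web1 sshd[2205]: Failed password for invalid user oracle from 203.0.113.45 port 51024 ssh2
Mar  3 08:00:06 web1 sshd[2207]: Failed password for root from 203.0.113.45 port 51025 ssh2
Mar  3 08:00:09 web1 sshd[2209]: Failed password for root from 203.0.113.45 port 51026 ssh2
Mar  3 08:01:10 web1 sshd[2211]: Failed password for jsmith from 198.51.100.7 port 40100 ssh2
Mar  3 08:01:25 web1 sshd[2213]: Accepted password for jsmith from 198.51.100.7 port 40101 ssh2
Mar  3 08:10:00 web1 sshd[2301]: Failed password for root from 192.0.2.10 port 33000 ssh2
Mar  3 09:30:00 web1 sshd[2401]: Failed password for root from 192.0.2.10 port 33001 ssh2
Mar  3 10:45:00 web1 sshd[2501]: Failed password for root from 192.0.2.10 port 33002 ssh2
Mar  3 11:50:00 web1 sshd[2601]: Failed password for root from 192.0.2.10 port 33003 ssh2
Mar  3 12:55:00 web1 sshd[2701]: Failed password for root from 192.0.2.10 port 33004 ssh2
"""

LOG_YEAR = 2012  # syslog lines carry no year; assumed for the constructed sample

FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, ip, user) for each failed-password line; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = f"{LOG_YEAR} {m['mon']} {int(m['day']):02d} {m['time']}"
        yield datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m["ip"], m["user"]


def find_offenders(log_text, threshold=5, window_seconds=300, allowlist=()):
    """Return {ip: total_failures} for IPs with at least `threshold` failures inside
    any interval of `window_seconds`. IPs inside `allowlist` networks are skipped."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    per_ip = defaultdict(list)
    for ts, ip, _user in parse_failures(log_text):
        per_ip[ip].append(ts)
    offenders = {}
    for ip, stamps in per_ip.items():
        if any(ipaddress.ip_address(ip) in n for n in nets):
            continue
        stamps.sort()
        start = 0  # two-pointer sliding window over sorted timestamps
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = len(stamps)
                break
    return offenders


def block_rules(ips):
    """Render one iptables DROP rule per offending IP, in sorted order."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    for rule in block_rules(find_offenders(SAMPLE_LOG)):
        print(rule)
```

With the default 5-failures-in-5-minutes rule only the burst source is blocked; widening the window to a day also catches the slow attacker, at the cost of more false positives, which is why the allowlist for known campus networks matters.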
Detecting Red Flag Activity
Alerts, notifications, or warnings from a Consumer Reporting Agency
- A fraud or active duty alert is included with a consumer report.
- A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
- A consumer reporting agency provides a notice of address discrepancy, as defined in 41.82(b) of the Final Rules for Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003.
- A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as a recent significant increase in the volume of inquiries, an unusual number of recently established credit relationships, a material change in the use of credit, or an account that was closed for cause or identified for abuse of account privileges.
Suspicious Documents
- Documents or identification cards that appear to be forged, altered, or inauthentic.
- Photographs or physical descriptions on identification that are not consistent with the appearance of the person presenting it.
- Personal identifying information on identification that is not consistent with other personal identifying information on file with the University.
- An application for service that appears to have been altered or forged.
Suspicious Personal Identifying Information
- Personal identifying information provided is inconsistent when compared against external information sources used by the University.
- Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer.
- Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the University.
- Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources available to the University.
- The SSN provided is the same as that submitted by other persons.
- The address or telephone number provided is the same as or similar to the address or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
- The person having or opening a covered account fails to provide all required personal identifying information on an application or in response to notification that application is incomplete.
- Personal identifying information provided is not consistent with personal information that is on file with the University.
- The person opening a covered account cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
Unusual or Suspicious Activity Related to Covered Accounts
- Following the notice of a change of address for a covered account, the University receives a request for new, additional, or replacement cards, or the addition of authorized users on the account.
- A covered account is used in a manner that is not consistent with established patterns of activity on the account.
- An inactive covered account is suddenly used.
- Mail is returned repeatedly as non-deliverable although transactions continue to be conducted in connection with the customer’s covered account.
- Notification from students, borrowers, law enforcement, or service providers of unusual activity related to a covered account.
- Notification from a credit bureau of fraudulent activity.
- University receives a FAFSA fraud alert.
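Several of the covered-account red flags above (an address change followed by a request for new cards, a dormant account suddenly used, mail repeatedly returned while transactions continue) can be evaluated automatically against account activity records. The following is an added illustration of such checks; it is not Carson-Newman's procedure or Datatel code. The event records are constructed, and the event schema, event type names and thresholds (30 days, 365 days, two returned mailings) are assumptions.

```python
"""Evaluate some of the red flags listed above against constructed covered-account
event records. Added illustration only: schema, event names and thresholds are
assumptions, not Carson-Newman's data or procedures."""
from collections import defaultdict
from datetime import date

# Constructed sample events: (account, date, event_type). Not real data.
EVENTS = [
    ("A100", date(2012, 1, 10), "transaction"),
    ("A100", date(2012, 2, 2), "address_change"),
    ("A100", date(2012, 2, 9), "card_request"),    # new card 7 days after address change
    ("A200", date(2010, 11, 5), "transaction"),
    ("A200", date(2012, 3, 1), "transaction"),     # dormant 482 days, then used
    ("A300", date(2012, 1, 15), "transaction"),
    ("A300", date(2012, 1, 20), "mail_returned"),
    ("A300", date(2012, 2, 18), "transaction"),    # activity continues despite returned mail
    ("A300", date(2012, 2, 20), "mail_returned"),
    ("A400", date(2012, 1, 3), "address_change"),
    ("A400", date(2012, 4, 25), "card_request"),   # 113 days later: outside default window
]

ACTIVITY = {"transaction", "card_request"}  # event types that count as account use


def _by_account(events):
    """Group events by account as date-sorted (date, event_type) rows."""
    grouped = defaultdict(list)
    for acct, when, kind in events:
        grouped[acct].append((when, kind))
    for rows in grouped.values():
        rows.sort()
    return grouped


def flag_address_change_then_card(events, window_days=30):
    """Address change followed within window_days by a request for a new or
    replacement card or the addition of an authorized user."""
    flagged = set()
    for acct, rows in _by_account(events).items():
        changes = [d for d, k in rows if k == "address_change"]
        for d, k in rows:
            if k in ("card_request", "add_authorized_user") and any(
                0 <= (d - c).days <= window_days for c in changes
            ):
                flagged.add(acct)
    return flagged


def flag_dormant_account_used(events, dormant_days=365):
    """An account with no activity for dormant_days or more is suddenly used."""
    flagged = set()
    for acct, rows in _by_account(events).items():
        activity = [d for d, k in rows if k in ACTIVITY]
        if any((b - a).days >= dormant_days for a, b in zip(activity, activity[1:])):
            flagged.add(acct)
    return flagged


def flag_returned_mail_with_activity(events, min_returns=2):
    """Mail returned at least min_returns times while transactions continue
    after the first return."""
    flagged = set()
    for acct, rows in _by_account(events).items():
        returns = [d for d, k in rows if k == "mail_returned"]
        if len(returns) < min_returns:
            continue
        if any(k == "transaction" and d > returns[0] for d, k in rows):
            flagged.add(acct)
    return flagged


def evaluate_red_flags(events):
    """Map each account to the red flags it triggers; accounts with none are omitted."""
    checks = {
        "address_change_then_card_request": flag_address_change_then_card,
        "dormant_account_used": flag_dormant_account_used,
        "returned_mail_with_continued_activity": flag_returned_mail_with_activity,
    }
    report = defaultdict(list)
    for name, check in checks.items():
        for acct in check(events):
            report[acct].append(name)
    return dict(sorted(report.items()))


if __name__ == "__main__":
    for acct, flags in evaluate_red_flags(EVENTS).items():
        print(acct, ", ".join(flags))
```

A flagged account is a prompt for the supervisor review described under "Responding to Red Flags", not a verdict: A400 shows that the window length decides whether a legitimate, slow sequence is flagged, so thresholds should be tuned against the institution's own account history.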
Responding to Red Flags
Employees encountering red flags as described above, or other suspicious activity, are instructed to notify their immediate supervisor, who assesses the risk of identity theft. If the supervisor determines there is a risk or is uncertain, he or she shall notify the appropriate Vice President, the Assistant Vice President of Finance, and the Executive Vice President – CFO.
One or more of the following actions may be taken, depending on the facts and circumstances.
- Contact Campus Security.
- Notify the customer or covered account holder.
- Monitor the covered account for evidence.
- Change password or other access controls.
- Close the suspicious account and open a new account.
- Notify the Financial Aid Office if detection is related to student account.
- Notify the third party student loan service providers.
- Notify consumer reporting agency about address discrepancies associated with credit reports.
- Notify local law enforcement or FBI.
- Correct erroneous information associated with the account.
- Notify appropriate employees of the suspected identity theft.
LAW / REGULATIONS
This procedure follows Title 16 of the Code of Federal Regulations, Part 681, implementing Sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003, and Board of Trustees policies.
This policy and procedure will be reviewed by the Executive Council at least every three years.
last date reviewed: 05/01/2012