The Maryland Institute College of Art, in response to a growing problem of identity theft, endeavors to safeguard personal and private information of all of its constituents, including faculty, staff, students, vendors, volunteers, and donors. Additionally, the College understands the importance of complying with applicable federal regulations under sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003 to establish an Identity Theft Prevention Program designed to detect, prevent, and mitigate identity theft in connection with conducting College business, as defined by federal regulations.
Definitions and Terms
Identity theft: Fraud committed or attempted using the identifying information of another person without authority.
Covered Account: All student accounts or loans that are administered by the college.
Red Flag: Patterns, practices, and specific activities that signal the possible existence of identity theft.
Purpose
To establish a College-wide "Red Flag" program to detect, prevent, and mitigate identity theft.
Program
MICA's Identity Theft Prevention Program (the Program) is intended to detect, prevent, and mitigate identity theft. The Program includes reasonable policies and procedures to:
- Identify relevant Red Flags for covered accounts it offers or maintains and incorporate those Red Flags into the Program. Covered accounts include all student accounts or loans that are administered by the college.
- Detect and record Red Flags that have been incorporated into the Program.
- Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft.
- Ensure the Program is updated periodically to reflect changes in identity theft risks to "customers" and to the safety and soundness of MICA in its role as creditor.
- The Program shall, as appropriate, incorporate existing policies and procedures that control reasonably foreseeable risks.
Administration of the Program
The Identity Theft Prevention Program Team shall be responsible for developing and implementing the Program.
The Identity Theft Prevention Program Team members shall train staff, as necessary, to implement the Program effectively within the individual departments' needs.
The Chair of the Identity Theft Prevention Program Team will provide a written report annually to the President's Office concerning annual activity and recommendations for continued administration. The Theft Program Team should consist of the following: AVP of Human Resources, Director of Student Account Services, Director of Accounting, AVP of Technology, Associate Dean of Enrollment Services and Registration, AVP of Financial Aid, Director of Records and Registration, Senior Director of Auxiliary Services.
Identification of Relevant Red Flags
The Program shall include relevant Red Flags from the following categories as appropriate:
- Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services.
- The presentation of suspicious documents.
- The presentation of suspicious personal identifying information.
- The unusual use of, or other suspicious activity related to, a covered account.
- Notice from "customers", victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts.
The Program shall consider the following risk factors in identifying relevant Red Flags for covered accounts as appropriate:
- The types of covered accounts offered or maintained.
- The methods provided to open covered accounts.
- The methods provided to access covered accounts.
- Its previous experience with identity theft.
The Program shall incorporate relevant Red Flags from sources such as:
- Incidents of identity theft previously experienced.
- Methods of identity theft that reflect changes in risk.
- Applicable regulatory or professional guidance.
Detection of Red Flags
The Program shall address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:
- Obtaining identifying information about, and verifying the identity of, a person opening a covered account.
- Authenticating "customers", monitoring transactions, and verifying the validity of change of address requests in the case of existing covered accounts.
In order to detect any of the Red Flags for an employment or volunteer position for which a criminal background report is sought, college personnel will require written verification from any applicant that the address provided by the applicant is accurate at the time, before the request for the background report is made to the consumer reporting agency.
Response
The Program shall provide for appropriate responses to detected Red Flags to prevent and mitigate identity theft. The response shall be commensurate with the degree of risk posed. Appropriate responses may include:
- Monitor a covered account for evidence of identity theft.
- Contact the "customer".
- Change any passwords, security codes or other security devices that permit access to a covered account.
- Reopen a covered account with a new account number.
- Not open a new covered account.
- Close an existing covered account.
- Notify law enforcement.
- Determine no response is warranted under the particular circumstances.
Updating the Program
The Program shall be updated periodically to reflect changes in risks to "customers" or to the safety and soundness of the organization from identity theft based on factors such as:
- The experiences of the organization with identity theft.
- Changes in methods of identity theft.
- Changes in methods to detect, prevent, and mitigate identity theft.
- Changes in the types of accounts that the organization offers or maintains.
- Changes in the business arrangements of the organization, including mergers, acquisitions, alliances, joint ventures and service provider arrangements.
Program Oversight
Oversight of the Program shall include:
- Assignment of specific responsibility for implementation of the Program.
- Review of reports prepared by staff regarding compliance.
- Approval of material changes to the Program as necessary to address changing risk of identity theft.
Reports shall be prepared as follows:
- Staff responsible for development, implementation and administration of the Program shall report to the Red Flag Committee at least annually on compliance by the organization with the Program.
- The report shall address material matters related to the Program and evaluate issues such as the effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts.
Staff Training and Reports
College staff responsible for implementing the program shall be trained either by or under the direction of the program administrator or his/her designee in the detection of Red Flags and the responsive steps to be taken when a Red Flag is detected. College employees are expected to notify the program administrator once they become aware of an incident of identity theft or of the college's failure to comply with the program. At least annually, or as otherwise requested by the program administrator, college staff responsible for development, implementation, and administration of the program shall report to the program administrator on compliance with this program. The report should address issues such as the effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening and maintenance of covered accounts, service provider arrangements, and significant incidents involving identity theft and management's response and recommendations for changes to the program.
Service Provider Arrangements
In the event the college engages a service provider to perform an activity in connection with one or more covered accounts, the college will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft:
- Require, by contract, that service providers have such policies and procedures in place, and
- Require, by contract, that service providers review the college's program and report any Red Flags to the program administrator or the college employee with primary oversight of the service provider relationship.
Non-disclosure of Specific Practices
For the effectiveness of this identity theft prevention program, knowledge about specific red flag identification, detection, mitigation and prevention practices may need to be limited to the committee who developed this program and to those employees with a need to know them. Any documents that may have been produced or are produced in order to develop or implement this program that list or describe such specific practices and the information those documents contain are considered confidential and should not be shared with other employees or the public. The program administrator shall inform the committee and those employees with a need to know the information of those documents or specific practices that should be maintained in a confidential manner.
Program Updates
The committee will periodically review, audit, and update this program to reflect changes in risks to students and the security of the college from identity theft. In doing so, the committee will consider the college's experiences with identity theft situations, changes in identity theft methods, changes in identity theft detection and prevention methods, and changes in the college's business arrangements with other entities. After considering these factors, the program administrator will determine whether changes to the program, including the listing of Red Flags, are warranted. If warranted, the committee will update the program.