Main menu (IT)

Identity Theft Red Flag & Security Incident Reporting Procedure

Keyboard with thumbprint on a key, representing Identity Theft.

Introduction

The purpose of the Identity Theft Red Flag and Security Incident Reporting Procedure is to provide information to assist individuals in 1) detecting, preventing, and mitigating identity theft in connection with the opening of a “covered account” or any existing “covered account” or who believe that a security incident has occurred and 2) reporting a security incident.

 

Scope

Security Incident

Existing California law requires that any organization that owns computerized data that includes personal information shall disclosure any breach of security of the system following discovery or notification of the breach in the security of the system to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Red Flag Rules

In 2003, the U.S. Congress enacted the Fair and Accurate Credit Transaction Act of 2003 (FACT Act) which required the Federal Trade Commission (FTC) to issue regulations requiring “creditors” to adopt policies and procedures to prevent identify theft.

In 2007, the Federal Trade Commission (FTC) issued a regulation known as the Red Flag Rule. The rule requires “financial institutions” and “creditors” holding “covered accounts” to develop and implement a written identity theft prevention program designed to identify, detect and respond to “Red Flags.”

Standards & Practices

Identification of Red Flags

Broad categories of “Red Flags” include the following:

  • Alerts - alerts, notifications, or warnings from a consumer reporting agency including fraud alerts, credit freezes, or official notice of address discrepancies
  • Suspicious Documents - such as those appearing to be forged or altered, or where the photo ID does not resemble its owner, or an application which appears to have been cut up, re-assembled and photocopied
  • Suspicious Personal Identifying Information - such as discrepancies in address, Social Security Number, or other information on file; an address that is a mail-drop, a prison, or is invalid; a phone number that is likely to be a pager or answering service; personal information of others already on file; and/or failure to provide all required information
  • Unusual Use or Suspicious Account Activity - such as material changes in payment patterns, notification that the account holder is not receiving mailed statement, or that the account has unauthorized charges
  • Notice from Others Indicating Possible Identity Theft - such as the institution receiving notice from a victim of identity theft, law enforcement, or another account holder reports that a fraudulent account was opened

Detection of Red Flags

Detection of Red Flags in connection with the opening of covered accounts as well as existing covered accounts can be made through such methods as:

  • Obtaining and verifying identity
  • Authenticating customers
  • Monitoring transactions

A data security incident that results in unauthorized access to a customer’s account record or a notice that a customer has provided information related to a covered account to someone fraudulently claiming to represent CSUN or to a fraudulent website may heighten the risk of identity theft and should be considered Red Flags.

Response to a Red Flag

The detection of a Red Flag by an employee shall be reported to the Information Security Officer and to the appropriate administrator in the reporting area. Based on the type of red flag, the appropriate administrator and the Information Security Officer will work with the employee to determine the appropriate response.

Security Incident Reporting

Security Incident Reporting

Any employee who believes that a security incident has occurred must immediately notify their appropriate administrator and the campus Information Security Officer. The campus incident response standard will be followed to address each incident in an appropriate manner. Submit a Security Incident Report to report an incident. 

Service Providers

CSUN remains responsible for compliance with the Red Flag Rules even if it outsources operations to a third party service provider. The written agreement between the university and the third party service provider shall require the third party to have reasonable policies and procedures designed to detect relevant Red Flags that may arise in the performance of their service provider’s activities. 

The written agreement must also indicate whether the service provider is responsible for notifying only CSUN if a Red Flag is detected or if the service provider is responsible for implementing appropriate steps to prevent or mitigated identify theft.

Identity Theft

What is Identity Theft?

Identity theft is the illegal use of another's personal information, such as credit card numbers, Social Security number, or driver's license number, to commit fraud or other crimes. The more difficult you make it to steal your information the harder it is for the suspect to make you a victim. If you suspect that your identity or bank accounts have been tampered with contact your local law enforcement agency and credit/banking institution immediately. The longer you wait-the more damage can be done.

What to do if you’re the victim of identity theft:

  1. Immediately close any/all accounts you believe to be fraudulent. 
  2. Immediately place a fraud alert on your accounts with fraudulent activity AND with all three credit reporting agencies (see below for reporting agencies information). 
  3. Make a police report with the law enforcement agency in the city that you live in (or where the incident occurred if possible).

To learn more, visit the Department of Police Service's Identity Theft page

Definitions:

Covered Account - A consumer account designed to permit multiple payments or transactions. These are accounts where payments are deferred and made by a borrower periodically over time such as a tuition or fee installment payment plan.

Creditor - A person or entity that regularly extends, renews, or continues credit and any person or entity that regularly arranges for the extension, renewal, or continuation of credit. Examples of activities that indicate a college or university is a “creditor” are:

  • Participation in the Federal Perkins Loan program;
  • Participation as a school lender in the Federal Family Education Loan Program;
  • Offering institutional loans to students, faculty or staff;
  • Offering a plan for payment of tuition or fees throughout the semester, rather than requiring full payment at the beginning of the semester.

Personal Identifying Information - Specific items of personal information identified in CA Civil Code Sections 1798.29 and 1798.3. This information includes an individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: Social Security Number, driver’s license/California identification card number, health insurance information, medical information, or financial account number such as credit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

Red Flag - A pattern, practice or specific activity that indicates the possible existence of identity theft.

Security Incident - A collection of related activities or events which provide evidence that personal information could have been acquired by an unauthorized person.

Training

All employees who process any information related to a covered account shall receive training following appointment on the procedures outlined in this document. Refresher training may be provided annually. Visit the Security Awareness page for more information. 

Related Policy