FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud.

Presentation transcript:

FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud

Objectives
- Introduction to the law and why it applies to the University
- Understand what the law requires
- Understand what type of information is used in identity theft
- Understand the types of Red Flags
- What to do if a Red Flag surfaces
- Security of information
- Describe the role of UW central office support
- Provide resources regarding Red Flag rules

FACTA - Red Flag Rules
The Financial Institution Regulators have issued a final rule (the Red Flag Rule) under sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA), which amended the Fair Credit Reporting Act (FCRA). The Red Flag Rule requires financial institutions (the University of Washington is considered a financial institution) and creditors that hold covered accounts (e.g., student loan) to develop and implement an identity theft prevention program for new and existing accounts.

Requirements of the Law
- Identify risks that signify potentially fraudulent activity
- Detect risks
- Respond to risks to determine if fraudulent activity has occurred
- Update the program periodically

Personally Identifiable Information
Consumer’s:
- First, middle, or last name
- Date of birth
- Address
- Telephone or wireless numbers
- Social Security number
- Maiden name
- Account numbers
Credit card information:
- Account number (whole or part)
- Expiration date
- Cardholder name
- Cardholder address
Medical information for any customer:
- Doctor names and claims
- Insurance claims
- Prescriptions
- Treatment or diagnoses
- Any related personal medical information

Red Flag Alerts
- Documents provided for identification appear to have been altered or forged.
- The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
- An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
- Personal identifying information provided is inconsistent when compared against external information.
- The Social Security number provided is the same as that submitted by others.
- Social Security numbers do not match on all documents.
- The customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
- Personal identifying information provided is not consistent with personal identifying information on file.
- Excessive address changes.
- Unusual number of inquiries on the account.
- A student asking for their student number because they lost their ID card.

What To Do When A Red Flag Surfaces?
- Most important - notify your manager immediately
- Gather all related documentation
- Write a description of the situation
- Monitor the account involved
- Contact the customer
- Change passwords if needed
- Notify law enforcement
- Or determine no response is warranted in this case

Protection of Customer Information
The University is committed to providing protection from identity theft. It is the law:
- The Gramm-Leach-Bliley Act (GLB) requires protection of customers’ information
- The Family Educational Rights and Privacy Act (FERPA) of 1974 (20 U.S.C. §1232g; 34 CFR Part 99) is a federal law that protects the privacy of students

Information Safeguards
Safeguards to protect the security, confidentiality, and integrity of customer information fall into 3 basic categories:
- Administrative
- Technical
- Physical
A department that handles non-public personal information must assume responsibility for safeguard procedures. Each department must have a security policy to comply with the law requirements for safeguarding information. Employees must adhere to those safeguard procedures.

Information Safeguards
Administrative Safeguards focus on departmental processes and include, but are not limited to:
- Adhering to standards for handling customer information
- Following basic steps to protect customer information (see next slide)
- Promoting awareness and knowledge about applicable policies and expectations
- Limiting access to customer information to employees who have a business need to see it
- Referring calls or requests for customer information to staff trained to respond to such requests
- Being alert to fraudulent attempts to obtain customer information and reporting these to management for referral to appropriate law enforcement agencies

Information Safeguards
Technical Safeguards: Technical safeguards regarding hardware and networking are generally designed and provided to campus by Computing and Communications. Department staff must be aware and knowledgeable regarding how their digital customer information is safeguarded.

Information Safeguards
Technical Safeguards – Your Workstation:
- Use anti-virus software that updates automatically
- Maintain up-to-date firewalls if your department manages them internally, particularly if your department uses broadband Internet access or allows staff to connect to the network from home
- Use a password-protected screensaver or log off the computer each time you step away
- Do not store non-public personal information on personal workstations; use the University network only
- Do not send non-public personal information via

Information Safeguards
Technical Safeguards – Your Passwords:
- Do not post your passwords on or near your terminal
- Do not give your passwords out to anyone
- Change your passwords periodically (see C&C recommendations on MyUW)
- Use complex passwords

Information Safeguards
Technical Safeguards – Physical Environment:
- Lock and secure rooms and file cabinets where customer information is kept and limit access to authorized employees
- Ensure that storage areas are protected against damage from physical hazards, like fire or floods
- Do not leave credit card slips, bank documents or other similar documents in public view
- Dispose of information appropriately (see next slide)

Information Safeguards
Physical Safeguards – Appropriate disposal:
- Designate a trained staff member to supervise the disposal of records containing customer personal information
- Shred or recycle customer information recorded on paper and store it in a secure area until the shredding/recycling service picks it up
- Erase all data when disposing of computers, diskettes, magnetic tapes, hard drives or any other electronic media that contains customer information
- Promptly dispose of outdated customer information within record retention policies
- Shred printed material containing financial or personal information once it is no longer needed
- NEVER throw documents containing Credit Card, banking, or other non-public personal information directly into the trash or recycling

UW Support
The University of Washington provides support by:
- periodically assessing security risks
- communicating through this training program
- providing guidelines for secure computer data
- providing resource and educational materials
- providing security tools and software
- providing support for safeguard failure response

Every Department Plays a Role
Each department:
- is required to have a security policy
- is responsible for training staff
- needs to be aware of red flags
- needs to assure that staff are familiar with the web sites for safeguarding information of these three types:
  - administrative
  - technical
  - physical
The University of Washington central office staff provide support and resources for you to help protect non-public personal information.

Resources
Available resources: Many policies, procedures and resources are available that support our efforts to protect non-public personal information. A list of related resources can be found on the University of Washington Information Security Program web page.