Some Towson University employees perform roles that put them in contact with sensitive information such as personal identifying information or accounts. If you are one of these employees, it's important that you follow best practices to protect sensitive information and safeguard TU customers from identity theft. Read on for instructions on how to detect and respond to red flags, verify a customer's identity, and report findings. This information follows the Federal Trade Commission's red flag rule guidelines and TU’s identity theft policy.
If you are an employee who works with covered accounts or personal information, you must complete red flag training. Failure to complete training could result in losing access to university systems, as well as administrative sanctions (including termination or expulsion) and personal civil and/or criminal liability. Training will be made available in the coming months.
If you work with personal identifying information or accounts, you should monitor for the following red flags, which may indicate an attempt to steal someone’s identity.
If you encounter a red flag, respond immediately in accordance with the degree of risk posed to the account. If the risk is low, you might consider continuing to monitor the account for evidence of identity theft. If the risk is moderate, you may choose to contact the customer, notify the program administrator, and/or change passwords or other security devices that permit access to accounts. If the risk is elevated, you may elect to not open a new account, close an existing account and reopen an account with a new number, or notify appropriate law enforcement and other university officials, including Management Advisory and Compliance Services.
To report a red flag, please complete the Identity Theft Incident Report.
To protect against identity theft, you should verify the identity of anyone opening or using a covered account. There are different verification processes for new and existing accounts.
You should follow a two-step process to verify the identity of customers establishing new covered accounts. First, secure identifying information such as name, date of birth, TU ID number, residential or business address, or other information used in university systems. Then, verify that information against photo identification, such as a valid driver’s license, OneCard or other identification card.
For existing covered accounts, you should monitor transactions and verify customers’ identities for information requests and account changes. Make sure to verify the identity of a customer before providing account information, whether it’s in person, by phone or via email or fax. You should also verify the validity of any requests to change billing addresses or banking information before completing those requests.
For a list of frequently asked questions, please check the Federal Trade Commission’s website.
Any area containing documents with sensitive data should be locked when not in use. Storage rooms containing documents with sensitive data must be locked at the end of each workday. Desks, workstations, work areas, printers and fax machines, and common shared work areas must be cleared of all documents containing sensitive data when not in use. Whiteboards, dry-erase boards, writing tablets, etc. in common shared work areas containing personal identifying information must be erased, removed, or shredded when not in use. Documents containing personal identifying information must be destroyed in a secure manner such as document shredding.
You must verify an individual's identity before allowing him or her to open an account. Similarly, before an individual may access or be provided with information concerning an existing account, he or she must demonstrate authorization to access the account. When opening a new account, check a current government-issued identification card, such as a driver’s license or passport. Ask challenging questions based on information from other sources. For higher-risk situations, consider using multi-factor authentication techniques such as passwords, PINs, smart cards, tokens or biometric identification. The university will never ask account holders to share their password or PIN with anyone else.
Personal identifying information in an electronic format may only be transmitted using approved methods, such as through a university-approved encryption program.
Service providers that handle university accounts covered by the red flag rule must comply with the regulations. The university’s contract with service providers requires them to have compliant policies and procedures in place, which obligates the service provider to meet university red flag rule standards. Departments should monitor service provider performance relative to identity theft prevention procedures by conducting an annual assessment of the service provider’s policies and procedures to ensure they comply with the red flag rule. Departments must also require reports from the service provider about incidents detected and their responses. This information should be shared with Fiscal Affairs each January via the annual identity theft survey.