Identity Theft Program

Stevens Institute of Technology (“Stevens” or the “University”) developed this Identity Theft Prevention Program ("Program") pursuant to the Federal Trade Commission’s (“FTC”) Red Flags Rule (“Red Flags Rule”), which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003.  The Red Flags Rule requires financial institutions and creditors (including colleges and universities) to develop and implement an Identity Theft Prevention Program.  Stevens developed this Identity Theft Program based on the size and complexity of the University's operations and accounting systems, and the nature and scope of the University's operating activities.

Stevens is considered a creditor for purposes of the Red Flags Rule because it participates in the Federal Perkins loan program, offers institutional loans, and offers a payment plan for tuition throughout the semester. Identity Theft means fraud committed or attempted using the identifying information of another person without authority and Red Flags are the activities that may signal attempted identity theft.
The University’s Identity Theft Prevention Program incorporates existing policies and procedures, including the Information Security Policy and related appendices.

A. Compliance with the Red Flags Rule

Under the Red Flags Rule, the University is required to establish an “Identity Theft Prevention Program” tailored to its size, complexity, and the nature of its operation. Each program must contain reasonable policies and procedures to:

1. Identify relevant Red Flags for new and existing covered accounts and incorporate those Red Flags into the Program;

2. Detect Red Flags that have been incorporated into the Program;

3. Respond appropriately to any Red Flags that are detected to prevent and mitigate Identity Theft; and

4. Ensure the Program is updated periodically to reflect changes in risks to students.

B. Definitions

Covered Account:  All student and employee accounts or loans that are administered by the University as a creditor, including but not limited to Perkins Loans accounts and any other account that poses a reasonably foreseeable risk to customers of identity theft.

Creditor: Any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.

Identity Theft:  A fraud committed or attempted using the identifying information of another person without authority.

Identifying information:  Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including but not limited to name, address, telephone number, social security number, date of birth, government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, student identification number, computer’s Internet Protocol address, or routing code.

Red Flag:  A pattern, practice, or specific activity that indicates the possible existence of Identity Theft.

Responsible Employees:  All Stevens employees who handle in their role with the University personal financial information of students, employees, donors, or other individuals.

Program Administrator: The individuals designated with primary responsibility for oversight of the program as set forth in Section F below.

C. Red Flags

All Stevens employees who handle personal financial information of individuals in their role with the University (“Responsible Employees”) have a responsibility to pay careful consideration to potential Red Flags when conducting university business involving accounts subject to the Red Flags rule include the following.  Specifically, they should pay attention to the following: 

1. Notice or report from a credit reporting agency indicating a discrepancy in information reported by the applicant or possible fraudulent activity on a credit account or report.

2. Presentation of identification documents that appear to be forged or inauthentic.

3. Presentation of identifying information that is inconsistent with other information on file or presented (examples: inconsistent birth dates or social security numbers).

4. Failure to complete personal identifying information on an application when reminded to do so.

5. Receipt of returned mail as undeliverable to student addresses that are on file.

6. Breach in the university’s computer system security and/or detected unauthorized access to student account information.

7. Receipt of notice that someone with an account has been engaged in or victimized by Identity Theft.

D. Detection

In order to detect any of the Red Flags described above, University personnel will take the following steps to verify identification of students, employees, or donors:

1. Require certain identifying information be provided such as name, date of birth, academic records, home address, etc.

2. Before issuing a student identification card, verify the student’s identity by reviewing a driver’s license or other government issued photo identification.

3. Verify the identity of a student or supporting parent if they request information on the student’s account.

E. Prevention

In the event that University personnel detect any identified Red Flags, one or more of the following steps, depending on the assessed degree of risk of Identity Theft, will be taken:

1. Monitor the account for other evidence of identity theft.

2. Contact the student.

3. Change passwords that permit access to covered accounts.

4. Provide student with a new identification number.

5. Notify law enforcement.

6. Determine that no response is warranted under the circumstances.

The CFO, Vice President of Finance and Treasurer or designee will be consulted prior to notifying law enforcement of possible risks of Identity Theft.

In order to prevent the likelihood of Identity Theft occurring, the University’s internal operating procedures include controls such as the following.

1. Ensure that the website is secure or provide clear notice that it is not secure.

2. Ensure complete and secure destruction of paper documents and computer files containing student account information.

3. Ensure that access to student account information is password protected.

4. Whenever possible, avoid use of social security numbers.

5. Ensure computer virus protection is up-to-date.

6. Require and maintain only the types of student information that are necessary for University purposes.

F. Administration

Responsibility for developing, implementing, and updating the University’s Identity Theft Program falls under the jurisdiction of the Executive Director of Student Accounts and Auxiliary Services, the Director of Student Accounts, the Director of Technology Commercialization, the Chief Information Security Officer and the Chief Compliance Officer. These employees will meet at least once a year to discuss appropriate communication and training of staff, Red Flags that have been identified during the year, if any, and steps taken to mitigate these situations, new prevention measures to consider, testing requirements, and any other issues relevant to the program. Essential information discussed during the meeting will be documented.

The employees responsible for the Program will communicate the requirements of the Program to directors of departments impacted by the Program. Directors are responsible for training appropriate university staff in their departments regarding the requirements of this Program. Directors are also responsible for ensuring that any third-party organization their department may use for services in connection with students accounts and loans comply with the FTC’s Red Flags Rule. Such assurances will include written confirmation that service providers have policies and procedures in place to Identify Red Flags and that service providers review the University’s Program and report any Red Flags to the University employee with primary oversight of the service provider relationship.