Tulane University’s Identity Theft Prevention Program
I. Program Adoption
The Administrators of the Tulane Educational Fund (“Tulane”) developed this Identity Theft Prevention Program (“Program”) pursuant to the Federal Trade Commission’s (“FTC”) Red Flags Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003. After consideration of the size and complexity of Tulane’s operations and account systems, and the nature and scope of the Tulane’s activities, the Board of Administrators determined that this Program was appropriate for Tulane, and therefore approved this Program on April 16, 2009.
II. Definitions
“Identity Theft” is a “fraud” committed or attempted using the identifying information of another person without authority.”
A “Red Flag” is a “pattern, practice, or specific activity that indicates the possible existence of Identity Theft.”
A “Covered Account” includes all student and employee accounts or loans that are administered by Tulane and any patient accounts maintained by Tulane University Medical Group.
“Program Administrator” is the individual designated with primary responsibility for oversight of the program. See Section VII below.
III. Covered Accounts
Tulane has identified various types of accounts that fall within the definition of a covered account as set forth below:
1. Federal Perkins Loan Program
2. Health Professional Loan Program
3. Institutional Loans
4. Student Accounts
5. Patient Accounts
IV. Identification of Relevant Red Flags
Tulane considers the following risk factors in identifying relevant red flags for covered accounts:
1. Receipt of Notice of Dispute from a credit agency;
2. Identification document or card that appears to be forged, altered or inauthentic;
3. Identification document or card on which a person’s photograph or physical description is not consistent with the person presenting the document;
4. Other document with information that is not consistent with employee or student information;
5. Identifying information presented that is inconsistent with other information the employee, patient or student provides (example: inconsistent birth dates);
6. Identifying information presented that is inconsistent with other sources of information (for instance, an address not matching an address on a Perkins loan application);
7. Social security number presented that is the same as one given by another student, employee or patient;
8. Notice to Tulane that an account has unauthorized activity;
9. Notice by student to Tulane of unauthorized access to or use of student account information;
10. Notice to Tulane from a student, employee, patient, identity theft victim, law enforcement or other person that Tulane has opened or is maintaining a fraudulent account for a person engaged in Identity Theft;
11. Patient signs a different name on registration forms;
12. Patient presents conflicting demographic information during registration or treatment without presenting a corroborating piece of identification;
13. Patient receives a bill and asserts that he/she did not receive services at the facility and other processes indicate that this is likely to be true;
14. Payment is denied by insurance because it is improbably or impossible that the insured patient received the service; and
15. Patient or patient’s representative admits during the process that someone else’s identity is being used.
V. Detecting Red Flags
A. Student Enrollment
In order to detect any of the Red Flags identified above associated with the enrollment of a student, University personnel will take the following steps to obtain and verify the identity of the person opening the account:
1. Require certain identifying information such as name, date of birth, academic records, home address or other identification; and
2. Verify the student’s identity at time of issuance of student identification card (review of driver’s license or other government-issued photo identification).
B. Existing Accounts
In order to detect any of the Red Flags identified above for an existing Covered Account, University personnel will take the following steps to monitor transactions on an account:
1. Verify the identification of students if they request information (in person, via telephone, via facsimile, via email).
C. Consumer Report Requests
In order to detect any of the Red Flags identified above for an employment position for which a credit or background report is sought, Tulane personnel will take the following steps to assist in identifying address discrepancies:
1. Require written verification from any applicant that the address provided by the applicant is accurate at the time the request for the credit report is made to the consumer reporting agency.
VI. Preventing and Mitigating Identity Theft
In the event Tulane personnel detect any identified Red Flags, such personnel shall take one or more of the following steps, depending on the degree of risk posed by the Red Flag:
Prevent and Mitigate
1. Continue to monitor a Covered Account for evidence of Identity Theft;
2. Change any password or other security devices that permit access to Covered Accounts;
3. Notify the Program Administrator for determination of the appropriate step(s) to take;
4. Notify law enforcement;
5. Determine that no response is warranted under the particular circumstances.
Protect Student Identifying Information
In order to further prevent the likelihood of Identity Theft occurring with respect to Covered Accounts, the University will take the following steps with respect to its internal operating procedures to protect student identifying information:
1. Ensure that its website is secure; and
2. Ensure that system access to Covered Account information is password protected.
VII. Program Administration
A. Oversight
Responsibility for developing, implementing and updating the Program lies with an Identity Theft Committee (“Committee”) for Tulane. The Committee is headed by a Program Administrator who is Tulane’s Vice President for Information Technology and Chief Technology Officer who can be reached at (504) 988-8555. The Program Administrator will be responsible for ensuring appropriate training of Tulane staff on the Program, for reviewing any staff reports regarding the detection of Red Flags and the steps for preventing and mitigating Identity Theft, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the Program.
B. Staff Training and Reports
Tulane staff responsible for implementing the Program shall be trained either by or under the direction of the Program Administrator in the detection of Red Flags and the responsible steps to be taken when a Red Flag is detected.
C. Program Updates
The Committee will review and update this Program at least annually to reflect changes in risks to students, patients and employees and the soundness of Tulane from Identity Theft. In doing so, the Committee will consider Tulane’s experiences with Identity Theft situations, changes in Identity Theft methods, changes in Identity Theft detection and prevention methods, and changes in Tulane’s business arrangements with other entities. After considering these factors, the Program Administrator will determine whether changes to the Program, including the listing of Red Flags, are warranted. If warranted, the Program Administrator shall update the Program.
D. Oversight of Service Provider Arrangements
Tulane shall take steps to ensure that the activity of a service provider is conducted in accordance with reasonable policies and procedure designed to detect, prevent and mitigate the risk of identity theft whenever the organization engages a service provider to perform an activity in connection with one or more covered accounts.
VIII. Revision History
Version: 1.0
Approved Date: April 16, 2009
Effective Date: May 1, 2009
