Need to fast forward and report a red flag now? Send an email to [email protected].

Introduction

Montana State University (MSU) handles various accounts, including student accounts, employee records, and short-term loans, that require the use of personally identifiable information (PII). To safeguard this information, we adhere to the Fair and Accurate Credit Transactions Act (FACTA) established by the Federal Trade Commission (FTC) in 2003, which includes the Red Flags Rule. This rule requires financial institutions and creditors to implement programs to detect, prevent, and mitigate identity theft.

This training will cover where to find "red flags," what they look like, and what actions to take when you encounter them.

Key Definitions

Covered Accounts

  • Accounts primarily for personal, family, or household purposes that allow multiple payments or transactions (e.g., credit cards, loans, utility accounts).
  • Accounts with foreseeable risks of identity theft to students or account owners, including operational, compliance, reputation, or litigation risks.
  • Examples at MSU: student accounts, short-term loans, and certain payroll accounts.

Personally Identifiable Information (PII)

Information that identifies a specific person, such as names, addresses, phone numbers, identification numbers, social security numbers, birth dates, and more.

Nonpublic Personal Information (NPI)

While NPI sometimes overlaps with PII, it also includes information that is not generally public, like bank account numbers, account balances, credit card numbers, payment history, social security numbers, etc.

Identity Theft

Fraudulent use of someone else's PII without authorization.

Red Flag

A pattern, practice, or specific activity indicating potential identity theft.

Responsibilities

Program Management

  • The Vice President for Administration and Finance or senior financial administrator manages the program.
  • The Identity Theft Prevention Committee (ITPC) oversees the program's administration and monitoring. Report any red flags to ITPC via [email protected].
  • Unit heads are responsible for implementation within their units if they interact with PII or NPI.

Implementation

  • Deans, directors, department heads, or supervisors must implement and document identity theft prevention procedures, including:
    • Identifying relevant red flags.
    • Detecting red flags.
    • Preventing, responding to, and mitigating identity theft.
    • Reporting identity theft incidents.
    • Training staff.
    • Overseeing service provider arrangements.

Workplace Implementation

Our workplace must adhere to the FACTA and GLBA regulations regarding Personally Identifiable Information (PII) and Nonpublic Personal Information (NPI).

Clean desk policy

Desks must be kept clean and free of visible or easily accessible information or passwords relating either to PII/NPI or to gaining access to accounts containing PII and NPI.

Shred documents containing PII or NPI

Documents not currently in use or securely stored must be shredded. If the department uses a shred box, the box must be kept securely locked.

Computers that interact with NPI cannot accept USB thumb drives

Desktops, laptops, or other devices that interact with NPI must not allow USB/thumb drives to access them. Contact MSU UIT if you need to update any devices.

Procedures Documentation Template for Your Unit

You can use our unit procedures template document to create your procedures documentation.

Identifying and Detecting Red Flags

Identifying Red Flags

Consider the types of accounts, methods to open and access accounts, and previous experiences with identity theft.

Detecting Red Flags

  • Verify identity for new accounts and changes to existing accounts.
  • Monitor for suspicious activity, such as altered documents or inconsistent PII.

Examples of Red Flags

  1. Suspicious Documents:
    • Altered or forged identification documents.
    • Inconsistent information on identification compared to university records.
  2. Suspicious PII:
    • Inconsistencies with external sources (e.g., mismatched addresses).
    • PII linked to known fraudulent activity.
  3. Unusual Account Activity:
    • Unusual patterns like sudden large transactions or changes in usage.
    • Returned mail while transactions continue.
  4. Notifications:
    • Alerts from students, law enforcement, or other individuals about potential identity theft.

More examples of these appear in the FTC Red Flags Identity Theft policy.

Responding to Red Flags

Upon detecting a red flag

  • Monitor the account.
  • Contact the account owner.
  • Change security details.
  • Close or reopen accounts as needed.
  • Notify law enforcement if necessary.
  • Consult your supervisor or ITPC for guidance.

Reporting and Oversight

Reporting:

Service Provider Oversight:

  • Ensure service providers comply with identity theft prevention policies and FTC regulations. Require certification of compliance and prompt reporting of red flags.

Conclusion

Always remain vigilant for signs of identity theft. Your proactive actions are crucial to protecting the integrity and security of our university's accounts. If you have any questions or encounter any red flags, don't hesitate to contact your supervisor or email [email protected] for assistance.

Verification of Understanding
By clicking "I verify" below, you are verifying that you reviewed the information provided on this webpage.