The Board of Trustees ("Board") recognizes that some activities of Nova Southeastern University (NSU) are subject to the provisions of the Fair and Accurate Credit Transactions Act (FACTA) and the Federal Trade Commission's Identity Theft Prevention "Red Flag" Rules (16 C.F.R. §681.1), and that Identity Theft is a serious and growing problem. Therefore, the Board approves of and adopts the following initial Identity Theft Prevention Program for Nova Southeastern University.
- Definitions
The following definitions shall apply to this Program:
"Covered accounts":
- Any account NSU offers or maintains primarily for personal, family or household purposes that involves or is designed to permit multiple payments or transactions.
- Business, personal and student financial aid accounts for which there is a reasonably foreseeable risk of identity theft or a reasonably foreseeable risk to the safety of the College from identity theft, including financial, operational, compliance and litigation issues.
"Customer": Any person with a covered account with NSU.
"Identifying information": Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including:
- Personal information belonging to any employee, student, patient or customer, examples of which include:
  - Names, including maiden name
  - Address
  - Telephone number
  - Social security number
  - Date of birth
  - Student or employee identification number
  - Phone numbers
  - Government issued driver's license or identification number
  - Alien registration number
  - Government passport number
  - Credit card information, including any of the following:
    - Credit card number (whole or in part)
    - Credit card expiration date
    - Cardholder name
    - Cardholder address
  - Employer or taxpayer identification number
  - Banking information
  - Unique electronic identification number
  - Computer's Internet Protocol address or routing code
- Medical insurance information for any employee, student or patient including, but not limited to:
  - Practitioner names and claims
  - Insurance claims
  - Any related personal medical information
"Identity Theft": A fraud committed using the identifying information of another person.
"NSU Health Care Provider": Any clinic operated and managed by NSU which offers health care services.
"Patient": Any person with a covered health care account.
"Patient Account": Covered accounts at NSU Health Care Clinics. See also the definition of NSU Health Care Provider.
"Red Flag": A pattern, practice, or specific activity that indicates the possible existence of Identity Theft.
- Program Adoption
The NSU Board of Trustees has adopted this initial Identity Theft Prevention Program ("Program") in compliance with the "Red Flag" rules issued by the Federal Trade Commission pursuant to the Fair and Accurate Credit Transactions Act ("FACTA"). NSU is engaging in activities which are covered by the FACTA Red Flag rules due to NSU's participation in the Federal Perkins Loan Program, the Parent Loan for Undergraduate Students (PLUS) program, the Federal Subsidized and Unsubsidized Stafford Loan programs, deferred billing, and promissory notes for covered accounts, and NSU's requests for credit reports on some potential employees during the hiring process.
After consideration of the size and complexity of NSU's operations and account systems, the nature and scope of NSU's activities, and our risk assessment of potential identity theft opportunities, the Board has determined that this Program is appropriate for NSU. This policy and protection program applies to employees and students at NSU, including all personnel affiliated with third parties.
- Program Purpose
Under the Red Flag rules, NSU is required to establish an "Identity Theft Program" with reasonable policies and procedures to detect, identify, and mitigate identity theft in its covered accounts. The risk to NSU, its employees, students, customers, and patients from data loss and identity theft is of significant concern to NSU and can be reduced only through the combined efforts of every employee and vendor. This program is intended to identify, detect, prevent, and mitigate opportunities for identity theft at Nova Southeastern University.
This policy enables NSU to protect existing employees, students, customers, and patients, reduce risk from identity fraud, and minimize potential damage to NSU from fraudulent new accounts. The program will help NSU:
- Identify risks that signify potentially fraudulent activity within new or existing covered accounts;
- Detect risks when they occur in covered accounts;
- Respond to risks to determine if fraudulent activity has occurred and act if fraud has been attempted or committed; and
- Update the program periodically, including reviewing the accounts that are covered and the identified risks that are part of the program.
- Responsible University Official
The President has designated the Director of Risk Management to serve as Program Administrator. The Program Administrator shall exercise appropriate and effective oversight over the Program and shall report regularly to the President on the Program.
- Program Administration and Maintenance
The Identity Theft Prevention Program shall not be operated as an extension of any existing NSU policies that address fraud prevention. The Program warrants the highest level of attention. The Program Administrator is responsible for developing, implementing and updating the Program throughout the NSU system. The Program Administrator will be responsible for ensuring appropriate training of NSU staff on the Program; for reviewing any staff reports regarding the detection of Red Flags and the steps taken for identifying, preventing and mitigating identity theft; for determining which steps of prevention and mitigation should be taken in particular circumstances; and for considering periodic changes to the Program.
The Program will be periodically reviewed and updated to reflect changes in identity theft risks and technological changes. The Program Administrator will consider NSU's experiences with identity theft; changes in identity theft methods; changes in identity theft detection, mitigation and prevention methods; changes in the types of accounts NSU maintains; changes in NSU's business arrangements with other entities; and any changes in legal requirements in the area of identity theft. After considering these factors, the Program Administrator will determine whether changes to the Program, including the listing of Red Flags, are warranted.
The Program Administrator shall confer with all appropriate NSU personnel as necessary to ensure compliance with the Program. The Program Administrator shall annually report to the President on the effectiveness of the Program. The Program Administrator shall present any recommended changes to the President for approval. The President's approval shall be sufficient to make changes to the NSU Identity Theft Program.
- Covered Accounts
A covered account is generally a consumer account designed to permit multiple payments or transactions. These are accounts where payments are deferred and made by a borrower periodically over time, such as a tuition or fee installment payment plan. See the definition of covered accounts above.
The following are examples of NSU Covered Accounts:
- Participation in the Federal Perkins Loan Program
- Participation in the Parent Loan for Undergraduate Student (PLUS) program
- Participation in Federal Subsidized FFEL Stafford Loans
- Participation in Unsubsidized Stafford Loans
- Participation as a school lender in the Federal Family Education Loan Program
- Deferred payment of tuition
- Payment plans for tuition or fees throughout the semester, rather than requiring full payment at the start of the semester
- Payment plans and promissory notes for other covered student accounts
- Emergency loans to students, faculty or staff
- Accounts receivable
The following are examples of Covered Patient Accounts at NSU Health Care Clinics:
- NSU Health Care Provider patient payment plans
- NSU Health Care Provider non-emergency patient billing
- Identification of Red Flags
In order to identify relevant Red Flags, NSU considers the types of accounts that it offers and maintains, the methods it provides to open its accounts, the methods it provides to access its accounts, and its previous experiences with Identity Theft. Red Flags generally fall within one of five general categories. Although some Red Flags can appear harmless on their own, they may signal identity theft when paired with one or more others. The following are relevant Red Flags, in each of the listed categories, which employees should be aware of and diligent in monitoring for:
- Alerts - alerts, notifications, or warnings from a consumer reporting agency, including fraud alerts, credit freezes, or official notice of address discrepancies.
- Suspicious Documents - such as documents appearing to be forged or altered, photo identification that does not resemble its owner, or an application which appears to have been cut up, re-assembled and photocopied.
- Suspicious Personal Identifying Information - such as discrepancies in address, Social Security Number, or other information on file; an address that is a mail-drop, a prison, or is invalid; a phone number that is likely to be a pager or answering service; personal information of others already on file; and/or failure to provide all required information.
- Suspicious Account Activity or Unusual Use of Account - such as material changes in payment patterns, notification that the account holder is not receiving mailed statements, or that the account has unauthorized charges.
- Alerts from Others - notice to NSU from a customer, a victim of identity theft, law enforcement authorities, or other entities about possible identity theft in connection with covered accounts.
- Additional Red Flags Specific to Health Care Clinics - such as failure to produce an insurance card or other physical documentation of insurance even though an insurance number was provided; medical treatment that is inconsistent with a physical examination or with the medical history as reported by the patient; complaints and inquiries from a patient regarding billing; or a patient or insurance company report that coverage for a legitimate service is denied because insurance benefits have been depleted or a lifetime cap has been reached.
- Detecting Red Flags
The Program's general Red Flag detection practices are described in this document. The Program Administrator and each NSU College, School and Clinic will implement the Program and follow protocols appropriate to meet the requirements of this Program.
In order to detect any of the Red Flags identified above associated with the opening of a new account, NSU personnel will take the following steps to obtain and verify the identity of the person opening the account:
- Require certain identifying information such as name, date of birth, residential or business address, driver's license or other identification;
- Verify the customer's identity (for instance, review a driver's license or other identification card);
- Independently contact the customer; and
- For emergency loans, require that requests be made in person by presenting photo identification or in writing from the student's NSU-issued e-mail account. The loan check can only be mailed to an address on file or picked up in person by showing picture ID.
- Existing Accounts
In order to detect any of the Red Flags identified above for an existing account, NSU personnel will take the following steps to monitor transactions with an account:
- Verify the identification of customers if they request information (either in person, via telephone, via facsimile, or via email);
- Verify the validity of requests to change billing addresses; and
- Verify changes in banking information given for billing and payment purposes.
- Methods to Access Covered Accounts
In order to prevent unauthorized access to covered accounts, NSU personnel will take the following steps:
- Disbursement of information contained in covered accounts to a person appearing in person requires presentation of photo identification.
- Disbursement of information contained in covered accounts by mail can only be made to the address on file under the covered account.
- Refunds of credit balances, including loan balances, must be requested in person by presenting photo identification or in writing from the student's NSU-issued email account. Refund checks can only be mailed to an address on file or picked up in person by showing photo identification.
- A credit balance on a PLUS loan must be refunded in the parent's name and mailed to the parent's address on file within the time period specified. No request is required.
- Credit card information used in association with covered accounts must be maintained in accordance with NSU's Credit Card Processing Policy.
- Responding to Red Flags: Preventing and Mitigating Identity Theft
In the event NSU personnel detect any identified Red Flags, such personnel shall take all appropriate steps to respond to and mitigate identity theft depending on the nature and degree of risk posed by the Red Flag. When a potentially fraudulent activity is detected, NSU must act quickly as appropriate to protect students, employees, customers and patients.
The detection of a Red Flag by an employee shall be reported to their supervisor or designated authority, who in turn will report the matter to the Program Administrator following an initial authentication review. The Program Administrator or their authorized designee shall conduct an investigation into the reported suspicious activity and, based on the type of Red Flag, will determine the appropriate response.
- Updating the Program Periodically
This Program will be periodically reviewed and updated to reflect changes in the risks to NSU and its customers from identity theft. At least once per year, the Program Administrator will consider NSU's experience with identity theft, changes in methods of identity theft, and changes in methods to detect, prevent and mitigate identity theft; review any changes in the types of accounts that NSU maintains; assess which accounts are covered by the Program; and review any changes in NSU's business arrangements with other entities. As part of the review, Red Flags may be revised, replaced, or eliminated. Defining new Red Flags may also be appropriate.
- Staff Training and Reporting
NSU employees responsible for implementing the Program shall be trained under the direction of the Program Administrator in the detection of Red Flags, and the responsive steps to be taken when a Red Flag is detected. Staff training shall be provided for all employees, officials and contractors for whom it is reasonably foreseeable that they may come into contact with covered accounts or personally identifiable information that may constitute a risk to NSU or its students or customers. Employees must receive annual training in all elements of the Red Flags Policy, and employees must continue to receive additional training as changes to the program are made. Employees shall follow the procedures for detecting and reporting Red Flags as outlined in the Red Flags Policy.
The Program Administrator shall report to the Board of Directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by NSU Colleges, Schools, and Clinics with the Red Flag Regulations (16 C.F.R. §681.1).
- Oversight of Service Provider Arrangements
It is the responsibility of NSU to ensure that the activities of all service providers are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. In the event NSU engages a service provider to perform an activity in connection with one or more covered accounts, NSU will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft:
- Require, by contract, that service providers have such policies and procedures in place; and
- Require, by contract, that service providers review NSU's Program and report any Red Flags to the Program Administrator.
- A vendor that maintains its own identity theft prevention program, consistent with the guidance of the Red Flag rules and validated by appropriate due diligence, may be considered to be meeting these requirements.