Preventing, Detecting and Mitigating Identity Theft
The Red Flag regulations require all financial institutions (the University of Washington is considered a financial institution) to implement identity theft protection programs, including reasonable policies and procedures for preventing identity theft and the ability to track red flag activities and notify victims. The University has an administrative policy statement (APS 35.2) governing Red Flag Rules.
Purpose and Scope
In its capacity as a creditor to protect existing consumers, reduce risk from identity fraud, and minimize potential damage from fraudulent new accounts with the least possible impact on business operations, the University of Washington is subject to 16 CFR 68.12 “Identity Theft Rules”, which requires the establishment of a written Identity Theft Prevention Program (ITPP) for covered accounts. This program applies to business practices used by employees when conducting business activity relating to a Covered Account.
The program must include reasonable policies and procedures to:
- Identify relevant Red Flags for the covered accounts that the UW offers or maintains and incorporate those Red Flags into its Identity Theft Prevention Program.
- Detect Red Flags that have been incorporated into the University's Identity Theft Prevention Program.
- Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft.
- Ensure the Identity Theft Prevention Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution.
Administration of the Red Flag Program and Contact
- Board Approval of Written Program
- Designation of University Official
The University will train all employees, officials and contractors for whom it is reasonably foreseeable that they may come into contact with Covered Accounts that may constitute a risk to the University or its customers. Training will also be provided as changes to the program are made. Training will include operating procedures for identifying and detecting identity theft as well as responding to identity theft.
- Security Practices of Contractors and Service Providers
The University of Washington expects all third-party contractors and service providers that handle Covered Accounts to comply with all federal, state and local laws or regulations that are applicable to the University, as well as University policies and procedures that are relevant to the underlying contract between the parties. The specific terms and issues of such compliance are addressed in the University contractual documents.
Administrative References and Policies:
- Cash Management at UW
- UW Information Security Controls and Operational Practices
- Student Records and FERPA
Computing References and Policies
- Information Security and Privacy Laws and Regulations
- University's Information Security and Privacy Policies
1400 NE Campus Parkway
129 Schmitz Hall
Seattle, WA 98195