Administrative Regulation Title:  Identity Theft Prevention Program

Regulation Number:  6.10.2

_____________________________________________________________________________________

Eastern Wyoming College (“College”) developed an Identity Theft Prevention Program (“Program”) pursuant to the Federal Trade Commission’s (“FTC”) Red Flags Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003.   The Program was developed after considering the size and complexity of the College’s operations and account systems, and the nature and scope of the College’s activities.

The program must contain reasonable policies and procedures to:

  1. Identify relevant red flags for new and existing covered accounts and incorporate those red flags into the Program;
  2. Detect red flags that have been incorporated into the Program;
  3. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
  4. Ensure the Program is updated periodically to reflect changes in risks to students or to the safety and soundness of the student from identity theft.

PROGRAM ADMINISTRATION

Oversight

Responsibility for developing, implementing and updating the Program lies with a designated EWC Identity Theft Prevention Committee (“Committee”) for the College. The Committee is headed by a Program Administrator who is the Vice President of Administrative Services or his or her appointee. Three or more individuals from Business Services, Student Services and College Relations appointed by the Program Administrator comprise the remainder of the Committee membership. The Program Administrator will be responsible for ensuring appropriate training of College Staff on the Program, for reviewing any staff reports regarding the detection of red flags and the steps for preventing and mitigating identity theft, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the Program.

Staff Training and Reports

College staff responsible for implementing the Program shall be trained either by or under the direction of the Program Administrator in the detection of red flags and the responsive steps to be taken when a red flag is detected. College staff shall be trained, as necessary, to effectively implement the Program. College employees are expected to notify the Program Administrator once they become aware of an incident of identity theft or of the College’s failure to comply with this Program. At least annually or as otherwise requested by the Program Administrator, College staff responsible for development, implementation, and administration of the Program shall report to the Program Administrator on compliance with this Program. The report should address such issues as effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening and maintenance of covered accounts, service provider arrangements, significant incidents involving identity theft and management’s response, and recommendations for changes to the Program.

Service Provider Arrangements

In the event the College engages a service provider to perform an activity in connection with one or more covered accounts, the College will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft:

  1. Require that the service providers have such policies and procedures in place; and
  2. Require that service providers review the College’s Program and report any red flags to the Program Administrator or the College employee with primary oversight of the service provider relationship.

Non-disclosure of Specific Practices

For the effectiveness of this Identity Prevention Program, knowledge about specific red flag identification, detection, mitigation, and prevention practices may need to be limited to the Committee who developed this Program and to other employees on a need-to-know basis.  Any documents that may have been produced or are produced in order to develop or implement this program that list or describe such specific practices and the information those documents contain are considered “confidential” and should not be shared with other Eastern Wyoming College employees or the public. The Program Administrator shall inform the Committee and those employees with a need to know the information on those documents or specific practices which should be maintained in a confidential manner.

Program Updates

The Committee will periodically review and update this Program to reflect changes in risks to students and the soundness of the College from identity theft. In doing so, the Committee will consider the College’s experiences with identity theft situations, changes in identity theft methods, changes in identity theft detection and prevention methods, and changes in the College’s business arrangements with other entities.  After considering these factors, the Program Administrator will determine whether changes to the Program are warranted.

 

Original Adoption Date: 4/14/09

Revision Date(s): 2/11/14, 10/10/11 (RN)

Date reviewed, no change: