(Approved by the CEO of UW Medicine, Executive Vice President for Medical Affairs, and Dean of the School of Medicine by Executive Order No. 6 and the Senior Vice President for Finance and Facilities by authority of Administrative Order No. 9)
In its capacity as a creditor, the University of Washington (UW) is subject to 16 CFR 681, "Identity Theft Rules," which requires the establishment of a written Identity Theft Prevention Program for covered accounts (defined below). To protect existing consumers, reduce risk from identity fraud, and minimize potential damage from fraudulent new accounts with the least possible impact on business operations, the University establishes this Identity Theft Prevention Program (hereafter, the program). The program policies and guidelines apply to UW entities, departments, and employees when conducting business activity relating to UW covered accounts. Additional policies and procedures may be imposed by UW entities that have unique types of covered accounts.
Covered Account: A consumer account that the University offers or maintains primarily for personal purposes and that involves multiple payments for goods or services provided by the University, or any other account for which there is a reasonably foreseeable risk of identity theft. Covered accounts may include, but are not limited to, tuition receivables, student loans and collections, and patient billing.
Identity Theft: Fraud committed using the identifying information of another person.
Personally Identifiable Information: An individual's first name and last name and at least one of the following data elements: social security number, driver's license number or identification card number, account number, credit card number, debit card number, security code, access code, or password of an individual's covered account.
Red Flag: A pattern, practice, or specific activity that indicates the possible existence of identity theft.
It is the policy of the University to:
1. Compare information received from the consumer/credit reporting agency with entity records (registration changes, change of address notifications, account information, etc.).
2. Contact the student, faculty member, staff member, or patient to verify their address.
3. Use other reasonable means to verify that the correct address is associated with the student, faculty member, staff member, or patient and consumer report.
The UW recognizes that the following types of notices, documents, personal information, and activities may be indicators or red flags that an individual's identity may be compromised:
A. Alerts, Notifications, or Warnings from a Consumer Reporting Agency
1. A fraud or credit alert is included with a consumer report.
2. A notice of credit freeze on a consumer report is provided from a consumer reporting agency.
3. A consumer report agency provides a notice of address discrepancy.
4. A consumer report indicates a pattern of activity inconsistent with the history and usual pattern of activity of a customer.
B. Suspicious Documents
1. Documents provided for identification appear to have been altered or forged.
2. The photograph and/or physical description on the identification is not consistent with the appearance of the customer presenting the identification.
3. Other information on the identification is not consistent with information provided by the person opening an account or presenting the identification.
4. Other information on the identification is not consistent with readily accessible information that is on file with the University.
5. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
C. Suspicious Personal Identifying Information
1. Personal identifying information provided is not consistent with external information sources used by the University.
2. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer.
3. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the University.
4. The social security number provided is the same as that submitted by other persons opening an account or other customers.
5. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or to other customers.
6. The person opening the account fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
7. Personal identifying information provided is not consistent with personal identifying information that is on file with the University.
8. If the University uses a challenge question, the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
D. Unusual Use of, or Suspicious Activity Related to, the Covered Account
1. Shortly following the notice of a change of address, the University is made aware of a new cell phone number or the addition of authorized users on the account.
2. A new revolving credit account is used in a manner commonly associated with known patterns of fraud.
3. An account is used in a manner that is not consistent with established patterns of activity on the account.
4. An account that has been inactive for a reasonably lengthy period of time is used.
5. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the account.
6. The University is notified of unauthorized charges or transactions in connection with a customer's account.
E. Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection with Covered Accounts
The University is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that a fraudulent account has been opened.
F. Compromised Systems
Detection of compromised or breached systems that store covered accounts or personally identifiable information.
G. Additional Red Flags
The University recognizes that additional red flags may be identified by UW entities, units, and/or departments for specific types of covered accounts.
The University will respond appropriately to identified and detected red flags in order to prevent and mitigate identity theft. The response shall be commensurate with the degree of risk posed.
Once potentially fraudulent activity is detected, an employee must act quickly as a rapid appropriate response can protect customers and the University from damages and loss.
Approved standards and responsive action must be maintained by each unit based upon business and technical needs. The University recommends the following responses to red flags:
A. Board Approval of Written Program
The UW Board of Regents adopted the program on July 16, 2009.
B. Designation of University Official
The UW has designated the Senior Vice President for Finance and Facilities, and, for UW Medicine, the CEO of UW Medicine, Executive Vice President for Medical Affairs, and Dean of the School of Medicine, to be the program's two institutional officials. These officials are responsible for implementing program policies; seeing that entity-specific procedures are established; assigning responsibility for investigating and responding to red flags; periodically reassessing entity operations to verify where covered accounts are opened and maintained; recommending program modifications as needed; generating periodic status reports; and reporting annually to the Board of Regents' Finance, Audit, and Facilities Committee on the effectiveness of the UW Identity Theft Prevention Program.
C. Training
The University will train all employees, officials, and contractors for whom contact with covered accounts is reasonably foreseeable. Training will also be provided as changes to the program are made. Training will include operating procedures for identifying and detecting identity theft as well as responding to identity theft.
D. Security Practices of Contractors and Service Providers
The UW expects all third party contractors and service providers who handle covered accounts to follow and be compliant with all federal, state, and local laws or regulations that are applicable to the University, as well as University policies and procedures that are relevant to the underlying contract between the parties. The specific terms and issues of such compliance are addressed in the University contractual documents.
E. Reporting Requirements
Annual reporting requirements will be presented to the Board of Regents' Finance, Audit, and Facilities Committee.
For related policies, see:
For additional information, contact one of the following offices:
July 16, 2009; RC, June 20, 2012.