Re: Institution-Wide Identity Theft Management

[Jeff Giacobbe <giacobbej () MAIL MONTCLAIR EDU>]

Colleagues-

Has anyone done an analysis of the Red Flag rules specifically as they
apply to the re-issuance of 'account numbers' when there has been an
exposure or potential exposure of internal student IDs?

My takeaway from a (admittedly cursory) look at the rules is that
financial institutions are required to issue customers new account
numbers (i.e. checking/savings/ATM accounts) within a certain amount of
time that a data exposure is discovered. However it is unclear to me how
this rule applies to, for example, a students campus ID number used to
access SIS information, register for classes, etc. Such numbers are
commonly used instead of SSN for precisely the reason that they only
have relevance within the institutions systems and cannot be used for
the traditional definition of "identity theft" In fact, student IDs are
often used for meal cards, residence hall assignments and other
functions in higher ed and are therefore much more 'public' than a SSN.

So my question is, if a student ID number is exposed does the 're-issue
the account number' clause of Red Flag kick in or not? In many cases
re-issuing a student ID has a ripple effect on a lot of other systems
and is a non-trivial effort.

Thanks,

Jeff Giacobbe
Montclair State University


On 02/17/11 06:04 PM, Valerie Vogel wrote:
> Dennis,
>
> EDUCAUSE has collected several campus policies and programs related to
> the FTC “Red Flags” rules: http://www.educause.edu/IDTheftRedFlags/164655.
>
>  
>
> The FTC also has a Red Flags website with more resources, including a
> compliance template that can help you design your own Identity Theft
> Prevention Program:
> http://www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml.
>
>  
>
> If you have any questions, please let me know.
>
> Thank you,
>
> Valerie
>
> _______________
>
>  
>
> Valerie M. Vogel
>
> Program Manager, EDUCAUSE
>
> office: (202) 331-5374
>
> e-mail: vvogel () educause edu <mailto:vvogel () educause edu>
>
>  
>
> *From:*The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Trevor Wallis
> *Sent:* Thursday, February 17, 2011 7:26 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Institution-Wide Identity Theft Management
>
>  
>
> Dennis,
>
>  
>
> In compliance with the FTC’s Identity Theft Red Flags and Address
> Discrepancies rule at 16 CFR part 681, my institution established an
> Identify Theft Prevention Program including a set of “Red Flags” rules,
> response procedures, and employee training.  Let me know if you’re
> interested in the details.
>
>  
>
> All regards,
>
>  
>
> Trevor
>
>  
>
> *Trevor A. Wallis*
> /Vice President of Campus Technology/
>
> /Chief Information Officer/
>
> Description: The SBTS shield logo.
>
> Southern Seminary
> 2820 Lexington Road
> Louisville, KY 40280
>
> *Phone: 502.897.4193*
> Fax: 502.897.4125
> twallis () sbts edu <mailto:twallis () sbts edu>
>
>  
>
> */Don't be a phishing victim – Southern Seminary and other reputable
> organizations will never use email to ask for your password, social
> security number or confidential personal information.  /*
>
>  
>
>  
>
> *From:*The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU
> <mailto:SECURITY () LISTSERV EDUCAUSE EDU>] *On Behalf Of *Self, Dennis
> *Sent:* Thursday, February 17, 2011 10:19 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> *Subject:* [SECURITY] Institution-Wide Identity Theft Management
>
>  
>
> Please forgive this repost.  With only three responses (thanks to those
> who did), it is obviously best to ask for open responses to the list!  
>
>  
>
> I proposed the notion of pursuing an institution-wide identity theft
> management policy and practice at my institution, to cover multiple
> compliance requirements.  In summary, the notion is to require
> authorization, training, certification, audit and periodic renewal of
> privilege to process SSN, payment instrument account and security
> numbers, etc.  I have been asked if other universities are pursuing this
> as well.  Have you taken this approach?
>
>  
>
> Dennis Self
>
> Director, IT Security & Compliance
>
> Samford University
>
> 800 Lakeshore Drive
>
> Birmingham, AL 35229-2293
>
> (205) 726-2692