Educause Security Discussion mailing list archives
Re: Institution-Wide Identity Theft Management
From: Jeff Giacobbe <giacobbej () MAIL MONTCLAIR EDU>
Date: Fri, 18 Feb 2011 11:02:01 -0500
Colleagues-

Has anyone done an analysis of the Red Flag rules specifically as they apply to the re-issuance of 'account numbers' when there has been an exposure or potential exposure of internal student IDs?

My takeaway from an (admittedly cursory) look at the rules is that financial institutions are required to issue customers new account numbers (i.e. checking/savings/ATM accounts) within a certain amount of time that a data exposure is discovered. However, it is unclear to me how this rule applies to, for example, a student's campus ID number used to access SIS information, register for classes, etc. Such numbers are commonly used instead of SSN for precisely the reason that they only have relevance within the institution's systems and cannot be used for the traditional definition of "identity theft." In fact, student IDs are often used for meal cards, residence hall assignments and other functions in higher ed and are therefore much more 'public' than an SSN.

So my question is, if a student ID number is exposed, does the 're-issue the account number' clause of Red Flag kick in or not? In many cases re-issuing a student ID has a ripple effect on a lot of other systems and is a non-trivial effort.

Thanks,
Jeff Giacobbe
Montclair State University

On 02/17/11 06:04 PM, Valerie Vogel wrote:
Dennis,

EDUCAUSE has collected several campus policies and programs related to the FTC “Red Flags” rules: http://www.educause.edu/IDTheftRedFlags/164655. The FTC also has a Red Flags website with more resources, including a compliance template that can help you design your own Identity Theft Prevention Program: http://www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml.

If you have any questions, please let me know.

Thank you,
Valerie

_______________
Valerie M. Vogel
Program Manager, EDUCAUSE
office: (202) 331-5374
e-mail: vvogel () educause edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Trevor Wallis
Sent: Thursday, February 17, 2011 7:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Institution-Wide Identity Theft Management

Dennis,

In compliance with the FTC’s Identity Theft Red Flags and Address Discrepancies rule at 16 CFR part 681, my institution established an Identity Theft Prevention Program including a set of “Red Flags” rules, response procedures, and employee training. Let me know if you’re interested in the details.

All regards,
Trevor

Trevor A. Wallis
Vice President of Campus Technology
Chief Information Officer
Southern Seminary
2820 Lexington Road
Louisville, KY 40280
Phone: 502.897.4193
Fax: 502.897.4125
twallis () sbts edu

Don't be a phishing victim – Southern Seminary and other reputable organizations will never use email to ask for your password, social security number or confidential personal information.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Self, Dennis
Sent: Thursday, February 17, 2011 10:19 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Institution-Wide Identity Theft Management

Please forgive this repost. With only three responses (thanks to those who did), it is obviously best to ask for open responses to the list!

I proposed the notion of pursuing an institution-wide identity theft management policy and practice at my institution, to cover multiple compliance requirements. In summary, the notion is to require authorization, training, certification, audit and periodic renewal of privilege to process SSN, payment instrument account and security numbers, etc.

I have been asked if other universities are pursuing this as well. Have you taken this approach?

Dennis Self
Director, IT Security & Compliance
Samford University
800 Lakeshore Drive
Birmingham, AL 35229-2293
(205) 726-2692