Indiana University Red Flag Rules Frequently Asked Questions
The following reasons are the most common reasons for a department/unit to be deemed a covered account:
a. The department/unit sells goods or services to individual consumers and invoices the customer after they receive the goods or services.
b. The department/unit allows the individual consumer to make installment payments.
c. The department/unit utilizes credit bureau reports.
No. The Identity Theft Prevention Program approved by the Board of Trustees was put into place based on the Federal Trade Commission's (FTC) Red Flag Rules regulation found in 16 CFR Part 681.2. This regulation is intended to ensure that measures are put into place to prevent identity theft of individual consumers. There is no dollar limit to the amount of credit being extended and one individual consumer makes the department/unit subject to the regulation.
Yes, if the department/unit collects a deposit and receives the remainder after the event then the department is considered to extend credit and is a Covered Account. A Covered Account is subject to the reporting requirement outlined in the Indiana University Red Flag Program.
No. If your department/unit collects the full payment prior to the event occurring, the University is not extending credit and your department/unit is not subject to the reporting requirements of a Covered Account. The number of payments is not a factor in determining if the department/unit is a Covered Account in this circumstance.
No, if your department does not allow any invoicing options to individual consumers, the invoicing aspect will not deem your department/unit a Covered Account. However, if your department/unit bills one individual consumer then your unit is subject to the reporting requirements of a Covered Account.
Indiana University meets the definition of the Creditor, so collectively; the Red Flag Rules apply to the University. As a result, some departments/units within Indiana University that may have otherwise not been deemed a Creditor (i.e. patient accounts) individually based on the 2010 Red Flag Program Clarification Act, are still considered to be within the scope of IU's Identity Theft Prevention Program, because they are a part of Indiana University and their account is considered to meet the definition of a Covered Account.
If another college, university or corporation is sponsoring all of the students then the department/unit may be excluded from a Covered Account. If the department/unit is billing an individual for one or more students within the last year, then the unit qualifies as a Covered Account.
If at any time you become aware of an unauthorized disclosure or exposure of any personal date (i.e., SSN (if more that last four digits), driver's license number, state identification card number, credit card number, debit card number, financial accounts, security codes, access codes or passwords of a financial account), please immediately call your campus Support Center or Network Operations Center, and send details to the IT Policy & Security office at firstname.lastname@example.org and copy the Red Flag Committee at email@example.com. The IT Policy and Security Office will coordinate incident response and ensure that all appropriate steps are taken.
For additional data, please refer to: http://protect.iu.edu/cybersecurity/data/laws/IN#disposal
The Red Flag Committee will collect the Red Flag documentation from all approved external collection agencies. If your department is using one of the approved external collection agencies, you do not need to collect any data from this service provider.
Yes. Fiscal Officers and activities within departments/units change and the survey is the easiest way for us to ensure we identify potential Covered Accounts and remain in compliance with the Identity Theft Red Flag Rules.
Yes. The requirements of the Indiana University Identity Theft Prevention Program described in the Standard Operating Procedure are required on an annual basis. The department/unit head or their designee should fulfill the following requirements on an annual basis:
- Conduct a review of University IT policies related to personal and data security to ensure customer master file is secure.
- Complete their annual review of controls in place to prevent, detect, and mitigate Identity Theft.
- Complete employee training for all existing and new employees.
- Certify their Identity Theft Program has no additional changes or update their plan. A copy of the plan will need to be submitted each year.
- Certify any instances of potential Identity Theft.
- Verify compliance of the Red Flag Rules with any Service Provider that are using.
- You can opt in by going to http://www.surveymonkey.com/OptOut.aspx.
- Please enter your email address and then click Unblock Email Address.
- You will receive a follow-up message asking you to confirm this request. Once you confirm, your email is automatically updated into the account holder's address book(s) and email list(s).
A stored-value card is a payment card with a monetary value stored on the card itself. A stored-value card is not in an external account maintained by a financial institution and differs from debit cards where money is on deposit with the issuer. Another difference between stored-value cards and debit cards is that debits cards are usually in the name of the individual account holders, while stored value cards are anonymous.
If a card is not associated with a specific person (i.e., has the cardholders name on the card), does not have personal information associated with the card itself and does not allow the cardholder to add additional funds to the card online, Indiana University would not consider the stored value card a covered account.
Indiana University campus cards are considered covered accounts for purposes of Red Flags.
Typically no. Accepting security deposits by itself does not create a covered account; however, if your unit does collect security deposits, we suggest contacting your campus Red Flags contact to discuss whether the particular arrangement creates any material risk of identity theft and could create a covered account based on other characteristics.