Identity theft has become one of the fastest-growing crimes today. Identity theft is the deliberate assumption of another individual's identity, usually to gain access to a person's finances or to frame that person for a crime.
Identity theft is primarily used to perform financial transactions using accounts in your name. These can include making purchases using a credit card number or taking out a loan. Less commonly, it is used to obtain medical insurance, file fraudulent tax returns, open an account in your name, or even attempt to blackmail someone.
Personal identity information can be stolen by rummaging through rubbish for sensitive documents, infiltrating organizations that manage large amounts of personal information, and hacking into computer systems.
The Red Flags Rule (issued by the Federal Trade Commission) requires many businesses and organizations (including universities) to implement a written identity theft prevention program designed to detect the “red flags” of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate its damage. The bottom line is that a program can help businesses spot suspicious patterns and prevent the costly consequences of identity theft. As such, Ohio University has Policy 48.001 – Identity Theft Prevention (Red Flag Rules).
The Red Flags Rule applies to “covered accounts,” which are defined as consumer accounts that allow multiple payments or transactions, or any other account with a reasonably foreseeable risk of identity theft. Examples include the Bursar student account, student loans, the Bobcat Cash account, patient/client accounts (e.g. WellWorks, clinics), and program/travel/research/payroll advances.
If you are someone who handles personally identifiable information (PII), you need to watch for the categories of red flags, which can include:
- Alerts, notifications, or other warnings received from consumer reporting agencies or service providers
- Presentation of suspicious documents
- Presentation of suspicious personal identifying information (PII is any data that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual)
- Unusual use of, or other suspicious activity related to, a covered account
- Notice from customers, victims of identity theft, or law enforcement authorities
Once a red flag or potential red flag is detected, the employee must act quickly to gather all related documentation and present it to the department supervisor. The supervisor should then work with the Program Administrator (Controller) or her designee to determine whether the transaction was fraudulent or authentic. Appropriate responses may include:
- Monitoring account for evidence of identity theft
- Contacting the customer
- Changing any passwords, security codes, or other security devices that permit access to the account
- Notifying law enforcement
- Determining no response is warranted under the particular circumstances
You can fight identity theft by taking the following precautions:
- Never give out personal or financial information over the phone, in email, or on any chat platforms you may use at work/home.
- Beware of "phishing" scams, where a pop-up message or email asks you for personal or financial information.
- Always use strong passwords at least eight characters long that have numbers and special characters (like: $, %, &), and that do not contain a word found in the dictionary. Change your passwords frequently and never share them.
- Make sure updates are installed on your computer regularly.
- Avoid using software downloaded from unknown websites or peer-to-peer file sharing services. Avoid software that claims to be a game or a screensaver, collects information for "marketing purposes," or promises to "accelerate your internet connections." These are programs that can include spyware.
- Shred credit card receipts, junk mail, and other such documents with sensitive personal or financial information. Never leave these types of documents exposed in a public space (such as an office desktop).
- Never make personal information about yourself (like your birthdate, place of birth, family members' names) publicly available on social networking websites. This information can be easily found by search engines and used to help perpetrate identity theft against you.
- For additional recommendations to protect your own personal information, please visit IT Security’s “Protecting Your Personal Information” page.
If you are someone that handles this type of information in your role at the University, you are required to receive training. This includes staff directly involved in the customer identity verification process, staff who respond to customer inquiries, and staff who have the type of access to account information such that they could recognize potential red flags in account activity. If you are new to the University/role and handle this information you are required to complete this training. If you are an existing employee, you are strongly encouraged to complete this training, once per fiscal year, to stay up to date on the information.
- An online training is currently available on the Human Resources Professional Development page
- Scroll down to the Skillsoft Login and click the login button
- In the search box at the top of the page, type Preventing Identity Theft (filter by content type of ‘courses’ to narrow the search)
- Select the course titled “CEH v11: Social Engineering, Insider Threats & Identity Theft”
- Once the course is completed, print the Completion Status Report to a PDF and save it as proof of completion
For questions related to the Red Flags policy please contact Sherry Rossiter, downs@ohio.edu or 740-593-4129.