650  Identity Theft Prevention

Approved by President
Effective Date: June 5, 2017
Responsible Division: Business and Finance
Responsible Office:  Compliance and Enterprise Risk Management
Responsible Officer:  Assistant Vice President for Compliance and Enterprise Risk Management

I. Purpose

This policy outlines efforts to detect, prevent, and mitigate identity theft, and to help protect Middle Tennessee State University (MTSU or University), its faculty, staff, students, and other applicable constituents from damages related to the loss or misuse of identifying information due to identity theft.

II. Definitions

A.  Covered account. Includes:

1.  Any account that involves, or is designated to permit, multiple payments or transactions; or

2.  Any other account maintained by the University for which there is a reasonably foreseeable risk of identity theft to students, faculty, staff, or other applicable constituents, or for which there is a reasonably foreseeable risk to the safety or soundness of the University from identity theft, including financial, operational, compliance, reputation, or litigation risks.

B.  Identifying information. Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including, but not limited to: name, address, telephone number, social security number, date of birth, government-issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, student identification number, computer Internet Protocol address or routing code, credit card number, or other credit card information.

C.  Identity theft. Fraud committed, or attempted, using the identifying information of another person without authority.

D.  Red Flag. A pattern, practice, or specific activity that indicates the possible existence of identity theft.

III. Background

A.  The risk to MTSU, its faculty, staff, students, and other applicable constituents from data loss and identity theft is of significant concern. The University should make reasonable efforts to detect, prevent, and mitigate identity theft.

B.  Under this policy, the program will:

1.  Identify patterns, practices, or specific activities (red flags) that could indicate the existence of identity theft with regard to new or existing covered accounts (see Definitions);

2.  Detect red flags that are incorporated in the program;

3.  Respond appropriately to any red flags that are detected, under this program, to prevent and mitigate identity theft;

4.  Ensure periodic updating of the program, including reviewing the accounts that are covered and the identified red flags that are part of this program; and,

5.  Promote compliance with state and federal laws and regulations regarding identity theft protection.

C.  The program sh