SF State "Red Flag" Program
This Practice Directive outlines the SF State implementation of the Red Flag Rule. The Red Flag rule requires “financial institutions” and “creditors” holding “covered accounts” to develop and implement a written identity theft prevention program designed to identify, detect and respond to “Red Flags.”
In 2003, the U.S. Congress enacted the Fair and Accurate Credit Transaction Act of 2003 (FACT Act) which required the Federal Trade Commission (FTC) to issue regulations requiring “creditors” to adopt policies and procedures to prevent identify theft. In 2007, the Federal Trade Commission (FTC) issued a regulation known as the Red Flag Rule. The rule requires “financial institutions” and “creditors” holding “covered accounts” to develop and implement a written identity theft prevention program designed to identify, detect and respond to “Red Flags.” The following is a statement regarding San Francisco State University's implementation of the Red Flag Rule regulation.
Covered Accounts & Creditors
A covered account under the Red Flag Rules regulation is a consumer account designed to permit multiple payments or transactions. These are accounts where payments are deferred and made by a borrower periodically over time such as a tuition or fee installment payment plan. The definition of “creditor” under the Red Flag Rule is broad, and includes any entity that regularly extends credit.
The rules apply to any institution that provides goods or services that are not fully paid for in advance (e.g., if tuition, room and board, etc. are not due in full prior to the start or a semester, or if installment payments are permitted on tuition, etc.). Government entities that defer payment for goods or services are considered creditors. Examples of activities that indicate a college or university is a “creditor” are:
- Participation in the Federal Perkins Loan program;
- Participation as a school lender in the Federal Family Education Loan Program;
- Offering institutional loans to students, faculty or staff;
- Offering a plan for payment of tuition or fees throughout the semester, rather than requiring full payment at the beginning of the semester
Broadly, accounts included under the Red Flag Rule at San Francisco State may include the following:
- Campus Billing for Tuition & Fee Deferral
- Financial Aid
- Student Health Service
- OneCard and University Corporate Credit Cards (see details below where the Red Flag Programs are administered primarily by the card issuing banks)
- Human Resources & Payroll
The Red Flag Program at San Francisco State University is established and centrally administered by the campus Chief Information Officer (CIO) in conjunction with individual departments and programs which may manage applications and accounts that could be used to orchestrate identity theft schemes. The larger administration of the program, annual review and legal determination of applicability is established by the CSU Board of Trustees.
The campus Red Flag Program is reviewed as part San Francisco State's existing CISP (Confidentiality and Information Security Plan (UED #04-32)) and combined incident monitoring efforts with campus police and outside law enforcement which monitor other types of computing security incidents and identity theft scenarios beyond just Red Flag conditions. The CISP, Red Flag and other applicable regulations for the University population are reviewed on a continual basis and updated as appropriate.
The campus effort to protect sensitive information of the type typically targeted in identity theft is addressed in the Safeguarding Information section of the SF State Safe Computing Website at Security / Policies. SF State policies and procedures limit access to private information to individuals with a legitimate "need-to-know". Staff with authorized access to administrative information databases are restricted to using the data only in the conduct of their assigned official duties. Inappropriate use of access or data may result in disciplinary action, including dismissal from the University.
Red Flag Identification and Response
SF State monitors a number of variables and indicators which are generally described below. Detailed elements are not publicized to prevent exploit and the crafting of phishing or fraudulent email. Elements and variables included in monitoring may include:
- Requests to change mailing address
- Request to change password or a password reset executed
- Changes of forwarding e-mail address
- Change of account names
- Reports to email@example.com
- Reports to the campus ISO regarding internal trends and external incidents
Response to Red Flag items are detailed in campus internal and incident response procedures.
- OneCard and University Corporate Credit Cards are covered under two Red Flag Programs, that of SF State and the banks that provide the cards. SF State University will only make notifications regarding mailing address changes for students and SF State IDs and passwords. Individuals may receive multiple notifications under both SF State's Red Flag plan and that of the card issuing bank, especially for address changes.
- For staff using the University Corporate Card for Travel (not the P-Card), enrollment with the bank's online service is required and users are encouraged to set up alerts that may indicate misuse or identity theft.
- San Francisco State University Student Health Services has developed a supplemental plan to verify identity to require a second picture ID in addition to the SF State ID card for identity verification.
Identity theft and phishing continue to be an ongoing threat in online communities. Although SF State's Red Flag Program is aimed at helping individuals become aware of changes that might be a prelude to identity theft, the individual mechanisms and system cannot detect all forms of identity theft and still requires vigilance by individuals to protect their own sensitive information.
Report suspected identity theft involving SF State accounts to firstname.lastname@example.org.