Identity Theft Prevention Program


Identity Theft is a crime in which an individual wrongfully obtains and uses another person's personal data, usually for economic gain, in some way involving deception or fraud.  Identity theft may include various types of personal data such as an individual’s Social Security number, bank account or credit card number, medical insurance card number and other valuable identifying data. 

The Identity Theft Prevention Program at Columbia University sets forth the actions which must be taken by the University and by its employees in order to prevent the use of personally identifiable information (PII) at Columbia University to commit Identity Theft.  The program includes a policy, training, committee, and protocols for potential incidents.  
 


Reporting Suspected or Detected Identity Theft

If you suspect or detect identity theft, you must take the following steps immediately:

  • Inform your manager/supervisor AND appropriate Program Managers of an incident or suspicion of identity theft immediately
  • Document any suspicious activity or information that may suggest Identity Theft using the Red Flag Incident Report
  • Contact the Identity Theft Prevention Team with any questions at [email protected]

Policy: Identity Theft Prevention Policy

This policy applies to all individuals who access, use or control personally identifiable information at Columbia University for an account, known as a “Covered Account.” Those individuals may include, but are not limited to, faculty, staff, students, contractors, consultants, those working on behalf of the University and/or individuals authorized by affiliated institutions and organizations.


What is a Covered Account?

A Covered Account is an account the University offers or maintains that involves or is designed to permit multiple payments or transactions, and any other account potentially posing a reasonably foreseeable risk of Identity Theft to students, patients, employees and other relevant third parties (a candidate for matriculation or for employment, for example). 

Identity Theft Prevention policy

Training: Identity Theft Prevention at Columbia

The online training module provides an introduction to Columbia University's Identity Theft Prevention Program. Its objective is to ensure that the University and its employees comply with their legal and institutional responsibilities to protect personally identifying information. This includes providing employees with the tools they need to comply with the Federal Trade Commission's Red Flag Rules.

Who should take this Course?

It is mandatory training for any University personnel working with personally identifiable information (Social Security numbers, bank accounts, credit cards, insurance records, etc.).

Identity Theft Prevention training

Columbia University Service Providers

Service Providers identified as “creditors” or “financial institutions” that provide “covered accounts” (as those terms are defined in the Red Flags Rule) should maintain and follow their own ID Theft Prevention Policies. If the Service Provider does not have an ID Theft Prevention Policy, it must follow Columbia’s policy.

Read a copy of Columbia’s written Identity Theft Prevention Program (ITPP) pursuant to the FTC Red Flags Rule, 16 C.F.R. §681.2.
All service providers need to complete an Identity Theft Prevention Program Attestation.

More Information

What are covered accounts?

Any account the University identifies as posing a reasonably foreseeable risk to students, patients, employees, and relevant third parties or to the safety and soundness of the University from identity theft, including financial, operational, compliance, reputation or litigation risks.
 

Examples of these accounts for the University may include, but are not limited to:

  • All student accounts or loans administered by the University or by 3rd parties hired by the University to administer such accounts
  • All accounts established to register new patients at CUMC and Student Health Services
  • Certain tenant accounts
  • Certain faculty accounts or loans
  • Certain potential employee information
  • Certain potential customer information, including credit cardholder data
  • Accounts the University offers or maintains primarily for personal, family, or household purpose that involve or are designed to permit multiple payments or transactions

What are Red Flags?

A Red Flag is defined as a pattern, practice, or specific activity that could indicate a risk of identity theft. 

Examples of Red Flags:

  • Alerts or notifications from consumer reporting agencies or service providers, such as fraud detection services
  • Presentation of suspicious documents, such as identification documents which have been forged or altered
  • Presentation of suspicious personal identifying information, such as a suspicious address change or social security number
  • Unusual use of or other suspicious activity relating to a Covered Account, such as identification of use of an account in a manner inconsistent with established patterns of activity on the account
  • Notices from customers, victims of Identity Theft, law enforcement, or other persons regarding Identity Theft in connection with Covered Accounts held by the creditor

 

If you are a program manager, you are responsible for:

  • Identifying and familiarizing yourself with examples of “Red Flags” in your area
  • Designing procedures to detect the Red Flags you’ve identified

If you are a program manager, you are responsible for the following required actions:

  • Read and comply with the Identity Theft Prevention Policy
  • Take the Identity Theft Prevention training
  • Identify and familiarize yourself with examples of “Red Flags” in your area
  • Design procedures to detect the Red Flags you’ve identified
  • Ensure that new service providers with covered accounts have signed the Service Provider Attestation
  • Contact procurement if you have a new service provider with covered accounts
     

If you suspect or detect Identity Theft:

  • Inform your manager/supervisor AND appropriate Program Managers of an incident or suspicion of identity theft immediately
  • Document any suspicious activity or information that may suggest Identity Theft using the Red Flag Incident Report
  • Contact the Identity Theft Prevention Team with any questions at [email protected]

Primary Guidance to Which This Program Responds

Federal Trade Commission's (“FTC”) Red Flags Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003.  For additional information, view this guide from the Federal Trade Commission entitled "Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business."

In addition, this policy responds to all applicable state statutes pertaining to Identity Theft protection and the protection of personally identifiable information, including but not limited to, the New York State Information Security Breach and Notification Act.

Red Flag Incident Report
Document any suspicious activity or information that may suggest Identity Theft using the Red Flag Incident Report.

Service Provider Attestation Form
All service providers need to complete an Identity Theft Prevention Program Attestation.