2. Administrative Organization and Authority
2.7. Red Flags Rules
Effective Date: 4-21-2009
Revision Date: 4-17-2012
Eastern Michigan University is committed to preventing identity thieves from using someone else's identifying information to commit fraud. It is the policy of Eastern Michigan University to comply with the Fair and Accurate Credit Transactions Act of 2003 (FACTA), Public Law 108-159. This amendment to the Fair Credit Reporting Act charged the Federal Trade Commission (FTC) with promulgating rules regarding identity theft. On November 7, 2007, the FTC promulgated the final rules, known as "Red Flags" rules, which have an effective date of December 31, 2010.
To ensure compliance with the Red Flags rules, the Board of Regents authorizes the administration to develop and implement a written Identity Theft Prevention Program designed to detect, prevent, and mitigate identity theft.
Upon completion and presentation, the initial Identity Theft Prevention Program will be reviewed and approved by the Finance and Audit Committee of the Board of Regents.
The Red Flags rules are three different but related rules, two of which apply to Eastern Michigan University:
1. Users of consumer reports must develop reasonable policies and procedures to apply when they receive notice of an address discrepancy from a consumer reporting agency.
2. Financial institutions and creditors holding "covered accounts" must develop and implement a written identify theft prevention program for both new and existing accounts.
Although the FTC, in many contexts, does not have jurisdiction over not-for-profit entities, it has taken the position that not-for-profits are subject to FTC jurisdiction when they engage in activities in which a for-profit entity would also engage. In its July 2008 guidance, the FTC stated, "where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors."
University practices for implementing this policy include:
1. The development and enforcement of guidelines and procedures for an identity theft prevention program after consideration of the size and complexity of the University's operations and account system, as well as the nature and scope of the University's activities.
2. Train staff, as necessary to implement the program effectively.
3. Exercise appropriate and effective oversight of service provider arrangements.
RESPONSIBILITY FOR IMPLEMENTATION:
The President shall delegate to the Chief Financial Officer and the Provost and Vice President the responsibility to oversee, develop, implement and administer the Identity Theft Prevention Program.
SCOPE OF POLICY COVERAGE:
This policy applies to all relevant University personnel and only insofar as necessary to supplement other training programs.