Financial Information - Identity Theft Prevention Program
The Fair and Accurate Credit Transactions Act of 2003 amended the Fair Credit Reporting Act, and required the Federal Trade Commission (FTC), together with other regulatory agencies, to issue and enact regulations requiring financial institutions and creditors to develop and implement written identity theft prevention programs. These regulations apply to the University because it is a “creditor”, which is defined as any person who defers payment for services rendered. Instances of such activity would be permitting medical patients to pay for services over time, permitting students to pay tuition throughout the semester rather than requiring payment in full at the beginning of the semester, and participating in the Federal Family Education Loan (FFEL) and Perkins student loan programs.
The University has developed and implemented an “Identity Theft Prevention Program” (ITPP) for the identification, detection, prevention and mitigation of theft of personally identifiable financial information in covered accounts, which are defined as those accounts where multiple payments or transactions are permitted.
The University of Missouri’s ITPP was approved by the Board of Curators on February 6, 2009.
ITPP program: http://www.umsystem.edu/ums/fa/itpp/itpp_index
ITPP Training: http://www.umsystem.edu/ums/fa/itpp/training
BPM 110 (Protection of Personally Identifiable Financial and Account Information) - http://www.umsystem.edu/ums/rules/bpm/bpm100/manual_110
BPM 1203 (Information Security) - http://www.umsystem.edu/ums/rules/bpm/bpm1200/manual_1203
Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transaction Act of 2003 (16 CFR . § 681.2). On November 9, 2007, the Federal Trade Commission (“FTC”), the federal bank regulatory agencies, and the National Credit Union Administration, published a joint notice of final rulemaking in the Federal Register finalizing the Identity Theft Red Flags regulations and guidelines. http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf
All employees are responsible for protecting the personal information that the University of Missouri gathers and uses - it only takes a few details about an individual for a criminal to steal an identity: information that the University faculty and staff compile, store and access regularly.
Whenever you gather information (especially sensitive or private information), make sure you understand and clearly note the purpose(s) for which that information is being gathered. That way, you can ensure the information is used appropriately in the future.
As a general rule, you should only be accessing information or records when you have a legitimate need to know or access that information - for instance, only accessing student records when there is a legitimate educational purpose, and only accessing business records when there is a legitimate business purpose.
Privacy regulations may apply to sensitive information that is stored or transmitted on any type of media - electronic, paper, microfiche, and even verbal communication.
ITPP Committee Contacts: http://www.umsystem.edu/ums/fa/itpp/contact
For legal assistance, please contact the Office of the General Counsel at http://www.umsystem.edu/ums/gc/