Skip Navigation

This procedure is based on the Federal Trade Commission (FTC) regulations issued in accordance with Section 114 of the Fair and Accurate Credit Transactions Act (FACTA), also known as the Red Flags Rules.  In accordance with the FTC regulation known as the Red Flags Rule, Howard Community College (HCC) has established an identity theft program.  This program was established to protect the college community’s financial account information and other sensitive information, which if compromised or combined with other information, could lead to identity theft.  HCC’s identify theft program will be known as the Red Flags Program, and related procedures will be known as Red Flags procedures.  

Covered Accounts

A covered account is a new or existing account (record, transaction, or service) where a continuing relationship or transaction exists between the college and students or staff, regulated and confidential information is maintained.  Covered accounts must be handled in a manner to protect information at risk and to prevent identity theft.  Examples of information at risk include name, Social Security number (SSN), date of birth, birth certificate, driver’s license number, address, student and staff identification numbers, passport number, credit card information, and HCC Express login and password.

Information at risk within the covered accounts has been identified, as well as the red flag or alarm that indicates a possible occurrence of identity theft.  Mitigation activities for issues of possible identity theft and procedures to protect information at risk to prevent identity theft have been established for covered accounts as follows:

Name of Covered Account

Purpose of Covered Account

Information at Risk

Red Flags and Alarms

Mitigating Actions/ Preventative Measures

Student Financial Record

Track student receivables and payments


·Colleague identification number


·phone number

·date of birth

·returned mail

·mismatched SSN and name

·notification from a collection agency that funds cannot be recovered

·verifying mismatched information with records

·placing a registration hold in order to validate personal identity

·picking up checks returned in the mail only in the finance office with proof of identification that includes an address

Student HCC Express Account

Provide online access to student registration, schedules, financial information, grades and transcripts


·Colleague identification number


·phone number

·date of birth  address

·attempts to obtain student account information over the phone without providing validating information, including SSN, date of birth, and address

·not releasing logins, passwords, or student identification numbers over the phone

·validating student identity including student identification number, birthdate, major, classes taken last semester, and street address

·directing students to the “what is my user online identification” tool or to the HCC help desk when verifying information, identification card and other picture identification cannot be provided  to reset the account in person

Student Financial Aid Record

Used for all aspects of application, processing, and awarding of financial aid


·date of birth

·financial records including taxes

·birth certificate

·permanent residency cards

·returned mail

·conflicting information with the United States Department of Education (USDE)

·sending returned mail to the records, registration, and veterans’ affairs office for proper handling

·resolving conflicts with the USDE by validating government issued original information

Student Records

Used for all aspects of admissions, registration, and transcript processing


·date of birth


·previous academic records

·citizenship information


·returned mail

·mismatched personal data

·contacting students to verify information

·placing holds for returned mail

·validating student identity with two forms of identification such as photo identification, driver’s license, or student identification card

Student Disciplinary Records

Used to document disciplinary actions and sanctions of students


·date of birth


·academic standing


·ensuring that these records are maintained in a locked, secure area

Employee Payroll

Used to compute payroll and deductions, and generate checks, direct deposits, and college and employee tax records


·Colleague identification number


·phone number

·date of birth

·bank records

·mismatched SSN with name

·direct deposit rejects

·verifying a mismatched SSN with the Social Security Administration website

·generating a Colleague report comparing payroll information with name and address (NAE) information

·validating employee identity by verifying rejected deposit information with the college’s bank to guarantee that the college received the rejected deposit back and that the employee’s bank did not seize the deposit prior to re-issue

·requiring identification to pick up checks in the finance office

Employees that manage a contract with an outside firm that involves performance of services relating to a covered account shall ensure that the outside firm performs their work in accordance with these procedures, including the inclusion of the college’s red flags requirements within the terms of the contract, as appropriate.  

Protecting information

The following security practices should be followed to prevent the occurrence of identity theft:

General office security practices include:

  • Primary offices and offices that have regulated and confidential information will be locked when unoccupied.
  • Employees will not allow students and other visitors to access administrative areas and offices unescorted.  Employees will always ask for identification when individuals are unrecognized.  The plant operations department issues temporary visitors’ passes to external workers and contractors.
  • Computer screens will not face high traffic areas.  Privacy screens for monitors are recommended for offices that routinely process regulated and confidential information.
  • Employees will notify intended recipients of fax transmissions containing regulated and confidential information prior to sending information and confirm receipt that the transmission was complete.
  • USB/Flash drives will not be left unattended.

Practices for storing electronic information include:   

  • Employees must exercise extreme care and caution when accessing regulated information to ensure proper safeguards and avoid disclosure.  Examples of regulated information include, but are not limited to, student and employee SSNs, identification numbers, counseling records, birthdate, education records, medical information, credit card information, bank information, and financial aid data.  This category of information must be stored only on college-owned computer equipment and not personal-storage devices.  If electronic transmission is required for government reporting purposes, regulated information must be encrypted for secure transmission.  Regulated information stored on college workstations or devices must be encrypted and password protected.  This protection includes using strong passwords to access computers and applications and using encryption with mobile storage devices. 
  • Employees must also exercise care and caution when accessing and transmitting confidential information.  Confidential information stored on college-owned computers or mobile storage devices must be password protected.  This protection includes using strong passwords to access computers and applications and using encryption with mobile storage devices.  This information includes, but is not limited to, confidential elements of donor information, employee evaluations, personnel information, passwords, intellectual research findings, marketing plans, business projections, and college financial data.
  • Only college-issued portable USB or flash drives are authorized to transport regulated and confidential information.  These devices allow encryption and password protection, and are centrally managed and controlled by the help desk.

For further information on storing electronic information, please refer to college procedure, 61.13.01, Safeguarding College Information.

Practices for destroying electronic equipment containing regulated and confidential information include:

  • The information technology department is responsible for the removal, destruction, and salvaging of all computer hardware.  The information technology department also sanitizes hard drives prior to the destruction of hardware through a vendor.
  • The information technology department maintains certificates of destruction for physical hard drives that have been disposed.
  • Office copiers may also have regulated and confidential information stored on internal hard drives.  Office copiers must have built-in security features to allow for automatic disk erase.  Administrative office staff must coordinate the removal or relocation of office copiers with the help desk for existing copiers that do not have this built-in security feature. 

Practices for protecting information storage (hard copy) include:

  • Employees must store paper copies of regulated and confidential information in a secure location, such as a locked desk, cabinet, or safe.  Regulated and confidential information must not be left in open view after normal working hours.
  • Incoming and outgoing mail will not be located in public areas in offices.
  • Regulated and confidential information must be protected when placed in inter-office mail.  Mail should be sealed and marked as “confidential.”  Regulated and confidential mail should be hand delivered or secured and given directly to mail handlers for safeguard and delivery. College mail handlers will secure mail marked sensitive or confidential during deliveries and will give mail marked “confidential” directly to office personnel.  If office staff is not available, mail handlers will attempt to deliver the confidential mail on the next delivery.  If staff are still not available, mailroom staff will follow-up with a phone call or voice mail requesting the office staff pick up the confidential mail at the mailroom.
  • Regulated and confidential information must not be stored at an employee’s residence.

Practices for destroying information (hard copy) include:

  • When required, regulated and confidential information must be destroyed using cross-cut or confetti-style shredders.
  • Regulated and confidential information must be secured until it is destroyed.
  • Shredders and destruction processes will be out of public areas.
  • If outside contractors are used for shredding information, the company must be verified by the National Association for Information Destruction, Inc. (NAID). 

For more information on records retention and disposition, please refer to college procedure, 61.06.01, Record Retention.  For additional general information related to red flags, please refer to college policy, 61.19 – Identity Theft Prevention/Red Flags Program and policies, 61.12, Proper Use of Information Technology and 61.13, Protection of College Information and Electronic Resources.

Personal Identity Safety Measures

Employees and students should store personal belongings in a secure location such as a locked desk, cabinet, or locker.

Policy Manual Review/Revision:    05/10/13