
Red Flags Procedures

Procedure - 61.19.01

College Policy Number/Title:

Purpose

This procedure is based on the Federal Trade Commission (FTC) regulations issued in accordance with Section 114 of the Fair and Accurate Credit Transactions Act (FACTA), also known as the Red Flags Rules. In accordance with the FTC regulation known as the Red Flags Rule, Howard Community College (HCC) has established an identity theft program. This program was established to protect the college community’s financial account information and other sensitive information, which if compromised or combined with other information, could lead to identity theft. HCC’s identity theft program will be known as the Red Flags Program, and related procedures will be known as Red Flags procedures.

Definitions

Identity Theft
The fraudulent acquisition and use of a person’s private identifying information, usually for financial gain.

Red Flag
A warning sign, in the form of a specific activity or a pattern of activities, that may indicate identity theft.

Covered Accounts

A covered account is a new or existing account (record, transaction, or service) where a continuing relationship or transaction exists between the college and students or staff, and where regulated and confidential information is maintained. Covered accounts must be handled in a manner to protect information at risk and to prevent identity theft. Examples of information at risk include name, Social Security number (SSN), date of birth, birth certificate, driver’s license number, address, student and staff identification numbers, passport number, credit card information, and college login credentials.

Responsibilities and Roles

The vice president of information technology (VPIT) or designee administers the college Red Flags Program. The Red Flags committee consists of representatives from the college functional areas responsible for implementing identity theft prevention action plans. They identify covered accounts and associated Red Flags; develop Red Flag procedures to detect, prevent and mitigate identity theft; and generate an annual program report.

Each functional area identified by the committee as routinely handling covered accounts is responsible for training employees to detect identity theft.

Identification and Detection of Red Flags

Information at risk within the covered accounts has been identified, as well as the red flag or alarm that indicates a possible occurrence of identity theft. Mitigation activities for issues of possible identity theft and procedures to protect information at risk to prevent identity theft have been established for covered accounts as follows:

Name of Covered Account: Student Financial Record

Purpose of Covered Account: Track student receivables and payments

Information at Risk:

  • SSN
  • Colleague identification number
  • address
  • phone number
  • date of birth

Red Flags and Alarms:

  • returned mail
  • mismatched SSN and name
  • notification from a collection agency that funds cannot be recovered

Mitigating Actions/Preventative Measures:

  • verifying mismatched information with records
  • placing a registration hold in order to validate personal identity
  • picking up checks returned in the mail only in the finance office with proof of identification that includes an address

Name of Covered Account: Student account college login credentials

Purpose of Covered Account: Provide online access to student registration, schedules, financial information, grades and transcripts

Information at Risk:

  • SSN
  • Colleague identification number
  • address
  • phone number
  • date of birth, address

Red Flags and Alarms:

  • attempts to obtain student account information over the phone without providing validating information
  • report of unauthorized password reset or other account changes by the user
  • presence of multiple failed login attempts indicative of a brute-force attack
  • alerts, notifications, or other warnings from consumer reporting agencies, or service providers
  • breach in HCC’s information systems
  • suspicious email sent from student account that includes malicious links or attachments

Mitigating Actions/Preventative Measures:

  • not releasing logins, passwords, or student identification numbers over the phone
  • validating student identity including student, major, classes taken last semester
  • directing students to the “what is my user online identification” tool or to the HCC Technology Service Center (TSC) when verifying information, identification card and other picture identification cannot be provided to reset the account in person
  • lock the student account and contact the student to change their password
  • provide credit monitoring to the affected individuals
  • determine if there is grounds for notifying law enforcement

Name of Covered Account: Student Financial Aid Record

Purpose of Covered Account: Used for all aspects of application, processing, and awarding of financial aid

Information at Risk:

  • SSN
  • date of birth
  • financial records including taxes
  • birth certificate
  • permanent residency cards

Red Flags and Alarms:

  • returned mail
  • conflicting information with the United States Department of Education (USDE)
  • change of address requested followed by change of student name

Mitigating Actions/Preventative Measures:

  • sending returned mail to the office of origin for proper handling
  • resolving conflicts with the USDE by validating government issued original information

Name of Covered Account: Student Records

Purpose of Covered Account: Used for all aspects of admissions, registration, and transcript processing

Information at Risk:

  • SSN
  • date of birth
  • address
  • previous academic records
  • citizenship information
  • ethnicity

Red Flags and Alarms:

  • returned mail
  • mismatched personal data
  • alerts, notifications, or other warnings from consumer reporting agencies, or service providers

Mitigating Actions/Preventative Measures:

  • contacting students to verify information
  • placing holds for returned mail
  • validating student identity with two forms of government-issued identification card, or student identification card
  • lock the student account and contact the student to change their password
  • provide credit monitoring to the affected individuals
  • determine if there is grounds for notifying law enforcement

Name of Covered Account: Student Disciplinary Records

Purpose of Covered Account: Used to document disciplinary actions and sanctions of students

Information at Risk:

  • SSN
  • date of birth
  • address
  • academic standing

Red Flags and Alarms: N/A

Mitigating Actions/Preventative Measures:

  • ensuring that these records are maintained in a locked, secure area

Name of Covered Account: Employee Payroll

Purpose of Covered Account: Used to compute payroll and deductions, and generate checks, direct deposits, and college and employee tax records

Information at Risk:

  • SSN
  • Colleague identification number
  • address
  • phone number
  • date of birth
  • bank records

Red Flags and Alarms:

  • mismatched SSN with name
  • direct deposit rejects
  • unauthorized changes reported by employee
  • presented SSN that is the same as another individual
  • fictitious billing address or invalid phone number

Mitigating Actions/Preventative Measures:

  • verifying a mismatched SSN with the Social Security Administration website
  • generating a Colleague report comparing payroll information with name and address (NAE) information
  • validating employee identity by verifying rejected deposit information with the college’s bank to guarantee that the college received the rejected deposit back and that the employee’s bank did not seize the deposit prior to re-issue
  • requiring identification to pick up checks in the finance office
  • assign new Colleague ID to user

Employees who manage a contract with an outside firm that involves performance of services relating to a covered account shall ensure that the outside firm performs its work in accordance with these procedures, including the inclusion of the college’s red flags requirements within the terms of the contract, as appropriate.

Protecting Information

The following security practices should be followed to prevent the occurrence of identity theft:

General office security practices include:

  • Primary offices and offices that have regulated and confidential information will be locked when unoccupied.
  • Employees will not allow students and other visitors to access administrative areas and offices unescorted. Employees will always ask for identification when individuals are unrecognized. The plant operations department issues temporary visitors’ passes to external workers and contractors.
  • Computer screens will not face high traffic areas. Privacy screens for monitors are recommended for offices that routinely process regulated and confidential information.
  • Employees will notify intended recipients of fax transmissions containing regulated and confidential information prior to sending the information and will confirm that the complete transmission was received.
  • External storage devices will not be left unattended.

Practices for storing electronic information include:

  • Employees must exercise extreme care and caution when accessing regulated information to ensure proper safeguards and avoid disclosure. Examples of regulated information include, but are not limited to, student and employee SSNs, identification numbers, counseling records, birthdate, education records, medical information, credit card information, bank information, and financial aid data. If electronic transmission is required for government reporting purposes, regulated information must be encrypted for secure transmission. Regulated information stored on workstations or devices must be encrypted and password protected. This protection includes using strong passwords that are not shared to access computers and applications and using encryption with mobile storage devices.
  • Employees must also exercise care and caution when accessing and transmitting confidential information. Confidential information stored on computers, mobile storage devices, or HCC-approved applications must be password protected. This protection includes using strong passwords to access computers and applications and using encryption with mobile storage devices. This information includes, but is not limited to, confidential elements of donor information, employee evaluations, personnel information, passwords, intellectual research findings, marketing plans, business projections, and college financial data.

Regulated and confidential information is to be stored only on college-owned devices or college-approved applications and must be encrypted. For further information on storing electronic information, please refer to college procedure, 61.13.01, Safeguarding College Information.

Practices for destroying electronic equipment containing regulated and confidential information include:

  • The information technology department is responsible for the removal, destruction, and salvaging of all computer hardware. The information technology department also sanitizes hard drives prior to the destruction of hardware through a vendor.
  • The information technology department maintains certificates of destruction for physical hard drives that have been disposed of.
  • Office copiers may also have regulated and confidential information stored on internal hard drives. Office copiers must have built-in security features to allow for automatic disk erase. Administrative office staff must coordinate the removal or relocation of office copiers with the Technology Service Center (TSC) for existing copiers that do not have this built-in security feature.

Practices for protecting information storage (hard copy) include:

  • Employees must store paper copies of regulated and confidential information in a secure location, such as a locked desk, cabinet, or safe. Regulated and confidential information must not be left in open view after normal working hours.
  • Incoming and outgoing mail will not be located in public areas in offices.
  • Regulated and confidential information must be protected when placed in inter-office mail. Mail should be sealed and marked as “confidential.” Regulated and confidential mail should be hand delivered or secured and given directly to mail handlers for safeguarding and delivery. College mail handlers will secure mail marked sensitive or confidential during deliveries and will give mail marked “confidential” directly to office personnel.

Practices for destroying information (hard copy) include:

  • When required, regulated and confidential information must be destroyed using cross-cut or confetti-style shredders.
  • Regulated and confidential information must be secured until it is destroyed.
  • Shredders and destruction processes will be out of public areas.
  • If outside contractors are used for shredding information, the company must be verified by the National Association for Information Destruction, Inc. (NAID).

For more information on records retention and disposition, please refer to college procedure, 61.06.01, Record Retention. For additional general information related to red flags, please refer to college policy, 61.19 Identity Theft Prevention/Red Flags Program, and policies, 61.12, Proper Use of Information Technology, and 61.13, Protection of College Information and Electronic Resources.

Personal Identity Safety Measures

Employees and students should store personal belongings in a secure location such as a locked desk, cabinet, or locker.

Incident Reporting

Employees who detect identity theft, a pattern, a practice, or a suspicious activity that indicates the possibility of identity theft, will report it to their supervisor. In turn, supervisors will inform the VPIT or designee who will then review reports to determine if an identity theft incident occurred and to implement mitigation and response activities.

Effective Date: 05/14/21

President's Office Use:  VPIT
