Comply with the Red Flags Rule
Before You Begin
If the Red Flags Rule applies to your unit, you must have procedures in place to detect, prevent, respond to, and lessen the effects of identity theft for accounts covered by the Rule.
Begin
To comply with the Red Flags Rule:
- Consult the University of Illinois Red Flags Rule Identity Theft Prevention Program Best Practices for suggestions on implementing your Red Flag procedures.
- Ensure you are following the University’s data security and privacy policies as well as legislation for FERPA (Family Educational Rights and Privacy Act), HIPAA (Health Insurance Portability and Accountability Act), and PIPA (Illinois Personal Information Protection Act).
- Document your procedures for monitoring and detecting instances of red flags. Include step-by-step instructions for compliance to the Rule and what to do if you suspect a security breach.
- Ensure all involved employees and supervisors are trained in these procedures.
- Ensure that any third-party service providers your unit contracts with comply with the relevant requirements of the Red Flags Rule. Ensure that service providers report to you any incidents related to the data they handle on your behalf.
- Designate a Red Flags unit contact person.
- Follow the guidelines in Verify Identity for In-Person Services when providing in-person services.
- Complete and submit the Red Flags Unit Registration and Update form each year.
- Report confirmed or suspected identity theft, including incidents reported by third-party service providers. Complete and submit the Red Flags Incident Report form for each incident as soon as possible.
Forms Associated with this Procedure
Red Flags Unit Registration and Update
Red Flags Incident Report
Determine if the Red Flags Rule Applies to Your Unit
Verify Identity for In-Person Services
University of Illinois Red Flags Rule Identity-Theft Prevention Program Best Practices
Last Updated: October 21, 2011 | Approved: Senior Associate Vice President for Business and Finance - January 2002