University of Illinois Red Flags Rule
Identity-Theft Prevention Program Best Practices
What Is the Red Flags Rule?
The Red Flags Rule (the “Rule”) is a set of Federal Trade Commission (FTC) regulations that seek to protect individuals from identity theft. The Rule covers certain types of credit, billing, and debit accounts, and it applies to all institutions that handle covered accounts. The Rule requires institutions to put programs in place to detect warning signs—or “red flags”—of identity theft in day-to-day operations. Institutions must also take steps to respond to warning signs and mitigate damage caused by identity theft.
The University of Illinois must comply with the Rule because the University bills through Accounts Receivable, offers declining balance meal plans, and administers several other types of accounts covered by the Rule. Each University Administration and campus unit is responsible for complying with the Rule in its operations. The University’s Red Flags Steering Committee (RFSC) has written these best-practice guidelines to help units understand what they must do to comply.
What Activities Are Covered by the Rule and How Does My Unit Comply?
All units must follow the best-practice guidelines given in the next section, “What Guidelines Must All Units with Covered Activities Follow?” Additional guidelines apply, based on your unit’s activities. Follow the links shown below for additional, activity-based guidelines. Follow all guidelines that apply to your unit’s activities. In addition, if your unit sells or transfers debt to a non-University third party, report the information in the Red Flags Unit Registration and Update form.
- If your unit administers billing, declining balance, debit, loan, or other accounts, go to Red Flags Rule Best Practices for Units that Administer Accounts for information on how to comply with the Rule.
- If your unit offers leases to individuals for their personal, nonbusiness purposes, follow the guidelines of Red Flags Rule Best Practices For Units that Enter, Generate, or Alter Personally Identifying Information.
- If your unit (a) bills for fines or (b) requires payment when goods or services are rendered but pursues debt collection from nonpaying patrons,
- If your unit provides goods or services that are paid for later, go to Red Flags Rule Best Practices For Units that Provide Goods or Services That Are Paid For Later for compliance information.
- If your unit enters, generates, or alters personally identifying information (such as name, address, phone number, date of birth, gender, NetID, Enterprise ID, email address, UIN, SSN, or any other identifier), go to Red Flags Rule Best Practices For Units that Enter, Generate, or Alter Personally Identifying Information for information on how to comply.
- If your unit issues cards that can be used to access covered accounts, you can find compliance information at Red Flags Rule Best Practices For Units that Issue Cards That Can Be Used to Access Accounts.
What Guidelines Must All Units with Covered Activities Follow?
Follow Existing Policies
Because other legislation addresses data security for personally identifying information, the Rule does not specifically address data security. The Rule assumes that other mandates are being followed so that good data security and privacy measures are in place. Other mandates include FERPA, HIPAA, and PIPA. The University’s data security and privacy policies ensure that these other requirements are being met. The University’s Red Flags program is therefore in addition to Section 19: Business Systems Access and Security of the Business and Financial Policies and Procedures manual. The Information Security Policy and other University, campus, and unit-level policies addressing identity theft, fraud, and misuse of University ID cards remain in effect, and the University’s Red Flags program supplements them.
Have Appropriate Procedures, Training, and Supervision in Place
- Outline and document procedures for preventing, detecting, and mitigating the effects of identity theft. Procedures must include means to monitor and detect instances of red flags. Procedures should include instructions on how to handle all of the unit responsibilities related to your unit’s covered activities.
- Ensure that staff members are trained to carry out your unit’s procedures.
- Provide ongoing supervisory guidance.
- Ensure that any third-party vendor(s) your unit contracts with are in compliance with the relevant requirements of the Red Flags Rule and that they report to you any Red Flags incidents related to the data they handle on behalf of your unit.
Establish a Red Flags Unit Contact Person
If your unit has a covered activity, identify a unit contact person on the Red Flags Unit Registration and Update form. Unit contacts are responsible to:
- Communicate with the Red Flags Steering Committee
- Participate in Red Flags–related training and information sessions
- Report relevant information to the Red Flags Steering Committee
For In-Person Services
- Always check IDs for in-person services.
- Require a University of Illinois ID card or a government-issued photo ID such as a driver’s license or passport. A list of acceptable government IDs is posted at www.icard.uillinois.edu/proofs.
- Check that the ID has not expired.
- Be sure the photo matches the person in front of you.
- Inspect IDs and other documents carefully for signs of fraud or alteration. Check that the photo, text, and other elements have not been tampered with.
- Require clear, legible IDs and documents. If a photo is too worn for you to compare with the person, ask for an alternate ID. If IDs or other documents are not legible, ask for alternate IDs/documents. (Worn i-cards are replaced free of charge at campus ID Centers as long as the worn card is turned in to the ID Center and is not otherwise damaged.)
- If your unit provides services to people who have an i-card, visitor card, or other University-issued magnetic-stripe card, it is best to use an electronic card swipe to verify a cardholder’s eligibility for service. Card swipes are provided by the i-card Programs Office. Contact the i-card Help Desk at email@example.com if your unit needs a card swipe.
For Online Services
Require a password-protected login for online access and transactions. Logins must comply with Section 19: Business Systems Access and Security of the Business and Financial Policies and Procedures manual. Bluestem and Enterprise ID logins are recommended where feasible.
Over the Phone
- Avoid account transactions and disclosure of confidential information over the phone.
- Avoid making changes to personally identifying information over the phone.
- If there is an unavoidable business need to allow phone access, require callers to verify identity by providing nonpublic information about themselves and checking it against your office’s records. Ensure that you rely on information that is truly nonpublic. Date of birth, mother’s maiden name, and other information can be found on the web and are often known to family members, friends, and others.
Report Relevant Information to the University’s Red Flags Steering Committee
Use the Red Flags Unit Registration and Update form to report the following information to the RFSC:
- Covered activities, as listed in the “What Activities Are Covered” section above
- Red flags that are not listed in the activity-specific documents linked to from the “What Activities Are Covered” section above
- Third-party (non-University) service provider arrangements and any changes to them
- Sale or transfer of debt to any (non-University) third parties
Use the Red Flags Incident Report form to report any incidents of confirmed or suspected identity theft, including red flags reported to your unit by non-University service providers. Reports should be filed as soon as a case is confirmed.
Who To Ask
Direct any questions to the Red Flags Steering Committee at firstname.lastname@example.org.
Last Updated: June 3, 2011