University of Illinois Red Flags Rule Best Practices for Units that Enter, Generate, or Alter Personally Identifying Information
Use the guidelines below in conjunction with the main Red Flags Rule Identity-Theft Prevention Program Best Practices, which apply to all units.
What Personally Identifying Information Is Covered by the Red Flags Rule?
Information Related to Accounts
The Red Flags Rule (the “Rule”) seeks to protect individuals from identity theft involving the misuse of accounts. Other federal and state legislation addresses other dimensions of identity theft. Compliance with other mandates is embodied in the Section 19: Business Systems Access and Security of the Business and Financial Policies and Procedures manual and other University, campus, and unit-level policies. Those policies remain in effect, and the University’s Red Flags program supplements them.
The University’s Red Flags program covers only personally identifying information that is or may become associated with covered accounts at the University. If the data your unit handles enters Banner, i-card, or any other system that may be used when accounts are opened or used, your unit is required to follow these guidelines.
Units that enter or alter data only for the purpose of hiring already comply with these guidelines as a result of filing I-9 forms for new hires. If your unit enters or alters data only for the purpose of hiring, you do not need to register with the Red Flags Steering Committee. There is one exception: If your unit grants 0% appointments for individuals who do not file I-9 forms, you must register with the Red Flags Steering Committee to confirm that you follow these guidelines for 0% appointments.
The following pieces of personally identifying information can be used alone or with each other to uniquely identify an individual account holder. Therefore, unauthorized use of that information puts accounts at risk for unauthorized use. The list below is not exhaustive. Your unit may be aware of other identifiers relevant to its business practices, such as driver’s license numbers or passport numbers.
Most individuals’ University records include several phone numbers and addresses. Any addresses or phone numbers that are or may become associated with an account are covered by the Rule.
- Name (surname/last name, first name, middle name, and suffix; also, any previous names)
- Phone number
- Date of birth
- Campus network ID (NetID)
- University Enterprise ID
- Email address
- University identification number (UIN)
- Social Security number (SSN)
What Actions Are Covered?
- Entering new data into a system
- Altering data that is already in a system
- Maintaining a system that generates UINs, network IDs, Enterprise IDs, or email addresses
What Are My Unit’s Responsibilities?
Verify Identity When Establishing or Changing Information in University Systems
- Offices that originally enter or change personally identifying information must have procedures for verifying personally identifying information.
- Follow the guidelines in the Verify Identity section of the main best-practice guidelines.
- Verify in person when establishing a record; verify in person or by secure login when changing information.
- Use photo IDs to verify only the personally identifying information contained on the ID. Elements not on the ID require supporting documentation that matches the person’s name on the ID.
Be Able to Recognize Red Flags
Define which patterns, practices, or specific activities indicate the possible presence of identity theft; that is, identify red flags that alert your unit to potential cases. The Rule includes a list of 26 examples of red flags. The following table shows the examples that apply to entry, generation, and alteration of personally identifying information. Your unit should also monitor for other red flags that you have identified as relevant to your operations. Be sure to report these additional red flags to the Red Flags Steering Committee using the Red Flags Unit Registration and Update form .
FTC Red Flags Examples—Personally Identifying Information
- Documents provided for identification appear to have been altered or forged.
- The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
- Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
- Other information on the identification is not consistent with readily accessible information that is on file with [the University/unit], such as a signature card or a recent check.
- An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
- Personal[ly] identifying information provided is inconsistent when compared against external information sources used by [the University/unit]. For example:
- The address does not match any address in the consumer report; or
- The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File.
- Personal[ly] identifying information provided by the customer is not consistent with other personal[ly] identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
- Personal[ly] identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the [University/unit]. For example:
- The address on an application is the same as the address provided on a fraudulent application; or
- The phone number on an application is the same as the number provided on a fraudulent application.
- Personal[ly] identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by [the University/unit]. For example:
- The address on an application is fictitious, a mail drop, or prison; or
- The phone number is invalid, or is associated with a pager or answering service.
- The SSN provided is the same as that submitted by other persons opening an account or other customers.
- The address or telephone number provided is the same as or similar to the account number [sic] or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
- The person opening the covered account or the customer fails to provide all required personal[ly] identifying information on an application or in response to notification that the application is incomplete.
- Personal[ly] identifying information provided is not consistent with personal[ly] identifying information that is on file with [the University/unit].
- For [units] that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
Who To Ask
Direct any questions to the Red Flags Steering Committee at email@example.com.
Last Updated: July 8, 2011