General Requirements for All Units
The requirements listed here apply to each unit that performs or outsources any activity covered by the Red Flags Rule. Additional activity-specific requirements apply for account- and card-related activities. To determine whether your unit must comply with the Red Flags Rule, read Covered Activities.
Follow Existing Policies
Because other legislation addresses data security for personally identifying information, the Rule assumes that other mandates are being followed so that good data security and privacy measures are already in place. Other mandates include FERPA, HIPAA, and PIPA. The University's data security and privacy policies ensure that these other requirements are being met.
The University's Red Flags program is therefore in addition to its information security policy and other University, campus, and unit policies that address identity theft, fraud, and misuse of University ID cards. (AITS's IT Policies page contains links to many of these related policies.)
When Establishing or Changing Information in University Systems
Verifying that personally identifying information is accurate, and that the person presenting it is actually the person it identifies, is vital to preventing identity theft. Specific requirements apply for in-person, online, and phone service situations, and these are guided by three overarching "musts":
- When you establish (add) a record in any system, verify identity in person whenever possible.
- When you change information in any system, verify identity in person or by secure login.
- Use photo IDs to verify only the personally identifying information that ID contains. Elements not on an ID (such as an address) require other supporting documentation that matches the name on the photo ID.
For In-Person Services
- Always check IDs for in-person services.
- Require a University of Illinois ID card or a government-issued photo ID such as a driver's license or passport. A list of acceptable government IDs is posted at go.illinois.edu/ProofsOfIdentity.
- Require clear, legible IDs and documents. If a photo is too worn for you to compare with the person, ask for an alternate ID.
- Check that IDs and supporting documents are valid and legitimate, as follows:
  - The ID is not expired, or the document(s) are recent.
  - The photo matches the person in front of you.
  - Any photo, text, or other elements have not been tampered with.
  - There are no other signs of fraud or alteration.
- If any information is not legible or a document is suspect, ask for alternate IDs or documents.
Note: If your unit provides services to people who have an i-card, visitor card, or other University-issued magnetic-stripe card, it is best to use an electronic card swipe to verify a cardholder's eligibility for service. Card swipes rely on current University records. Card swipes are provided by i-card Programs.
For Online Services
Require a password-protected login for access and transactions. Logins must comply with Section 19: Business Systems Access and Security of the Business and Financial Policies and Procedures manual. NetID logins are recommended.
Over the Phone
Avoid making changes to personally identifying information over the phone. If there is an unavoidable business need to allow phone access, require callers to verify their identity by providing nonpublic information about themselves, and check that information against your office's records.
Rely only on information that is truly nonpublic. (Date of birth, mother's maiden name, and similar details can be found online and are often known to family, friends, and others.)
Have Appropriate Procedures, Training, and Supervision in Place
The Red Flags Rule mandates an identity theft protection program that is incorporated into daily operations. There is no "one size fits all" solution. The University requires that each unit's program have documented procedures for:
- Identifying red flags.
- Detecting and responding to red flags.
- Keeping current to detect new threats.
Units must also:
- Ensure that staff members are trained to carry out your unit's Red Flags procedures.
- Provide ongoing supervisory guidance.
Identify Red Flags
In order to form procedures for detecting and responding to red flags, you must first identify and list the red flags you know and expect your unit will encounter. The Examples of Red Flags are a good starting point, but your unit may know of even more.
Be Able to Detect and Respond to Red Flags
Document how you will monitor for and detect red flags. Include procedures for how your unit will respond when any red flag is detected. Your procedures must include instructions on how to handle all of the responsibilities related to your unit's covered activities.
Keep Your Program Current
Make a detailed plan of how your unit will keep current, so it is able to identify and detect new red flags.
Ensure that Service Providers Follow the Red Flags Rule
If any non-University third parties handle account or debt-collection functions for your unit, you must:
- Inform providers of the University's Red Flags program and policy.
- Require and maintain a Red Flags compliance statement from each provider.
- Require providers to report to you immediately any confirmed incidents that involve your accounts or the personally identifying information associated with them.
- Keep a list of these providers and the services (ongoing or new) they provide, for use in annual reporting.
Establish a Red Flags Unit Contact Person
Choose an employee to serve as "reporter" for Red Flags Rule activities. Ideally, this person should be well-informed about your unit's operations relating to covered activities and personal information. Identify your contact person on the Unit Registration and Update form.
Unit contacts are responsible for reporting the information noted in the next topic. Unit contacts must also participate in Red Flags related training and information sessions.
Report Relevant Information to the Red Flags Steering Committee
What is "relevant"? Your unit contact is responsible for reporting:
- Incidents of confirmed or attempted identity theft. Report these cases immediately using an Incident Report form.
- Covered activities, third-party service provider arrangements, and new "red flags" encountered during the calendar year. Provide this information annually, when prompted by the committee.
- Possible red flag activities. Email any questions or concerns immediately to firstname.lastname@example.org.
- Sale or transfer of debt to any (non-University) third parties.
Who To Ask
Direct any questions to the Red Flags Steering Committee: email@example.com.
Last Updated: October 13, 2016