Indiana University Red Flag Rules Frequently Asked Questions

 

Why is my department/unit deemed a covered account?

 

The most common reasons for a department/unit to be deemed a covered account are:

a.  The department/unit sells goods or services to individual consumers and invoices the customer after they receive the goods or services.

b.  The department/unit allows the individual consumer to make installment payments.

c.  The department/unit utilizes credit bureau reports.

Is there a materiality threshold when considering if my department/unit is deemed a Covered Account?

No. The Identity Theft Prevention Program approved by the Board of Trustees was put into place based on the Federal Trade Commission's (FTC) Red Flag Rules regulation found in 16 CFR Part 681.2. This regulation is intended to ensure that measures are put into place to prevent identity theft of individual consumers. There is no dollar limit to the amount of credit being extended, and one individual consumer makes the department/unit subject to the regulation.

If my department collects a deposit from a customer and then receives the remainder of the payment AFTER the event (e.g., for a reception or training event), am I considered a Covered Account?

Yes, if the department/unit collects a deposit and receives the remainder after the event then the department is considered to extend credit and is a Covered Account.  A Covered Account is subject to the reporting requirement outlined in the Indiana University Red Flag Program.

If my department/unit gives customers the option to make installment payments or pay one lump sum but requires payment in full prior to providing the good or service, am I considered a Covered Account?

No.  If your department/unit collects the full payment prior to the event occurring, the University is not extending credit and your department/unit is not subject to the reporting requirements of a Covered Account.  The number of payments is not a factor in determining if the department/unit is a Covered Account in this circumstance.

If my department/unit sells to another University or Corporation and that is my only customer base where invoicing is an option, is my department/unit considered a Covered Account?

No, if your department does not allow any invoicing options to individual consumers, the invoicing aspect will not deem your department/unit a Covered Account.  However, if your department/unit bills one individual consumer then your unit is subject to the reporting requirements of a Covered Account.

Does the 2010 Red Flag Program Clarification Act, which redefines the meaning of a creditor, exclude patient accounts as a creditor?

Indiana University meets the definition of the Creditor, so, collectively, the Red Flag Rules apply to the University.  As a result, some departments/units within Indiana University that may otherwise not have been deemed a Creditor individually (i.e., patient accounts) based on the 2010 Red Flag Program Clarification Act are still considered to be within the scope of IU's Identity Theft Prevention Program, because they are a part of Indiana University and their account is considered to meet the definition of a Covered Account.

If my department/unit is billing a sponsored account for an international student's tuition, am I considered a Covered Account?

If another college, university or corporation is sponsoring all of the students then the department/unit may be excluded from a Covered Account.  If the department/unit is billing an individual for one or more students within the last year, then the unit qualifies as a Covered Account.

How should we report any instances of possible identity theft? What do we do if we have a disclosure of any of these types of data?

If at any time you become aware of an unauthorized disclosure or exposure of any personal data (i.e., SSN (if more than the last four digits), driver's license number, state identification card number, credit card number, debit card number, financial accounts, security codes, access codes or passwords of a financial account), please immediately call your campus Support Center or Network Operations Center, send details to the IT Policy & Security office at it-incident@iu.edu, and copy the Red Flag Committee at jmabry@iu.edu.  The IT Policy and Security Office will coordinate incident response and ensure that all appropriate steps are taken.

 

For additional data, please refer to:  http://protect.iu.edu/cybersecurity/data/laws/IN#disposal

My department uses the approved list of external collection agencies. Do I need to request a copy of their Red Flag program as a service provider?

The Red Flag Committee will collect the Red Flag documentation from all approved external collection agencies.  If your department is using one of the approved external collection agencies, you do not need to collect any data from this service provider.

I participated in a Red Flag Survey last year; do I need to complete the survey again?

Yes. Fiscal Officers and activities within departments/units change and the survey is the easiest way for us to ensure we identify potential Covered Accounts and remain in compliance with the Identity Theft Red Flag Rules.

My department/unit was deemed a Covered Account in the previous year. Do I need to complete the certification process, conduct training, and fulfill the other requirements described in the Standard Operating Procedure again this year?

Yes. The requirements of the Indiana University Identity Theft Prevention Program described in the Standard Operating Procedure are required on an annual basis.  The department/unit head or their designee should fulfill the following requirements on an annual basis:

  • Conduct a review of University IT policies related to personal and data security to ensure customer master file is secure.
  • Complete their annual review of controls in place to prevent, detect, and mitigate Identity Theft.
  • Complete employee training for all existing and new employees.
  • Certify their Identity Theft Program has no additional changes or update their plan. A copy of the plan will need to be submitted each year.
  • Certify any instances of potential Identity Theft.
  • Verify compliance with the Red Flag Rules by any Service Providers that they are using.

My email has been blocked from receiving the Red Flag Surveys electronically (from SurveyMonkey). Can I unblock my email?

  • You can opt in by going to http://www.surveymonkey.com/OptOut.aspx.
  • Please enter your email address and then click Unblock Email Address.
  • You will receive a follow-up message asking you to confirm this request. Once you confirm, your email is automatically updated into the account holder's address book(s) and email list(s).

What are stored value cards? Are stored value cards treated as Covered Accounts by Indiana University?

A stored-value card is a payment card with a monetary value stored on the card itself. The value is not held in an external account maintained by a financial institution, which distinguishes a stored-value card from a debit card, where money is on deposit with the issuer. Another difference between stored-value cards and debit cards is that debit cards are usually in the name of the individual account holders, while stored-value cards are anonymous.

 

If a card is not associated with a specific person (i.e., has the cardholder's name on the card), does not have personal information associated with the card itself, and does not allow the cardholder to add additional funds to the card online, Indiana University would not consider the stored value card a covered account.

 

Indiana University campus cards are considered covered accounts for purposes of Red Flags.

If I take security deposits, does that make me a Covered Account?

Typically no.  Accepting security deposits by itself does not create a covered account; however, if your unit does collect security deposits, we suggest contacting your campus Red Flags contact to discuss whether the particular arrangement creates any material risk of identity theft and could create a covered account based on other characteristics.