Policy 6.6 - Red Flags Rule

Date: January 23, 2012, Resolution #12-11

This policy document directly relates to the Red Flags Rule, of the SUNY Schenectady
Board of Trustees, as hereto attached.

Resolutions to Approve the Red Flags Rule Policy

WHERE AS, the Federal Trade Commission (FTC), under the authority granted by the Fair and Accurate Credit Transaction Act of 2003 (FACTA), has issued a Red Flags Rule (16 CFR 681.2) requiring that financial institutions and creditors develop Identity Theft Prevention Programs aimed at recognizing and preventing activity related to identity theft; and

WHERE AS, the Identity Theft Prevention Program must include written policies and procedures for: (1) identifying "covered accounts"; (2) identifying relevant patterns, practices, and forms of activity within those accounts that are “red flags” signaling possible identity theft; (3) detecting red flags; (4) responding appropriately to any red flags that are detected in order to prevent and mitigate identity theft; and, (5) administering the program in a manner that ensures proper staff training, implementation, oversight, and updating; and

BE IT RESOLVED, the Board of Trustees approves the following policy to authorize the President to develop, implement and sustain an Identity Theft Prevention Program (Program) in accordance with the requirements of the Federal Trade Commission. At a minimum, the Program shall include reasonable steps to prevent frauds perpetrated by the misuse of identifying information. The Program will be tailored to the size and scope of the campus and will include appropriate mechanisms to ensure proper oversight, training, and updating. The Program shall be governed by written procedures (Written Program) which are either contained in a stand-alone document or incorporated as part of another broader procedure such as an Information Security Program.

Red Flags Rule

Policy

To authorize the President to develop, implement and sustain an Identity Theft Prevention Program (Program) in accordance with the requirements of the Federal Trade Commission. At a minimum, the Program shall include reasonable steps to prevent frauds perpetrated by the misuse of identifying information. The Program will be tailored to the size and scope of the campus and will include appropriate mechanisms to ensure proper oversight, training, and updating. The Program shall be governed by written procedures (Written Program) which are either contained in a stand-alone document or incorporated as part of another broader procedure such as an Information Security Program.