Identity Theft Prevention Policy

Policy Number: OCP 200-18

The risk of data loss and identity theft to the college, its employees, students and applicants is a significant concern of Olympic College. In response to the Fair and Accurate Credit Transactions Act of 2003 (FACTA), and in accordance with the Federal Trade Commission (FTC), the college will maintain procedures to identify, detect, and respond appropriately to a pattern, practice, or specific activity indicating the possible existence of identity theft (“red flag”) in order to prevent and/or mitigate harm.


  • Recommended by Barbara Martin
  • Submitted to President’s Cabinet for Review February 23, 2010
  • Approved by President February 23, 2010
  • Submitted to Board of Trustees March 23, 2010
  • Approved by Board of Trustees April 27, 2010
  • Published in Washington Administrative Code n/a

Identity Theft Prevention Procedures

Policy Number: OCP 200-18-01

I. Definitions

  1. Covered Account: A covered account involves multiple payments or transactions, as well as any other account the College offers or maintains for which there is a foreseeable identity theft risk, most often in payroll, human resources, accounting, admissions, or financial aid functions.
  2. Customer: All current and prospective students and employees of Olympic College.
  3. Identity Theft: Identity theft means fraud committed or attempted using the identifying information of another person without authority.
  4. Identity Theft Committee: The identity theft committee is a team, including the program administrator, who is responsible for developing, implementing and updating the identity theft program, as well as reviewing, investigating, and responding to suspicious activity reports.
  5. Program Administrator: The program administrator is responsible for program administration and updating the policy.
  6. Red Flag: A red flag is a pattern, practice, or specific activity indicating the possible existence of identity theft.

II. Identifying Red Flags

Each department should identify relevant red flags and conduct a risk assessment. Possible sources used for identifying red flags include:

  1. Credit reporting agency warnings of fraud, credit freezes, or inconsistent credit activity.
  2. Suspicious documents, such as forged, altered, or inauthentic identification cards.
  3. Suspicious personal identifying information, including forged, altered, incomplete, inconsistent, or inauthentic data, presented on applications, drivers’ licenses, social security number, phone number, address, or student records.
  4. Suspicious account activity or unusual use of account, including:
    1. Change of address followed by a request to change the account holder's name.
    2. Payments stopped on an otherwise consistently up-to-date account.
    3. Account use inconsistent with prior use.
    4. Mail sent to the account holder repeatedly returned as undeliverable.
    5. Notice to the college that a student is not receiving mail sent by the college.
    6. Notice to the college that an account has unauthorized activity.
    7. Breach in the college’s computer system security.
    8. Unauthorized access to or use of student or staff account information.
    9. Unreasonable change requests.
  5. Notice to the college from a customer, a victim of identity theft, a law enforcement authority or other person, of an act or acts of identity theft.

III. Confirming Identity

Each department should develop methods for confirming identity when a Red Flag is identified. Possible methods for confirming identities include:

  1. Verifying the identity of people making transactions by requiring identifying information such as name, date of birth, residential or business address, principal place of business for an entity, driver's license, or student identification card.
  2. Contacting the student or staff member independently.
  3. Verifying changes requested through a separate contact.

IV. Preventing and Mitigating Identity Theft

Upon detection and depending upon the degree of risk, staff should take one or more of the following steps to prevent and/or mitigate identity theft as appropriate:

  1. Notify the identity theft committee in writing of the suspicious activity.
  2. Monitor the account for further evidence of identity theft.
  3. Contact the customer who is the proper owner of the account.
  4. Change passwords or other security codes and devices that permit access to the account.
  5. Disallow opening a new account under the same name.
  6. Close the existing account.
  7. Reopen the account with a new number.
  8. Stop attempts to collect payment on the account.
  9. Notify the Program Administrator for determination of the appropriate step(s) to take.
  10. Notify law enforcement.

V. Protecting Student or Staff Identifying Information

In order to further prevent the likelihood of identity theft, the college shall take the following steps to protect customer identifying information:

  1. Post proper signage in staff/student interaction areas where audio privacy may be a concern.
  2. Undertake complete and secure destruction of paper documents and computer files containing student or staff information.
  3. Make office computers password protected and provide that computer screens lock after a set period of time.
  4. Keep offices clear of papers containing customer identifying information.
  5. Maintain up-to-date computer virus protection.
  6. Require and keep only the kinds of customer information that are necessary for College purposes.
  7. Require program administrators to work with the identity theft committee to review this policy periodically so that improvements in identity theft detection and prevention can be identified and implemented.
  8. Require service providers engaged by the college to perform their activities in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.

Initiated April 27, 2010