Red Flags Rule
In response to the growing threats of identity theft in the United States, Congress passed the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which amended a previous law, the Fair Credit Reporting Act (FCRA). This amendment to FCRA charged the Federal Trade Commission (FTC) and several other federal agencies with promulgating rules regarding identity theft. On November 7, 2007, the FTC, in conjunction with several other federal agencies, promulgated a set of final regulations known as the “Red Flags Rule”. The Red Flags Rule became effective November 1, 2008.
The Red Flags Rule regulations require entities with covered accounts, including universities, to develop and implement a written Identity Theft Prevention Program (hereinafter, the “Program” or the “Identity Theft Program”) for combating identity theft in connection with certain accounts. The Program must include reasonable policies and procedures for detecting, preventing and mitigating identity theft, and must enable the entity with covered accounts to:
- Identify relevant patterns, practices, and activities, dubbed “Red Flags”, signaling possible identity theft and incorporate those Red Flags into the Program;
- Detect Red Flags;
- Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
- Ensure the Program is updated periodically to reflect changes in risks.
This document outlines the required Red Flags Rule Program of the University of Connecticut. The Program is extended to encompass not just financial or credit accounts, but any University account or database for which the University believes there is a reasonably foreseeable risk to the University, its students, faculty, staff, patients, constituents or customers from identity theft.