The FTC 'Red Flags Rule' -- A Model or Directive for 'Best Practices' in Preventing Identity Theft & Implementing Privacy Protections in On-Line Enrollment/Financial Aid in Colleges & Universities?

July 29, 2013

Increasingly, colleges and universities are facing claims of identity theft and the theft and/or misuse of confidential personal information of their students. For instance, students have complained about identity theft where a person using the student's name and personal information (including the student identifier) has enrolled in online courses, applied for financial aid, and then withdrawn after the aid was disbursed. The student whose information was stolen - and who never signed up for the online course or received the financial aid - then contacts the institution, claiming to be wrongfully pursued by the school or another creditor for the financial aid payments. There are a variety of industry-specific 'best practices' for early detection and prevention of identity theft and the theft and/or misuse of confidential personal information. The FTC's 'Red Flags Rule' - which may apply to some colleges and universities - mandates a written identity theft prevention program and "playbook" to detect "red flags" of identity theft. The FTC's 'Red Flags Rule' "playbook" must include details to: (1) identify relevant patterns, practices, and specific forms of activity — the "red flags" — that signal possible identity theft (e.g. suspicious login activity in time, number, frequency, duration, etc.); (2) incorporate business practices to detect red flags (e.g. designate a responsible person or persons, a reporting structure, vendors, etc.); (3) detail the appropriate response to any red flags you detect in order to prevent and mitigate identity theft (e.g. mandate a written reporting structure and reporting form, etc.); and (4) be updated periodically to reflect changes in the risks of identity theft (e.g. regularly conduct risk-based assessments internally or periodically with an outside vendor, etc.).
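
The first two playbook elements above (identifying red-flag patterns and building a practice that detects them) can be illustrated with a small detection routine. The following is an added example, not part of the original alert and not any institution's actual program: it runs over constructed portal events (student ID, action, source address) and raises the two patterns the alert describes, a single login source used across several student accounts, and a withdrawal shortly after aid was disbursed on an online enrollment. Field names, thresholds and the sample records are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): (timestamp, student_id, action, source_ip).
EVENTS = [
    ("2013-07-01T09:00", "S100", "login", "10.0.0.5"),
    ("2013-07-01T09:02", "S100", "enroll_online", "10.0.0.5"),
    ("2013-07-01T09:05", "S100", "apply_aid", "10.0.0.5"),
    ("2013-07-10T08:00", "S100", "aid_disbursed", "system"),
    ("2013-07-11T03:15", "S100", "withdraw", "10.0.0.5"),
    ("2013-07-01T09:20", "S101", "login", "10.0.0.5"),
    ("2013-07-01T09:22", "S101", "enroll_online", "10.0.0.5"),
    ("2013-07-01T09:25", "S101", "apply_aid", "10.0.0.5"),
    ("2013-07-03T12:00", "S200", "login", "192.0.2.7"),
    ("2013-07-03T12:10", "S200", "enroll_online", "192.0.2.7"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def red_flags(events, shared_ip_threshold=2, withdraw_window=timedelta(days=3)):
    """Return (student_id, description) pairs for patterns the program should review.

    Thresholds are assumed values; a real program would tune them from its own risk assessment.
    """
    flags = []
    by_student = defaultdict(list)   # student_id -> [(time, action), ...]
    ids_per_ip = defaultdict(set)    # source_ip -> {student_id, ...}
    for ts, sid, action, ip in sorted(events):  # ISO timestamps sort lexically
        by_student[sid].append((parse(ts), action))
        if action == "login":
            ids_per_ip[ip].add(sid)
    # Red flag 1: one login source reaching several distinct student accounts.
    for ip, sids in ids_per_ip.items():
        if len(sids) >= shared_ip_threshold:
            for sid in sorted(sids):
                flags.append((sid, f"login source {ip} shared by {len(sids)} student IDs"))
    # Red flag 2: online enrollment, aid disbursed, then withdrawal inside the window.
    for sid, acts in by_student.items():
        disbursed = [t for t, a in acts if a == "aid_disbursed"]
        withdrawn = [t for t, a in acts if a == "withdraw"]
        if any(a == "enroll_online" for _, a in acts) and disbursed and withdrawn:
            if any(timedelta(0) <= w - d <= withdraw_window for d in disbursed for w in withdrawn):
                flags.append((sid, "withdrawal within window after aid disbursement"))
    return flags
```

Each flagged pair is the input to the third playbook element: it should feed the written reporting structure rather than trigger an automatic denial, since a shared address can also be a campus lab.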

CLIENT TIP: In a general way, the FTC's 'Red Flags Rule' may be instructive on how colleges and universities can monitor, detect, and resolve data privacy threats or thefts of confidential information belonging to students. In a more targeted way, colleges and universities must consider whether they are subject to the FTC's 'Red Flags Rule', which applies to a variety of "creditors", including "anyone who directly or indirectly holds a transaction account belonging to a consumer." Since December 2010, this catch-all category applies to a wide-ranging group of entities that regularly, and in the ordinary course of business, meet one of three general criteria; they: (1) obtain or use consumer reports in connection with a credit transaction; or (2) furnish information to consumer reporting agencies in connection with a credit transaction; or (3) advance funds to -- or on behalf of -- someone, except for funds for expenses incidental to a service provided by the creditor to that person. If a college or university meets any of these three criteria, then it could be subject to the FTC's 'Red Flags Rule'.