Financial Policies

FN23 Identity Theft Detection, Prevention and Mitigation Program

Policy Status: 

Under Review

Subject Matter Expert: 

Carolyn Saona, 814-865-6528,

Policy Steward: 

Associate Vice President for Finance and Corporate Controller



In compliance with the Red Flags Rule issued by the Federal Trade Commission, Penn State University has established an Identity Theft Prevention Program. Using reasonable policies and procedures, this Program is intended to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing account and to provide administration of the Program in compliance with Federal Trade Commission requirements, 16 CFR Part 681.

This policy outlines the parameters by which the program will be coordinated and administered. It applies at all University locations.


This program enables Penn State University, in its capacity as a creditor, to protect existing consumers, reduce risk from identity fraud, and minimize potential damage from fraudulent accounts with the least possible impact on business operations.

Note Regarding Third Party Contractors and Service Providers: Penn State University’s Third Party Contractors and Service Providers are expected to follow and be compliant with all federal, state, and local laws or regulations which are applicable to the University. Service Providers and Contractors are required to report any "red flags" to the Chief Privacy Officer. The specific terms and issues of such compliance are addressed in Penn State University’s contractual documents with these providers.

This program applies to business practices used by employees, Third Party Contractors and Service Providers when conducting business activity relating to a "covered account," as defined below. In order to achieve program objectives, these parties will:

  • Identify risks that signify potentially fraudulent activity within new or existing covered accounts.
  • Follow the steps prescribed in program training to detect and evaluate risks if/when they occur during the handling of covered accounts.
  • Respond to risks, and act appropriately, if fraudulent activity has been attempted or committed.
  • Provide information to the Chief Privacy Officer (the Program Administrator), so that the Chief Privacy Officer may evaluate the effectiveness of the Program, and recommend improvements to the Program, as needed.


Identity Theft -A fraud committed or attempted using the "personally identifying information" of another individual without that individual's authority.

Personally Identifying Information -Any full name (first and last) or last name and first initial used in conjunction with other information to identify a specific person. Other identifying information may include their:

  • address
  • telephone number
  • social security number
  • date of birth
  • driver’s license number
  • identification card number
  • credit/debit card number, in combination with a password

Covered Accounts - For the purposes of the Identify Theft Program at Penn State University, covered accounts specifically refer to any account the University offers or maintains primarily for personal, family or household purposes, that involves multiple payments or transactions. A covered account also includes any other accounts offered or maintained for which there is a reasonable foreseeable risk to customers or to the safety and soundness of the University from identity theft.

Customer - An individual who has a “covered account” with the University.

Creditor - Entities that defer payment for services rendered and bill customers later; who regularly participate in the decision to extend, renew, or continue credit. Includes University departments, as well as Penn State’s Third Party Contractors and Service Providers.

Red Flag– A practice, pattern of behavior, or specific activity that indicates the possible existence of identity theft.


Authorized by the Board of Trustees in March 2009, this program is intended to detect, prevent, and mitigate identity theft in connection with "covered accounts," and to provide guidelines for the administration of the Program per Federal Trade Commission requirements, 16 CFR Part 681.

Upon Board of Trustee authorization, the Senior Vice President for Finance and Business (or Designee) has delegated operational responsibility of the program to the Chief Privacy Officer, who serves as the Program Administrator. The Program Administrator shall exercise appropriate and effective oversight over the program and shall report regularly to theSenior Vice President for Finance and Business (or Designee) on the program.

The Program Administrator is responsible for developing, implementing and updating the program throughout the University system.

The program will be periodically reviewed and updated to assure reasonable policies and procedures to identify relevant red flags, detect red flags, and respond appropriately to red flags. The Program Administrator will consider the University’s experiences with identity theft; changes in identity theft methods; changes in types of accounts the University maintains; changes in the University’s business arrangements with other entities; and any changes in legal requirements in the area of identity theft.

The Program Administrator shall confer with all appropriate University personnel as necessary to ensure compliance with the program. The Program Administrator shall annually report to the Senior Vice President for Finance and Business (or Designee) on the effectiveness of the program. The Program Administrator shall present any recommended changes to the Senior Vice President for Finance and Business (or Designee) for approval. Senior Vice President for Finance and Business (or Designee) approval shall be sufficient to make changes to Penn State University’s Identity Theft Program.


Training shall be required for all employees whose responsibilities result in their conducting business activity relating to covered accounts. This training will provide the appropriate information that, upon completion, will enable participants to identify, detect, respond to, and minimize the impact of identity theft at the University. Subsequent training will be required when significant changes occur, as recommended and announced by the by the Program Administrator.

Training may be accessed as follows:

  1. Go to
  2. Press the “Logon” button and login in with your Penn State Access Account
  3. Under My Groups, click on “Find a Group”
  4. In the Keyword Search box, type in “Identity Theft Prevention Program” and click on the Search button
  5. Click on the “Identity Theft Prevention Program” link


For questions, additional detail, or to request changes to this policy, please contact the Privacy Office.

Most Recent Changes:

  • November 8, 2018 - Subject Matter Expert added.

Revision History (and effective dates):

  • September 13, 2018 - Editorial changes to remove redundant Date Approved, Date Published, and Effective Date information.
  • January 29, 2014 - Editorial changes. Updated policy steward, per request of the Chief Privacy Officer.

  • September 27, 2013 - Editorial changes. Addition of policy steward information, in the event that there are questions or requests for changes to the policy.
  • June 29, 2010 - New Policy.

Date Approved: 

June 25, 2010

Date Published: 

June 29, 2010

Effective Date: 

June 29, 2010