CSUF Identity Theft Prevention Implementation Plan
Red Flags Rule
The Red Flags Rule applies to financial institutions and “creditors” that offer or maintain accounts that provide for multiple transactions primarily for personal, family, or household purposes. The definition of “creditor” is broad, and includes any entity that regularly extends credit. Institutions are considered creditors if they provide goods or services that are not fully paid for in advance or allow individuals to defer payment for goods or services. The rule does not apply if the institution is merely accepting a credit card for payment.
Red Flags are defined as those events that should alert an organization to potential risk of identity theft. Under the Red Flags Rule, the CSU is required to establish a documented Identity Theft Prevention program that provides for the identification, detection, and response to patterns, practices, or specific activities that could indicate identity theft.
CSUF remains responsible for compliance with the Red Flags Rule even if it outsources operations to a third party service provider. (For CSUF: ECSI) Whenever CSUF engages a service provider to perform an activity in connection with one or more covered accounts, the campus will take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. For example, CSUF could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider’s activities, and either report the Red Flags to CSUF, or to take appropriate steps to prevent or mitigate identity theft.
Red Flags Rule Complete Implementation Plan