Policy

Definitions of Confidential and Sensitive Information

________________________________________
Document Number: REDFLAG--102
Revision #: 2.0
Document Owner: VP of Academic Affairs
Date Last Updated: 04/23/2018
Primary Author: VP of Academic Affairs
Status: Approved
Date Originally Created: 12/14/2011
________________________________________
General Description

Description:
Information about confidential and sensitive information (CSI).

Purpose:
Delineation of policy and definitions.

Scope:
All faculty, staff, students, and administrators

Responsibility:
Administration
Executive VP
VP of Business and Finance
________________________________________
Requirements

Relevant Knowledge:
 
Current University policy
Federal statutes
Standard company policies
Standards of good practice
State statutes

Terms and Definitions:
Additional training
Corrective Action
Fine
Loss of privilege, general
Termination
Staff members who knowingly and blatantly violate this policy may be terminated.
________________________________________
Policy Provisions

1. Definitions of Confidential and Sensitive Information (CSI)

Confidential and Sensitive Information includes, but is not limited to, the following identifiers whether contained in hard copy or electronic format.


1.1 Personal Information

1. Social Security Number
2. Social Insurance Number
3. Date of Birth
4. Mother’s Maiden Name
5. Driver’s License Information
6. Professional License Information
7. Paychecks, Pay stubs, Pay rates
8. Passport Information


1.2 Financial Information

1. Credit Card Numbers
2. Credit Card Expiration Dates
3. Credit Card CCV Numbers
4. Bank/Credit Union Account Numbers
5. Billing Information
6. Payment History


1.3 Medical Information

1. Medical Records
2. Doctor Names and Claims
3. Health, Life, Disability Insurance Policy Information
4. Prescription Information


1.4 Business Information

1. Federal ID Numbers
2. Proprietary Information
3. Trade Secrets
4. Business Systems
5. Security Systems
6. Employee Identifiers
7. Student Identifiers
8. Access Numbers / Passwords
9. Customer, Student, Patient Identifiers
10. Vendor Numbers
11. Account Numbers



2. Account

An account is a body of information, or a record, or an individual, group, or entity that is kept for the purpose of transacting on an on-going basis with another individual, group, or entity. The terms “accounts” and “records” are used interchangeably because they share similar functions and characteristics. Both contain identifiable information on an individual, group, or entity. They each allow for access to products or services, and keep a history of transaction activity.


3. Covered Account

Both new and existing accounts where a continuing relationship exists between the University and an individual, group, or entity are considered “covered accounts.” There are two definitions.
1. An account that the University offers or maintains, primarily for personal, family, or household purposes, that involves or is designated to permit multiple payments or transactions. Examples include a credit card account, tuition and fee payment, bookstore purchases, and/or other financial transactions of matriculated and non-matriculated students and of employees.
2. Any other account that the University offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or mitigation risks.


4. Electronic or Soft Copy Format

Electronic or Soft Copy Format refers to any Confidential and Sensitive Information that exists electronically on CDs, DVDs, phones, computers, networks, portable devices, etc.


5. Hard Copy Format

Hard Copy Format refers to any Confidential and Sensitive Information that exists physically on paper.


6. Physical Access Zone

A physical access zone is a clearly defined physical or implied boundary established to control and limit access to CSI areas.


7. Red Flags

Red Flags are patterns, practices, or specific activities involving covered accounts that indicate the possible risk of identity theft.


8. Service Provider

A service provider is any individual, group, or entity that directly provides a service to the University or on behalf of the University for its customers or clients.


9. Spoken Word

Spoken Word refers to the transfer of Confidential and Sensitive Information verbally or audibly through electronic media.




________________________________________
Performance Evaluation

Performance Metrics:
 
Compliance with standard policy and procedure
Compliance with federal mandate

Consequences:
Further training
Job Termination
Loss of privileges
________________________________________
Subject Experts

The following may be consulted for additional information.

VP of Academic Affairs

VP of Business and Finance