INTRODUCTION TO THE RED FLAGS RULE – 15.91 – Identity Theft Protection


The Federal Trade Commission (FTC) Red Flags Rule, 16 C.F.R. Part 681.1, issued pursuant to the Fair and Accurate Credit Transactions Act (FACTA), requires the development and implementation of a written identity theft prevention, detection, and mitigation program. The purpose of the program is to detect patterns, practices, and specific forms of activity that indicate the existence of identity theft and to prevent an individual from using false identifying information to obtain goods, services, or credit.

The FTC rule 16 C.F.R. Part 641 requires development of policies and procedures in association with debit cards and change of address requests to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card.

The FTC rule 16 C.F.R. Part 681.2 requires development of policies and procedures to verify when a notice of address discrepancy is received from a consumer reporting agency in response to a credit check.


The Red Flags Rule was primarily issued by the Federal Trade Commission (FTC) to help organizations detect, prevent, and mitigate identity theft in their daily operations. Red Flags are suspicious patterns or practices or specific activities that indicate the possibility that identity theft may occur. The University’s Identity Theft Prevention Program (ITPP), or Red Flags Rule Program, was approved by the University’s Board of Regents in 2009. All departments, colleges, and units that are involved with handling Personally Identifiable Information (PII) must comply with the University’s ITPP and develop reasonable processes and procedures to verify the identity of persons for whom services are being provided and to detect, prevent, and mitigate any instances of identity theft.

POLICIES, PROCEDURES AND APPLICABILITY – 15.91 – Identity Theft Protection

This policy applies to all university entities and employees, students, contractors, service providers, and volunteers who have access to Covered Account information.

Covered Account

For purposes of the Red Flags Identity Theft Prevention Program, a Covered Account includes the following:

  • An account that receives multiple payments or transactions, deferred payments, extensions of credit, loans, or which establishes a continuing relationship with an individual who has received services from the university (e.g., student accounts, tuition payment plans, patient accounts, accounts associated with student lending activity, debit cards for use at off-campus vendors).
  • Any other new or existing account that may pose a reasonably foreseeable risk to consumers or the institution from identity theft due to information retained and/or maintained by the institution. This includes single-transaction, one-time payment accounts or records that may be vulnerable to identity theft because of the information collected and retained, such as date of birth, copies of checks, credit card numbers, social security number, and other personal identifying information.

Identity Theft

Any use or attempt by an individual to use another person’s identifying information to obtain a thing of value to which the individual is not entitled, including, but not limited to, money, credit, goods, or services such as education or medical care.

Notice of Address Discrepancy

Notice from a consumer reporting agency indicating a substantial difference between the address provided by the employee or applicant and the address the consumer reporting agency has on file.

Personal Identifying Information – Refer to NMSU’s Administrative Rule and Procedure 15.91 – Identity Theft Protection for details

Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including:

  • name, social security number, date of birth, official state or government-issued driver license or identification number, alien registration number, government passport number, employer or taxpayer identification number
  • unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation
  • unique electronic identification number, address, or routing code
  • debit/credit card or any other access device including any card, plate, code, account number, electronic serial number, mobile identification number, personal identification number; other telecommunications service, equipment, or instrument identifier; or other means of account access that can be used, alone or in conjunction with another device to obtain money, goods, services, other items of value, or to initiate a transfer of funds.

Red Flag

A pattern, practice, or specific activity that indicates the possible existence of identity theft.

Service Provider

Contractor engaged by the university to perform an activity in connection with a Covered Account.


University Program Administrator – IT Compliance Officer and Chief Privacy Officer (CPO)

  • Implement the Red Flags Identity Theft Prevention Program.
  • Periodically evaluate the Program considering incidents of and attempts at identity theft, and update to reflect the current threat environment.
  • Take necessary corrective action if it is determined that a department is not adequately guarding against threats of identity theft.
  • Ascertain that service provider agreements are monitored so that, where applicable, such providers have adequate identity theft prevention programs in place.
  • Retain records relevant to the Program, including:
    • Red Flags Identity Theft Prevention Policy
    • documentation on instances of identity theft and attempted identity theft
  • Allow auditors and compliance officers access to the records.
  • Schedule periodic reviews of departmental Red Flags Rule Procedures.

Departmental Red Flags Rule Contact Person

  • Document the department’s Red Flags Rule Procedures.
  • Report incidents of identity theft by completing the Red Flags Incident Reporting form and submitting a copy to their supervisor and the University Program Administrator.
  • Report noncompliance with the Red Flags Rule Procedures to their supervisor, and if unresolved, to the University Program Administrator.
  • Maintain relevant records and make them available for review, including:
    • Red Flags Rule Procedures
    • documentation on training, including name, title, and date
    • documentation on instances of and attempts at identity theft
    • contracts with service providers that perform activities related to Covered Accounts
  • Annually review the departmental Red Flags Rule Procedures to identify new Covered Accounts, changes to existing Covered Accounts, and changes in procedures for detecting, mitigating, and preventing identity theft. Maintain documentation of the annual review.
  • Develop departmental awareness of the Red Flags Identity Theft Prevention Policy and appropriate responses to incidents of attempted identity theft.

Responsible Staff

  • Perform the day-to-day application of the Red Flags Rule Procedures to Covered Accounts by detecting and responding to red flags.
  • Notify their Red Flags Rule Contact Person, supervisor, or the University Program Administrator if they become aware of an incident of identity theft or a failure to comply with the Red Flags Rule Procedures.


The CPO is the individual responsible for the development and implementation of information security policies and procedures for NMSU, and is the primary contact to manage situations in which identity theft occurs or customer information is compromised. Anyone in the NMSU community can and should report a known or suspected violation of this program, security or University policy. Known or suspected violations should be reported to the CPO by phone at (575) 646-5902, or by email at  You can also report identity theft and get a recovery plan from the Federal Trade Commission by visiting

For more information contact:

Carlos S. Lobato, CPA
Chief Privacy Officer