RRS_Series: Identity Theft Prevention

Activity
IV.05. FINANCE, ADMINISTRATION AND INFRASTRUCTURE/Public Safety
Series Name
Identity Theft Prevention
Series ID
405-10-810
Description

Document establishment and maintenance of procedures for the identification, prevention, and mitigation of possible instances of identity theft, also refered to as the "Red Flags Rule."

These records found in all media (paper, digital, or other) may include but are not limited to:

  • procedures for identifying red flags for new and existing covered accounts, detecting red flags, responding to any red flags detected;
  • determinations that the consumers whose personal information was subject to a breach of security are unlikely to suffer harm;
  • notifications from students, identity theft victims, law enforcement, or other party;
  • related documentation and correspondence, including e-mail.

 

 

Retention and Disposal Instructions

5 years, purge.

Exception: In the event of a subpoena, audit, legal hold, public records or similar state or federal information request, halt until further instructed any scheduled disposal activities, including purging or transferring material to University Archives.

Custodian
Finance and Administration: Vice President of Finance and Administration
Citations
2017 ORS 646A
Fair and Accurate Credit Transactions Act of 2003
Admin notes
"(7) Notwithstanding subsection (1) of this section, a person does not need to notify consumers of a breach of security if, after an appropriate investigation or after consultation with relevant federal, state or local law enforcement agencies, the person reasonably determines that the consumers whose personal information was subject to the breach of security are unlikely to suffer harm. The person must document the determination in writing and maintain the documentation for at least five years." https://www.oregonlegislature.gov/bills_laws/ors/ors646A.html

618. Jurisdiction of courts; limitation of actions ‘‘An action to enforce any liability created under this title may be brought in any appropriate United States district court,
without regard to the amount in controversy, or in any other court of competent jurisdiction, not later than the earlier of— ‘‘(1) 2 years after the date of discovery by the plaintiff of the violation that is the basis for such liability; or ‘‘(2) 5 years after the date on which the violation that is the basis for such liability occurs.’’ https://www.congress.gov/108/plaws/publ159/PLAW-108publ159.pdf