SP 6-20a – Personally Identifiable Information Security Program

Colorado Community College System / System Procedure


SP 6-20a

APPROVED: May 16, 2018
EFFECTIVE: May 16, 2018
REVISED: February 8, 2023
RETITLED: February 8, 2023
RENUMBERED: February 8, 2023

REFERENCE(S): Board Policy (BP) 6-20, Personally Identifiable Information Security Program

APPROVED:

/ Joseph A. Garcia /
Joseph A. Garcia, Chancellor

SCOPE

This procedure applies to all CCCS employees who have access to personally identifiable information maintained or transmitted by CCCS.

PURPOSE

The System recognizes the importance of complying with federal and state laws that require the System to implement and maintain a program to safeguard personally identifiable information, including, but not limited to, student education records, student financial information, and protected health information, as those terms are defined herein.

DEFINITIONS

“Identity Theft” is a fraud committed using the personally identifying information of another person or an attempt to use the personally identifying information of another person without authority.

“Personally Identifiable Information (PII)” means information maintained or transmitted by CCCS that can be used to locate or identify an individual, and the unauthorized disclosure of which may lead to identity theft or other fraudulent use of the information, resulting in substantial harm, embarrassment, or inconvenience to the individual. PII includes protected health information, student education records, student financial information, and other personal information of students, employees or others, including, but not limited to, name, address, phone number, email, date of birth, identification number (e.g., Student number or S number), social security number, financial account number, biometric data, user name, password, etc.

“Protected Health Information (PHI)” means information in a medical record that can be used to identify an individual, and that was created, used, or disclosed by a Covered Entity, as that term is defined by the Health Insurance Portability and Accountability Act (HIPAA), in the course of providing a health care service, such as diagnosis or treatment. PHI is applicable to Colleges that operate health or dental hygiene clinics.

“Student Education Records” are records, files, documents, and other materials which contain information directly related to a student and are maintained by CCCS, unless subject to an exception as outlined in the Family Educational Rights and Privacy Act (FERPA). Student education records include grades, transcripts, disciplinary records, financial aid awards, etc.

“Student Financial Information” means any customer data as defined in the Gramm-Leach-Bliley Act (GLB) and includes any record containing nonpublic personal information about a student that is collected or maintained in connection with offering a financial product or service to the student. Offering a financial product or service includes offering student loans, receiving income tax information from a student’s parent when offering a financial aid package, and other miscellaneous financial services. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories, and social security numbers, or other personally identifiable information or sensitive student data, in both paper and electronic format.

“Security Breach” means any unauthorized disclosure, unauthorized access, misuse, alteration, destruction, or other compromise of PII.

PROCEDURE

This Personally Identifiable Information Security Program implements reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of PII.

The Program is designed to ensure the security and confidentiality of PII, protect against any anticipated threats to the integrity of such information, and protect against unwarranted, unlawful, or unauthorized disclosure, misuse, alteration, or compromise of such information.

  1. Designation of a PII Security Program Coordinator: The Chancellor designates the System Chief Technology Officer/Deputy Chief Information Officer as the System Office PII Coordinator to coordinate the protection of PII. The Chancellor delegates to each College President responsibility for compliance with this procedure at that College, including designation of a College PII Coordinator. The System Office PII Coordinator will coordinate the protection of PII with applicable CCCS personnel, including the System Financial Aid Director, the System Chief Human Resources Officer, the System Director of Student Affairs, the System Senior Network Security Administrator, the System Controller, and each College PII Coordinator, College IT Director, and College Financial Aid Officer designated by each College President. They will work together to assist the System Office and Colleges in identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of PII; to evaluate the effectiveness of the current safeguards for controlling these risks; to design and implement a safeguards program; and to regularly monitor and test the program. The System Office PII Coordinator will evaluate the program periodically to make appropriate adjustments and send reminders to the Colleges.
  2. Risk Assessment and Safeguards: The System Office PII Coordinator will identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of PII that could result in the unauthorized disclosure, misuse, alteration, destruction, or compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.
    The System Office PII Coordinator will work with all relevant areas of the System to identify potential and actual risks to security and privacy of the IT systems that contain PII.
    The System Office PII Coordinator will ensure the College PII Coordinator(s) have procedures concerning the physical security of all central systems that contain or have access to PII and the network that is utilized to access the systems, and will conduct a survey of other physical security risks, including the storage of covered paper records in non-secure environments, document retention policies, and other procedures that may expose the System to risks.
    The System Office PII Coordinator has developed written plans and procedures to detect any actual or attempted attacks on covered systems across CCCS, and has developed incident response procedures for actual or attempted unauthorized access to PII.
    The System Office PII Coordinator will periodically review the System disaster recovery program for critical systems.
  3. Employee Training: The System Office PII Coordinator will implement training and education programs on applicable laws and this Program for all employees who have access to PII. Employees are subject to all applicable Board Policies, System Procedures, and other rules which govern confidential data, passwords, and basic computer security procedures. Functional areas, such as Financial Aid, Registrar, and Student Accounts Receivable, may need to develop more specific detailed training or business processes to ensure the confidentiality of PII.
  4. Oversight of Service Providers and Contracts: Applicable laws require the System to take reasonable steps to select and retain service providers who maintain appropriate safeguards for certain PII. The System has developed contract language to ensure that all contracts that involve these types of PII include appropriate privacy clauses in compliance with applicable laws.
  5. Identity Theft Detection and Prevention Program: The System Office PII Coordinator and each College PII Coordinator shall be responsible for administering a program to detect, prevent, and mitigate identity theft in accordance with this procedure. This program specifically applies to Covered Accounts under the Fair and Accurate Credit Transaction Act (FACTA) Red Flags Rule. Covered Accounts are accounts used mostly for personal, family, or household purposes, and that involve multiple payments or transactions. Covered Accounts are also accounts for which there are foreseeable risks of identity theft (e.g., deferred payment plans, loan accounts, student accounts, and stored value cards).
  6. Identification of Red Flags: A red flag is a pattern, practice, or specific activity that indicates the possible existence of identity theft. CCCS has considered the types of accounts, method of opening an account, method of accessing an account, and prior experience with identity theft, and has identified the following red flags:
    • Suspicious Documents – Identification documents that appear to be forged, altered, inauthentic, or the photograph/description is inconsistent with the person presenting the document; other documents with information that is inconsistent with existing PII; or an application that appears to have been altered or forged.
    • Suspicious PII – PII presented that is inconsistent with other information provided or other existing sources of information (e.g., different dates of birth or addresses); PII presented that is the same as other fraudulent documents; fictitious identifying information (e.g., invalid phone number); social security numbers, addresses, or phone numbers that are duplicative of ones given to CCCS by another person; or applications that leave PII sections blank.
    • Suspicious Account Activity – Change of address followed by a request for name change; payments stop on an otherwise up-to-date account; account use that is inconsistent with prior use; mail returned as undeliverable; notice from an account holder that they are not receiving notices from CCCS; notice of unauthorized activity on an account; a breach in computer system security; or unauthorized access/use of account information.
    • Alerts from Others – Notice from a student, employee, identity theft victim, law enforcement, or other person that CCCS has opened or is maintaining a fraudulent account for a person engaged in identity theft.
  7. Detecting Red Flags: CCCS will take the following steps to verify the identity of a person opening an account:
    • Student Enrollment – Require PII, such as name, date of birth, academic records, home address, or other identification on the College application; and CCCS may also verify the student’s identity at the time of issuance of a student identification card (e.g., by reviewing a government-issued photo identification or using an alternative identity verification).
    • Existing Accounts – Verify the identification of account holders who request information from CCCS about sensitive or restricted data; verify the validity of requests to change billing addresses by mail or email; provide reasonable means of reporting incorrect billing address changes; and verify changes in banking information given for billing and payment purposes.
    • Consumer Reports Requests – When background reports are sought for employment, volunteer, or financial aid purposes, social security number discrepancies may trigger verification of the validity of the social security number and/or verification that the consumer report pertains to the correct person.
  8. Preventing and Mitigating Identity Theft: When CCCS detects a red flag, depending on the level of risk posed, CCCS will monitor the account for evidence of identity theft; contact the person for whom a consumer report was obtained; change any passwords or other security devices that permit access to the account; close the account; reopen a new account with a different number; provide a student or employee with a new identification number; notify the System Office PII Coordinator and/or College PII Coordinator; notify law enforcement; or determine that no response is warranted.
  9. Gramm-Leach-Bliley Requirements: CCCS must perform a risk assessment, and document a safeguard for each identified risk, that addresses three areas:
    • Employee training and management;
    • Information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and
    • Detecting, preventing, and responding to attacks, intrusions, or other systems failures.
  10. Evaluation and Revision of the PII Security Program: This PII Security Program is subject to periodic review and adjustment. Processes such as data access procedures and the training program will undergo regular review by the System Office PII Coordinator, in consultation with the College PII Coordinators.
  11. Notice of Security Breach: Colleges shall notify the System Office of any security breach of PII pursuant to the requirements of applicable laws and contracts (including the Federal Student Aid Program Participation Agreement and the Student Aid Internet Gateway Agreement). Actual and suspected data breaches can be reported using the “Security Incident Reporting Form” attached to this procedure as Appendix A. The System Office will work with appropriate College personnel to evaluate next steps including notification to the U.S. Department of Education on the day a GLB data breach is detected or suspected, and other required internal and external notices, if applicable.
  12. Record Retention: PII will be disposed of in accordance with applicable laws.
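As an added example (not part of SP 6-20a and not code from any CCCS system), the following Python screening routine shows how several of the red flags listed in items 6 and 7 can be checked mechanically over account records and account events: an SSN or phone number duplicated across what appear to be different people, implausible (fictitious) phone numbers or SSNs, a change of address followed by a name-change request, and mail returned as undeliverable. The record layout, field names, the 30-day window, and all sample data are assumptions constructed for the illustration; a real College would run the same logic against its student information system and route hits to the College PII Coordinator for the item 8 response.

```python
# Red-flag screening sketch (added example; layout, window and sample data are assumptions).
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    account_id: str
    name: str
    dob: str        # ISO date string as stored
    ssn: str        # compared after stripping punctuation
    phone: str
    address: str


@dataclass
class Event:
    account_id: str
    when: date
    kind: str       # "address_change" | "name_change_request" | "mail_returned"


@dataclass(frozen=True)
class RedFlag:
    account_id: str
    category: str   # uses the headings from item 6
    detail: str


def normalize_digits(value: str) -> str:
    return re.sub(r"\D", "", value)


def is_plausible_phone(phone: str) -> bool:
    """Cheap NANP sanity check: 10 digits, not all identical, area code and exchange not starting 0/1."""
    d = normalize_digits(phone)
    if len(d) == 11 and d.startswith("1"):
        d = d[1:]
    if len(d) != 10 or len(set(d)) == 1:
        return False
    return d[0] not in "01" and d[3] not in "01"


def is_plausible_ssn(ssn: str) -> bool:
    """SSA never issues area 000/666/9xx, group 00 or serial 0000."""
    d = normalize_digits(ssn)
    if len(d) != 9:
        return False
    area, group, serial = d[:3], d[3:5], d[5:]
    return area not in ("000", "666") and not area.startswith("9") and group != "00" and serial != "0000"


def duplicate_identifier_flags(accounts):
    """Item 6 'Suspicious PII': SSN or phone number shared by accounts that look like different people.
    Addresses are deliberately not checked here: household members legitimately share them."""
    flags = []
    for label, key in (("SSN", lambda a: normalize_digits(a.ssn)),
                       ("phone", lambda a: normalize_digits(a.phone))):
        by_value = defaultdict(list)
        for a in accounts:
            by_value[key(a)].append(a)
        for group in by_value.values():
            people = {(a.name.lower(), a.dob) for a in group}
            if len(people) > 1:  # same identifier, different identities
                for a in group:
                    flags.append(RedFlag(a.account_id, "Suspicious PII",
                                         f"{label} shared with {len(group) - 1} other account(s)"))
    return flags


def fictitious_data_flags(accounts):
    """Item 6 'Suspicious PII': fictitious identifying information."""
    flags = []
    for a in accounts:
        if not is_plausible_phone(a.phone):
            flags.append(RedFlag(a.account_id, "Suspicious PII", f"implausible phone number {a.phone!r}"))
        if not is_plausible_ssn(a.ssn):
            flags.append(RedFlag(a.account_id, "Suspicious PII", "implausible SSN"))  # never echo the SSN
    return flags


def account_activity_flags(events, window_days=30):
    """Item 6 'Suspicious Account Activity': address change then name-change request; returned mail."""
    flags = []
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account_id].append(e)
    for acct, evs in by_account.items():
        evs.sort(key=lambda e: e.when)
        for i, e in enumerate(evs):
            if e.kind != "address_change":
                continue
            for later in evs[i + 1:]:
                if later.kind == "name_change_request" and (later.when - e.when).days <= window_days:
                    flags.append(RedFlag(acct, "Suspicious Account Activity",
                                         f"address change on {e.when} followed by name change request on {later.when}"))
                    break
        if any(e.kind == "mail_returned" for e in evs):
            flags.append(RedFlag(acct, "Suspicious Account Activity", "mail returned as undeliverable"))
    return flags


def screen(accounts, events):
    flags = duplicate_identifier_flags(accounts) + fictitious_data_flags(accounts) + account_activity_flags(events)
    return sorted(set(flags), key=lambda f: (f.account_id, f.category, f.detail))


# Constructed sample data (fictional people, 555 phone numbers, made-up identifiers).
SAMPLE_ACCOUNTS = [
    Account("S0001", "Ana Ruiz", "1999-04-02", "123-45-6789", "(303) 555-0142", "12 Pine St, Denver CO"),
    Account("S0002", "Ben Ortiz", "2001-11-17", "123456789", "720-555-0199", "88 Elm Ave, Aurora CO"),  # same SSN, different person
    Account("S0003", "Chloe Park", "2000-07-23", "456-78-9012", "000-000-0000", "5 Oak Ct, Boulder CO"),  # fictitious phone
    Account("S0004", "Ana Ruiz", "1999-04-02", "123-45-6789", "303-555-0142", "12 Pine St, Denver CO"),  # same person as S0001
    Account("S0005", "Dev Shah", "1998-02-09", "000-12-3456", "303-555-0117", "9 Birch Ln, Lakewood CO"),  # unissued SSN area
]
SAMPLE_EVENTS = [
    Event("S0003", date(2023, 1, 10), "address_change"),
    Event("S0003", date(2023, 1, 25), "name_change_request"),  # 15 days later: flagged
    Event("S0002", date(2023, 1, 5), "address_change"),
    Event("S0002", date(2023, 2, 28), "name_change_request"),  # 54 days later: outside the window
    Event("S0001", date(2023, 2, 14), "mail_returned"),
]

if __name__ == "__main__":
    for flag in screen(SAMPLE_ACCOUNTS, SAMPLE_EVENTS):
        print(f"{flag.account_id}  {flag.category}: {flag.detail}")
```

Note that the duplicate check keys on identity (name plus date of birth), so the phone number shared by S0001 and S0004, which appear to be the same person holding two accounts, is not reported, while the SSN shared with S0002 is reported on all three accounts. Output deliberately never prints the SSN itself, since the screening report is itself PII under this procedure.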

REVISING THIS PROCEDURE

CCCS reserves the right to change any provision or requirement of this procedure at any time and the changes shall become effective immediately.

APPENDIX A

PII Program – Security Incident Reporting Form

Pursuant to System Procedure (SP) 6-20a, this Form is to be used to make a report to the System Office of a detected or suspected security breach or unauthorized disclosure of Personally Identifiable Information (PII). This Form should not be used as a substitute for directly contacting appropriate System Office and College personnel in emergency security situations that require immediate action or attention.

SP 6-20a SECURITY INCIDENT REPORTING FORM:

As soon as possible following detection of the breach, please provide a copy of this Security Incident Reporting Form to your College PII Coordinator and System Office at DataSecurityReport@cccs.edu. System Office personnel will follow up for consultation on next steps.