CSU Policy: Red Flags

Policy Title: Red Flags Category: Information Technology
Owner: Vice President for Information Technology Policy ID#: 4-1018-012
Division of Information Technology
Web: https://it.colostate.edu
Phone: 970-491-5133

Also Contact:
Office of General Counsel
Web: http://csusystem.edu/general-counsel
Phone: (970) 491-6270
Original Effective Date: 5/6/2009
Print Version: Click Here to Print


Colorado State University developed the Red Flags Fiscal Policy as an Identity Theft Prevention Program pursuant to the Federal Trade Commission's Red Flags Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003.


Identity Theft is a fraud committed or attempted using the identifying information of another person without authority.

A Red Flag is a pattern, practice, or specific activity that indicates the possible existence of Identity Theft.

A Covered Individual includes all individuals, students, faculty and staff, in CSU’s central administrative systems that are administered by the University who are subject to the provisions of this Program.

The Program Administrator is the individual designated with primary responsibility for oversight of the Program.

Sensitive Identifying Information includes any name or number that may be used, alone or I conjunction with any other personal information, to identify a specific person, including: name, e-mail address, U.S. postal address, social security number, date of birth, government issued driver’s license or identification number, alien registration number, government passport number, bank routing and account codes, and central computer account name and password.


This Program was developed with oversight and approval of the Board of Governors of the Colorado State University System. After consideration of the size and complexity of the University’s operations and account systems, and the nature and scope of the University’s activities, this Program is deemed appropriate for the University to comply with the requirements of the Act.

Under the Red Flags Rule, the University is required to establish an “Identity Theft Prevention Program” tailored to its size, complexity and the nature of its operation. Its Program must contain reasonable policies and procedures to:

  1. Identify relevant Red Flags for new and existing covered accounts and incorporate those Red Flags into the program;
  2. Detect Red Flags that have been incorporated into the Program;
  3. Respond appropriately to any Red Flags that are detected to prevent and mitigate Identity Theft; and
  4. Ensure the Program is updated periodically to reflect changes in risks to Covered Individuals of Identity Theft.

To identify relevant Red Flags, the University considered the types of accounts that it offers and maintains, methods it provides to open its accounts, methods it provides to access its accounts, and its previous experiences with Identity Theft. To ensure maximum protection to its users, and to simplify implementation, the University will treat any changes in the Sensitive Identifying Information on central IT systems of record to be treated as Red Flag.

Authority for this document is vested in the Program Administrator, who shall be responsible for this policy, publication of this policy, and interpretation of this policy.


On a nightly basis, the University will identify all changes to Sensitive Identifying Information with Red Flags. Each Red Flag will be communicated to the respective Covered Individual via an electronic mail message indicating the specific elements of their Sensitive Identifying Information that have been changed. The message will inform the Covered Individual that his/her Sensitive Identifying Information has been changed, and instruct them to contact appropriate University offices for further analysis and/or action if the Covered Individual did not make the change or believes the change may be a result of Identity Theft. Should the email address be one of the elements that has changed, the notification will be sent to both the old and new email address. University staff will work with Covered Individuals as necessary to investigate the circumstances surrounding the Red Flag and assist them with identifying appropriate remedial actions.

The Division of Information Technology shall be responsible for identifying changes to computer accounts and passwords and for identifying changes to all other Sensitive Identifying Information elements in central University databases. The Division of Information Technology shall be responsible for ensuring that emails are sent as described above.

The University Controller shall be the Program Administrator and shall ensure that the Program is reviewed annually. The Program Administrator shall also coordinate among participating departments to implement, refine and adjust the Program as appropriate in the best interests of the University and its users.


CSU Policy on Social Security Numbers



Print Version: Click Here to Print

csu ramhead logo

The CSU Policy Library is maintained by the University Policy Office