Compliance with NPPI

 

Stevens Institute of Technology is responsible for compliance to a number of laws requiring the confidentiality of personal data.

The following are some laws requiring and pertaining to confidentiality of personal data:

  • Family Educational Rights and Privacy Act (FERPA) (educational records)
  • Gramm-Leach-Bliley Act (GLBA) (financial institution and customer data)
  • Health Insurance Portability and Accountability Act (HIPAA) (health information)
  • NJ Identity Theft legislation
  • Federal, state and private grants requiring confidentiality

A description of the above laws and additional Information Technology laws can be viewed on the IT Laws and Policiespage.

In order to protect the university and privacy of the university community it is important that the department

  • Prevent the storing of non-public private information locally
  • Encrypt electronic transmissions
  • Keep private information private
  • Follow best practices for desktops and telecommuting

Do you know of websites that accept SSN's through web forms that are NOT encrypted? If they are not encrypted, they are in public view.

NJ ID Theft Prevention Law states: 
13. a. No person, including any public or private entity, shall:
(1) Publicly post or publicly display an individual's Social Security number, or any four or more consecutive numbers taken from the individual's Social Security number;

IPS strongly suggests the management be advised to:
1. Remove the existing web site.
2. Determine if another unique identifier is really what should be collected, instead of SSN. 
3. Use secure http (https). Https is encrypted.
4. If a computer is used to collect, store and/or process SSN's, it needs more protection than what is defined by "baseline security". Our advice for "advanced security" would be to comply with the credit card (PCI) security standards. If any machines are compromised, there are reporting requirements which are mandatory.

 

Departments, exposures and consequences:

 

Area
Compromise
Exposures
Consequences
Proactive activities
FinancialComputer moved from an accountant's office to a student assistant's desk without having NPPI removed or security settings checked.SSN, Bank & Charge accountsUniversity integrity; individual identity theft; notification to those individuals whose NPPI was compromised; public relations; possible legal ramifications & fines.When equipment is recycled ensure that all sensitive data (NPPI and University data) has been wiped clean and the system rebuilt with appropriate security settings.
AcademicComputer with a non-supported version of Windows; no administrator password; and files containing uncrypted NPPI was compromised.Grades; transcript history; confidential accessability informationUniversity/department integrity; notification to those individuals whose NPPI was compromised.Keep all NPPI on secure server.
ResearchStolen laptop with unencrypted disclosures and sensitive research information stored.Personally identifiable information (medical/financial/personal for research purposes)Loss of funding; possible legal ramifications & fines; notification to those individuals whose NPPI was compromised.Store sensitive information (NPPI) on a secure server.