What is NPPI?

 

Non-public Personal Information (NPPI) is any data or information considered to be personal in nature and not subject to public availability.

Personal information includes, but is not limited to:

  • Individual names 
  • Dates of birth 
  • Social Security numbers 
  • Credit or debit card numbers 
  • State identification card numbers 
  • Driver's license numbers 
  • Health records

The Family Educational Rights and Privacy Act (FERPA) uses the term directory information for information that would "not generally be considered harmful or an invasion of privacy if disclosed." Directory information is nevertheless made up of a wide variety of data that can be harmful and be an invasion of privacy.

"Directory information includes, but is not limited to, the student's name; address; telephone listing; electronic mail address; photograph; date and place of birth; major field of study; grade level; enrollment status (e.g., undergraduate or graduate, full-time or part-time); dates of attendance; participation in officially recognized activities and sports; weight and height of members of athletic teams; degrees, honors, and awards received; and the most recent educational agency or institution attended."

The following are samples of breaches provided by Privacy Rights Clearinghouse and ways they might have been prevented:

 

| Type of Institution | Type of Breach | Methods of prevention |
| --- | --- | --- |
| A State College | Laptop stolen containing names and Social Security numbers (NPPI) of students who registered for courses between the 1996 fall semester and the 2005 summer semester. 93,000 disclosed | Store NPPI on secure servers; Do not store NPPI on mobile or local machines; Password protect the machine; Encrypt files. |
| A University | Hacker accessed personal information including names, birthdates and Social Security numbers (NPPI) of District seniors served by the Office on Aging. 41,000 disclosed | Scan systems regularly to identify and resolve vulnerabilities; Ensure antivirus and operating system patches are up to date; Enable firewalls; Encrypt NPPI files. |
| A State Office | Hacker exploited security flaw to gain access to confidential information including Social Security numbers and bank-account details of state pensioners. 573,000 disclosed | Scan systems regularly to identify and resolve vulnerabilities; Ensure antivirus and operating system patches are up to date; Enable firewalls; Encrypt NPPI files. |
| A Medical School | Hackers accessed Social Security numbers, loan information, and other confidential financial information of students and alumni. 1,850 disclosed | Scan systems regularly to identify and resolve vulnerabilities; Ensure antivirus and operating system patches are up to date; Enable firewalls; Encrypt NPPI files. |
| Military Incident | Portable drive lost that contained personal information used for research on re-enlistment bonuses. 207,750 disclosed | Do not store NPPI on mobile or local machines; Password protect the machine; Encrypt files. |
| Software/online shopping | Hackers accessed credit card information of online shoppers through software vulnerability in web site's "shopping cart" feature. Suspicious transactions, most for $500 or $700, were pushed through the merchant accounts of at least three companies. 3,000 disclosed | Ensure the site is secure by checking to see that the URL reads https:// (note the 's') for security; Check credit card statements monthly. |
| A State University | In a computer-security breach at a major university, personal information on about 300,000 alumni and faculty and staff members was exposed for more than a year. Among the data left unsecured on a server were the names and addresses of donors to the university and their donation amounts. More than 137,000 Social Security numbers were exposed because of the break-in. In addition to the above, the FBI told the university that a server containing "e-mails and patent and intellectual property files" had been exposed. | Scan systems regularly to identify and resolve vulnerabilities; Ensure antivirus and operating system patches are up to date; Enable firewalls; Encrypt NPPI files. |
| A State Office | Computer glitch sends state Employment Development Division 1099 tax forms containing Social Security numbers and income information to the wrong addresses, potentially exposing taxpayers to identity theft. 64,000 disclosed | Make IT security awareness imperative for staff; Ensure antivirus and operating system patches are up to date; Keep systems administrators aware of department activities. |