September 29, 2022
What is NPI Data Privacy? And How Can it be Achieved?
Achieving NPI Data Privacy and GLBA Compliance
Protecting PII is only the tip of the data security iceberg for financial organizations. Financial transactions often include a great deal of personal information, as they must verify the identity of the purchasing party. The result is a volume of information that creates unique data security challenges in the financial service industry. Protecting nonpublic personal information (NPI) is one such challenge.
What is NPI?
NPI is a category of data defined by the Gramm-Leach Bliley Act (GLBA). GLBA compliance requirements specifically apply to financial services institutions. NPI is any personally identifiable financial information that is not publicly available.
Consumers provide NPI to financial institutions in interactions including transactions and the performance of financial services. Such information may include any of the following:
- Date of Birth
- Mother’s Maiden Name
- Phone Number
- Social Security Number
- Bank Account Number
- Credit Card Account Number
- Credit or Debit Card Purchase Records
NPI does not include publicly available information, so the data types above might not be covered by GLBA compliance after wide distribution through other records or media.
The Privacy Rule
The Privacy of Consumer Financial Information Rule (Privacy Rule) is at the core of NPI data privacy and GLBA compliance regulation. GLBA compliance is crucial for financial services organizations doing business in the United States. An organization’s core responsibilities under the Privacy Rule are to safeguard NPI and deliver privacy notices as appropriate.
The Federal Trade Commission (FTC) is responsible for monitoring financial services organizations and enforcing the Privacy Rule. Organizations that fail to maintain GLBA compliance can face significant consequences. Fortunately, the FTC provides thorough guidelines on safeguarding NPI to satisfy the Privacy Rule.
Consequences for NPI Data Privacy Violations
The most direct results of lapsed GLBA compliance are penalties and fines. Organizations can incur fines of $100,000 per violation. Officers and directors can incur fines of up to $10,000 per violation. In some cases, individuals may have licenses revoked and face criminal penalties of up to five years.
Consequences handed down by the FTC are only the beginning. Organizations and individuals may also suffer exposure to civil lawsuits and claims. Offending organizations may receive lousy press, suffer reputational damage, and lose customers. To avoid these consequences, organizations commit to data privacy in financial services .
Safeguarding NPI Under the GLBA’s Privacy Rule
The FTC provides abundant documentation on complying with the GLBA Privacy Rule. The organization even issued a separate rule specifically to address the requirements for safeguarding NPI. Published May 23, 2002, the Safeguards Rule defines its own purpose:
To set forth “standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.”
Navigating the entirety of the FTC’s documentation surrounding NPI data privacy is an arduous task, best suited for a team of attorneys and data privacy experts. At its simplest, the Privacy Rule requires financial services organizations to do two things:
- Develop policies and practices to keep NPI confidential and secure.
- Provide privacy notices to describe those policies and practices. “For example,” instructs the FTC, “if you restrict access to NPI to employees who need the information to provide products or services to your consumers or customers, say so.”
The Financial Privacy Rule is all about limiting disclosure of NPI, and making those limitations known.
Layers of NPI Data Privacy
NPI flows into financial services organizations from a variety of sources. As a result, financial data protection plans must be comprehensive and interconnected. There is even an element of physical security related to the storage and destruction of documents.
Managing document security is nothing new for financial organizations. GLBA compliance gets much more complicated when Big Data comes into play. When information is digital, just as when it’s physical, organizations have to control where data is stored and who has access.
Passwords, timeouts, and theft protection help control access at the computer level. Password protection, spam filters, and encryption can protect emails. Anti-virus solutions, firewalls, and data anonymization safeguard information online.
Building a Data Privacy Strategy for GLBA Compliance
The FTC’s Safeguards Rule requires financial institutions to implement data privacy measures to secure their customer information. But which specific data protection practices are best for any given situation?
The FTC gives some examples, such as data encryption, but also notes that organizations must “protect against any anticipated threats or hazards to the security or integrity of such information.” In other words, it falls on every organization to take proactive steps toward a comprehensive data privacy solution.
First, sensitive data discovery might help uncover hidden locations of NPI throughout the organization. Data discovery is the first step in a complete data protection plan. In fact, repeating this step often helps satisfy the FTC’s demand for periodic risk assessments.
Access Controls and Compliance Reporting
After identifying and classifying sensitive information, an organization must limit data access to what’s necessary. Monitoring database activity and controlling data subject access rights provides visibility into data utilization and threats. Near-real time reporting helps organizations stay compliant instead of getting compliant.
Keeping tabs on everything is easier with a unified platform instead of disparate solutions. The FTC is clear about the importance of integration: “You shall develop, implement, and maintain a comprehensive information security program.”
Data Privacy Technologies
With visibility established and a centralized platform in place, organizations can protect sensitive information in all states (at rest, in transit, and in use). Increasingly, financial services organizations turn to Privacy Enhancing Technologies (PETs) to get more from their data without compromising security or privacy.
Encryption, tokenization, and data masking protect sensitive information like NPI while keeping the data functional. This enables secure testing and analytics while limiting access to sensitive information. Privacy enhancing techniques like data masking minimize the risk of re-identification, even when data is in production environments or third-party analytics environments.
Financial services organizations that commit to NPI data privacy stay on the right side of the GLBA’s Financial Privacy Rule. Indeed, investing in holistic data protection keeps organizations compliant with all applicable data security and data privacy regulations. To see the difference a converged approach makes, contact Mage for a demo.