Know What’s Considered Non-public Personal Information and Where It’s Located in Your Company
December 19, 2013
The third pillar of ALTA’s Title Insurance and Settlement Company Best Practices encourages companies to adopt and maintain a written privacy and information security program to protect Non-public Personal Information (NPI) as required by local, state and federal law.
To comply with this pillar of the Best Practices, it’s important to understand what constitutes NPI and where it can be found in a company, including how information is collected, acquired, stored, transmitted and disposed of.
The Federal Trade Commission defines NPI as:
- any information an individual gives you to get a financial product or service (for example, name, address, income, Social Security number, or other information on an application);
- any information you get about an individual from a transaction involving your financial product(s) or service(s) (for example, the fact that an individual is your consumer or customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases); or
- any information you get about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report).
Examples of NPI include bank, loan payoff and credit card statements; insurance, retirement and tax information; Social Security numbers and dates of birth; and real estate/title related items, commission amounts and loan fees.
NPI does not include information that you have a reasonable basis to believe is lawfully made "publicly available." In other words, information is not NPI when you have taken steps to determine:
- that the information is generally made lawfully available to the public
- that the individual can direct that it not be made public and has not done so
There are many sources within a company where NPI can be found. Physical locations include paper-based files, the desktop or reception area, the closing table and the warehouse. With the widespread use of smartphones, companies should be cognizant of the documents visible at the closing table, according to Todd Hougaard of GreenFolders. If the closer steps out to get a cup of coffee, someone could use his or her smartphone and take a picture of the buyer’s loan application, he said.
Meanwhile, there are many electronic locations where NPI is housed. These include:
- Computers, network servers, email servers, instant messaging servers, fax servers, copy machines with internal hard drives or network storage devices, web servers, etc.
- Cloud storage (e.g., Google, Dropbox)
- Backup tapes; online backup services
- User-provided devices/media (e.g., employee smart phones, tablets, USB storage devices)
Additionally, NPI can be found in the possession of vendors a company may utilize. These include mobile notaries and closers, couriers, online backup services or off-site backup tape storage vendors, email service providers, and server and website hosts. Michael Volin of Title Resource Group said companies should take reasonable steps to select and retain service providers that are capable of appropriately safeguarding NPI. Volin said creating a list of all vendors can aid in this process.
For more information, go to ALTA’s Best Practices resource page.