Non-Public Personal Information (NPPI)

29th December 2020 | Cybrary

Non-Public Personal Information (NPPI) is personal and private information that’s provided by a consumer to some entity for their use. This information includes the following examples:

Name, address, income, social security number, or job information
Information from transactions involving financial transactions including:
- Consumer account numbers, payment history, loan and deposit data, or debit card purchases
New privacy regulations enacted across many countries of the world, including the General Data Privacy Regulations in the European Union, have included the following within their definitions of NPPI:
- genetic markers
- physical characteristics
- marital status
- age
- ethnicity
- religious and political affiliations, as well as
- sexual orientation

To understand what could be considered NPPI, one simply needs to ask, what has a group of people been persecuted for in the past? The answer to that is what could and should be considered NPPI for the purposes of data protection and privacy.

As an SMB or MSP Owner, Should I be Concerned with NPPI?

Absolutely. Nearly all businesses collect and store NPPI on employees, 3rd parties, and end-users of their solutions. Know what NPPI data you collect, ensure there are safeguards in place within your business to protect it from unnecessary and unauthorized disclosure, and develop a privacy policy to publish on your website that describes the NPPI you collect, how it is used, how to request your NPPI from your company, how to request that your NPPI is deleted or not sold to 3rd parties, and when it is removed from use by your company. These are required measures under California’s Consumer Privacy Act (CCPA) as well as the EU’s General Data Privacy Regulations (GDPR). Countless other states are in the process of publishing their own regulations governing the use and handling of NPPI. Defining your processes will help you remain compliant and protect your brand, reputation, and professionalism.

Source: Cybercecurity.com, Identity Theft – Cybrary Term

Related Terms: Personal Identifiable Information (PII)

What does this mean for an SMB?

NPPI is something that businesses should be aware of. This type of information is categorized as ‘confidential’, meaning only specified parties are allowed to interact with the data. If this type of information isn’t taken care of properly in your business it can be detrimental in the event of an attack. Ensure that you have these cybersecurity measures in place so you and your SMB are prepared when the time comes:

Learn how to spot and avoid phishing attacks
- Train and test employees on phishing attacks
- Phishing emails have tell-tale signs you can use to quickly and confidently identify them and delete them before they take advantage of you. Ask yourself these questions before proceeding. Was the email:
  - Unexpected
  - From a strange email address
  - Generically addressed (Dear Ma’am, Dear Sir)
  - Contain spelling, grammar, and punctuation mistakes
  - Have strange-looking links where you can’t tell what website you’re going to (i.e.: bit.ly, TinyURL, Ow.ly)
  - Urging you to take critical immediate action of any kind
  - Contain an attachment you are compelled to open which may contain malware, or in this IRS Fraud case, seek to collect your Non-Public Personal Information (NPPI).
Adopt a Password Manager
- Password managers refuse to log you into a phishing attack website if you accidentally click on a phishing email.
- Password managers help you eliminate password reuse. A leading cause of account breaches where hackers reuse a stolen password from website A on website B.
- Password managers help you choose random, long passwords and eliminate typing them in when authenticating at websites, speeding up your shopping experiences