Nonpublic Personal Information (NPI) is any "personally identifiable financial information" that a financial institution collects about an individual in connection with providing a financial product or service. Unlike public records (like real estate tax assessments), NPI is private and protected by federal law, specifically the Gramm-Leach-Bliley Act (GLBA).
NPI is not just the data itself, but also the fact that an individual is a customer of a specific financial institution. If the information is derived from a private transaction or a non-public application, it is classified as NPI.
Examples of NPI
- Information on Applications: Social Security Numbers (SSN), income, and assets provided on an application for a loan or credit card.
- Transaction Data: Account balances, credit card purchase history, and payment records.
- Derived Information: Data obtained from a consumer report or through a "cookie" on a financial website.
- Listings: Any list or grouping of consumers that is created using NPI (e.g., a list of individuals who have defaulted on loans).
NPI vs. PII: What’s the Difference?
While the terms are often used interchangeably, they have distinct regulatory meanings:
- Personally Identifiable Information (PII): A broad term used across all industries (governed by various state laws and GDPR) to describe any data that can identify a person (email, name, address).
- NPI: A specific legal subset of PII defined by the GLBA. It specifically refers to financial data that is not public. If a name and address are associated with a bank account number, that entire record becomes NPI.
Industry Applications of NPI
While NPI is fundamentally a financial regulatory term, its protection is a critical requirement across multiple sectors:
- Finance (GLBA Compliance): This is the "home" of NPI. Financial institutions—including banks, lenders, and FinTechs—must protect NPI to comply with the Gramm-Leach-Bliley Act (GLBA). Examples include Social Security Numbers, credit scores, and loan application data. Failure to secure this data leads to heavy FTC fines and loss of consumer trust.
- Healthcare (The NPI/PHI Intersection): In healthcare, NPI specifically refers to the financial side of the patient relationship (billing details, insurance policy numbers, and payment history). While medical records are governed by HIPAA (as PHI), the underlying financial data is governed by the GLBA. Organizations must ensure their security posture covers both to avoid regulatory gaps.
- Defense (CUI & Personnel Security): For the Defense Industrial Base (DIB), NPI often manifests as Controlled Unclassified Information (CUI). This includes the financial records used for security clearance background checks, contractor payroll data, and non-public pricing for government bids. Protecting this NPI is essential for maintaining CMMC 2.0 certification and safeguarding national security interests.
FAQs: Nonpublic Personal Information (NPI)
Is NPI only relevant for banks?
No. Under the GLBA, "financial institutions" include any company significantly engaged in financial activities. This includes mortgage brokers, payday lenders, tax preparers, non-bank lenders, and even some auto dealers.
Does the FTC Safeguards Rule apply to NPI?
Yes. The FTC Safeguards Rule requires non-banking financial institutions to develop, implement, and maintain a comprehensive information security program to protect NPI. This includes requirements for encryption, Multi-Factor Authentication (MFA), and regular vulnerability scanning.
What is the "Publicly Available Information" exception?
Information is not NPI if a financial institution has a reasonable basis to believe it is lawfully made available to the general public from government records, widely distributed media, or disclosures required by law (e.g., a publicly recorded mortgage lien).
Can NPI be shared with third-party service providers?
Yes, but only under specific conditions. Financial institutions must provide customers with a Privacy Notice and, in many cases, an opt-out right. Additionally, they must ensure that third-party vendors have access controls and security measures in place that are at least as stringent as their own.
How does encryption satisfy NPI requirements?
Both the GLBA and the New York DFS (NYDFS) Cybersecurity Regulation mandate that NPI be protected; encryption at rest and encryption in transit are considered the primary safeguards. If NPI is encrypted and the keys are properly managed (such as through BYOK or Theodosiana's independent key management), the data is often considered "safe harbored" in the event of a physical theft of hardware.