Do you handle sensitive data that is considered Personally Identifiable (“PII”) or non-public information (“NPI”)?  If you do, are they stored in the correct places?  If you are collaborating with others, are the data kept in secure and encrypted locations?  Are the files transferred using a secure method such as Kiteworks?

Please refer to the Data Classification and Secure Storage Policy for more information on approved storage and transmission methods.

In general, PII refers to any information that allows the identity of an individual to be indirectly or directly inferred.  The following are some examples of PII:

• Names
• Addresses
• Social Security numbers
• Telephone numbers
• Email addresses
• Purchase history
• Internet browsing history
• Fingerprints
• Combination of gender, race, birth dates, and/or geographic indicators

The Federal Trade Commission (“FTC”) defines NPI in the Gramm-Leach-Bliley Act.  According to the FTC, NPI includes any information that an individual provides to obtain a financial product or service, unless that information is otherwise “publicly available”. It can also include information obtained from a transaction or in connection with providing a financial product or service.

The following are some examples of NPI:

• Names
• Addresses
• Income information
• Social Security numbers
• Data submitted on an application
• Account numbers
• Payment history

If you have access to any PII or NPI data that are not secure according to the Data Classification and Secure Storage Policy, please reach out to Technology for assistance.