Compliance with NPPI
Rutgers University is responsible for compliance with a number of laws requiring the confidentiality of personal data.
Laws requiring confidentiality of personal data include, but are not limited to:
- Family Educational Rights and Privacy Act (FERPA) (educational records)
- Gramm-Leach-Bliley Act (GLBA) (financial institution and customer data)
- Health Insurance Portability and Accountability Act (HIPAA) (health information)
- NJ Identity Theft legislation
- Federal, state and private grants requiring confidentiality
In order to protect the university and the privacy of the university community, it is important that the department:
- Prevent the storing of non-public private information locally.
- Encrypt electronic transmissions.
- Keep private information private.
- Follow best practices on the desktop and telecommuting.
Do you know of websites that accept SSNs through web forms that are NOT encrypted? If they are not encrypted, they are in public view.
NJ ID Theft Prevention Law states:
13. a. No person, including any public or private entity, shall:
(1) Publicly post or publicly display an individual's Social Security number, or any four or more consecutive numbers taken from the individual's Social Security number;
IPS strongly suggests the management be advised to:
1. Remove the existing web site.
2. Determine if another unique identifier is really what should be collected, instead of SSN.
3. Use secure HTTP (HTTPS). HTTPS is encrypted.
4. If a computer is used to collect, store and/or process SSNs, it needs more protection than what is defined by "baseline security". Our advice for "advanced security" would be to comply with the credit card (PCI) security guidelines. If any machines are compromised, there are mandatory reporting requirements.
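The quoted NJ rule prohibits displaying an individual's SSN or any four or more consecutive digits taken from it. As an added example (not Rutgers or IPS code), the following script scans a roster or grade list for full SSNs and for partial displays that still expose four or more consecutive SSN digits, reading the quoted rule literally; the SSNs and roster lines are constructed, and the function names are hypothetical.

```python
import re

# Full SSN in the common 3-2-4 layout (used to catch SSNs on rosters/grade lists).
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def exposed_ssn_runs(text, ssn, min_run=4):
    """Return runs of at least `min_run` consecutive SSN digits (in SSN order)
    that appear inside any digit group of `text`, longest first.
    Literal reading of the quoted rule: four or more consecutive numbers
    taken from the SSN count as public display."""
    digits = re.sub(r"\D", "", ssn)
    # Digit groups in the text, with separators such as '-' removed.
    groups = [re.sub(r"\D", "", g) for g in re.findall(r"\d[\d-]*\d|\d", text)]
    runs = set()
    for length in range(len(digits), min_run - 1, -1):
        for start in range(len(digits) - length + 1):
            frag = digits[start:start + length]
            if any(frag in g for g in groups):
                runs.add(frag)
    return sorted(runs, key=len, reverse=True)


def mask_ssn(ssn, keep_last=3):
    """Mask all but the last `keep_last` digits. keep_last=3 stays under the
    four-consecutive-digit threshold; the common 'last four' does not."""
    digits = re.sub(r"\D", "", ssn)
    masked = "X" * (len(digits) - keep_last) + digits[len(digits) - keep_last:]
    return f"{masked[:3]}-{masked[3:5]}-{masked[5:]}"


def audit_page(text, known_ssns):
    """Report full SSNs found in `text` and, for each known SSN, the longest
    exposed run of consecutive digits (keyed by a compliant masked form)."""
    findings = {"full_ssns": SSN_PATTERN.findall(text), "partial": {}}
    for ssn in known_ssns:
        runs = exposed_ssn_runs(text, ssn)
        if runs:
            findings["partial"][mask_ssn(ssn)] = runs[0]
    return findings


# Constructed sample roster and constructed (fake) SSNs for the demonstration.
ROSTER = """Name, ID, Grade
A. Student, 123-45-6789, B+
B. Student, XXX-XX-6789, A
C. Student, XXX-XX-X321, A-"""
KNOWN_SSNS = ["123-45-6789", "987-65-4321"]

if __name__ == "__main__":
    print(audit_page(ROSTER, KNOWN_SSNS))
```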
Identity Theft Compliance Policy (Rutgers)
PCI credit card guidelines
Online collection of SSN requires encryption
NJ Law prohibiting SSNs on rosters and grade lists
Departments, exposures and consequences:
| Area | Compromise | Exposures | Consequences | Proactive activities |
| --- | --- | --- | --- | --- |
| Financial | Computer moved from an accountant's office to a student assistant's desk without having NPPI removed or security settings checked. | SSN, bank and charge accounts | University integrity; individual identity theft; notification to those individuals whose NPPI was compromised; public relations; possible legal ramifications and fines. | When equipment is recycled, ensure that all sensitive data (NPPI and university data) has been wiped clean and the system rebuilt with appropriate security settings. |
| Medical | Server compromised as a result of out-of-date antivirus software and an administrative account without a password. | Confidential health information; health insurance identification numbers; medical history | Individual integrity; university integrity; possible legal ramifications and fines; notification to those individuals whose NPPI was compromised. | Keep operating systems and antivirus up to date, automatically if possible. Install firewall software. Make sure all accounts have complex passwords. Encrypt any files containing NPPI that your department decides to keep locally (on desktops). |
| Academic | Computer with a non-supported version of Windows, no administrator password, and files containing unencrypted NPPI was compromised. | Grades; transcript history; confidential accessibility information | University/department integrity; notification to those individuals whose NPPI was compromised. | Keep all NPPI on a secure server. |
| Research | Stolen laptop with unencrypted disclosures and sensitive research information stored on it. | Personally identifiable information (medical/financial/personal, collected for research purposes) | Loss of funding; possible legal ramifications and fines; notification to those individuals whose NPPI was compromised. | Store sensitive information (NPPI) on a secure server. |
Additional resources: