What is NPPI?
Non-public Personal Information (NPPI) is any data or information considered to be personal in nature and not subject to public availability.
Personal information includes, but is not limited to:
• Individual names
• Social Security numbers
• Credit or debit card numbers
• State identification card numbers
• Driver's license numbers
• Dates of birth
• Health records when the disclosure of the information in question would reasonably be considered to be harmful or an invasion of privacy
Since February 2005, over 60 of the 150 breaches disclosed below victimized nearly 55 million people whose personal information was compromised. A number of these involved higher education institutions. (Privacy Rights Clearinghouse)
The following are samples of recent breaches and ways they might have been prevented:
| Type of Institution | Type of Breach | Methods of prevention |
| --- | --- | --- |
| A State College | Stolen laptop containing names and Social Security numbers (NPPI) of students who registered for courses between the 1996 fall semester and the 2005 summer semester. 93,000 disclosed | Store NPPI on secure servers; |
| A University | Hacking. Personal information including names, birthdates and Social Security numbers (NPPI) of District seniors served by the Office on Aging. 41,000 disclosed | Scan systems regularly to identify and resolve vulnerabilities; Ensure antivirus and operating system patches are up to date; Enable firewalls; Encrypt NPPI files. |
| A State office | Hacker exploited security flaw to gain access to confidential information including Social Security numbers and bank-account details of state pensioners. 573,000 disclosed | Scan systems regularly to identify and resolve vulnerabilities; |
| A Medical School | Hackers accessed Social Security numbers, loan information, and other confidential financial information of students and alumni. 1,850 disclosed | Scan systems regularly to identify and resolve vulnerabilities; Ensure antivirus and operating system patches are up to date; Enable firewalls; Encrypt NPPI files. |
| Military Incident | Portable drive lost that contains personal information used for research on re-enlistment bonuses. 207,750 disclosed | Do not store NPPI on mobile or local machines; Password protect the machine; Encrypt files. |
| Software/online shopping | Hackers access credit card information of online shoppers through software vulnerability in web site's "shopping cart" feature. Suspicious transactions, most for $500 or $700, were pushed through the merchant accounts of at least three companies. 3,000 disclosed | Ensure the site is secure by checking to see that the URL reads https:// (note the 's') for security; Check credit card statements monthly. |
| A State University | In a computer-security breach at a major university, personal information on about 300,000 alumni and faculty and staff members was exposed for more than a year. Among the data left unsecured on a server were the names and addresses of donors to the university and their donation amounts. More than 137,000 Social Security numbers were exposed because of the break-in. In addition to the above, the FBI told the university that a server containing "e-mails and patent and intellectual property files" had been exposed. | Scan systems regularly to identify and resolve vulnerabilities; Ensure antivirus and operating system patches are up to date; Enable firewalls; Encrypt NPPI files. |
| A State office | Computer glitch sends state Employment Development Division 1099 tax forms containing Social Security numbers and income information to the wrong addresses, potentially exposing taxpayers to identity theft. 64,000 disclosed | Make IT security awareness imperative for staff; Ensure antivirus and operating system patches are up to date; Keep systems administrators aware of department activities. |