Ever wonder what, exactly, constitutes non-public personal information?  

“Non-public personal information,” or NPI, is industry shorthand for the information a company must protect and keep private.  

NPI often comes up in the context of explaining why we can’t do something. We can’t post that client video in the lobby because that’s NPI. I can’t download my bank’s entire database onto Google Docs to make it easier to work while on vacation in Moscow visiting my old friend Pladimir Vutin because it includes NPI. So frustrating!  

But more seriously, if you are going to push back against what you interpret as unnecessary and bureaucratic data security limitations, you’ll need to start with a clear understanding of what exactly counts as NPI.  

Data security is becoming an increasingly complex area of the law, but you can boil it down to one sentence: A company must take reasonable efforts to protect the NPI of its consumers. We can argue all day over what efforts are reasonable and probably even take some calculated risks, but no matter what, an intelligent discussion about our options must still be based on a clear understanding of NPI. 

Know Your Definitions 

The Gramm-Leach-Bliley Act (GLBA or Reg. P) is the primary source of law on consumer privacy and data security requirements for the financial services industry. Therefore, GLBA’s definition of NPI is the most important to understand: “Personally identifiable financial information; and any list … of consumers that is derived using any personally identifiable financial information that is not publicly available.”  

Financial information includes any information that a consumer provides to obtain a financial product or service, that “results from” such a transaction, or that the institution obtains “in connection with” that transaction. This is a very broad definition and basically includes everything from the consumer’s application information to the mere fact they are a customer of the financial institution.    

Information that is publicly available is not NPI. However, in practice, it is difficult to classify information as publicly available under GLBA. Except for official government records, most social media and similar accounts will not qualify as publicly available for these purposes.   

Let’s look at some real-life examples to see how this definition applies in practice. For all of these examples, remember that, just because something contains NPI, that doesn’t mean transfer is prohibited. It might just require transfer or sharing in compliance with certain data security requirements, like secure e-mail.  

Mortgage loan officer sends list of borrowers to real estate agent.
Yes, this includes NPI. The mere fact that a person has applied with a lender, alone, constitutes NPI. 

To identify consumers planning home improvement projects, a builder tries to buy a list of a bank’s consumers who have applied for home improvement loans.
Yes, this includes NPI. NPI extends to any list that is derived, even in part, from NPI.  

Real estate agent sends list of customers to mortgage loan officer.
No, this does not include NPI. A real estate agent is not a financial institution and does not engage in financial transactions. Therefore, the fact that a consumer is a customer of the real estate agent does not constitute NPI. However, this same information may become NPI if it is combined with other information later. 

Bank’s branch manager posts public social media message thanking customer for taking out a student loan.
Yes, this includes NPI. Among other things, the fact that the borrower is intending to go to college is information that the borrower submitted as part of an application, and not publicly available. (Just imagine if the branch manager shared bad news: “So sorry that this great family wasn’t qualified to take out student loans. Fingers crossed on getting a scholarship!”) 

Bank’s business development officer keeps basic customer information in CRM system, e.g., Joe Smith, birthday 7/2/79, 2 kids, spoke about HELOC on 4/18/19 at library.
Mixed. Some of these records will include NPI, some will not. If this business development officer reads a story in the local paper about a birthday celebration for the town’s police chief so as to send a birthday card from the bank next year, that information is not arising in the context of a financial transaction and is not NPI. On the other hand, if the business development officer holds a financial education seminar at the library and keeps a list of people who sign up to receive more information about the bank’s products and services, then that information is NPI.  

Overall, it’s very likely that any CRM system used by a financial institution will include some NPI. When there is a mixture like this, with some records including NPI and some not, an institution has to just treat the whole list as if it had NPI, except when transferring specific pieces. While hypothetically possible, there’s really no practical way to separate the NPI from the non-NPI and no real reason to do so. 

Ben Giumarra is the director of legal and regulatory affairs at Embrace Home Loans. He may be reached at bgiumarra@embracehomeloans.com.  

What, Exactly, Is NPI?

by Banker & Tradesman