Regulations for NPI & PII

Regulations for the Protection of NPI and PII

To give a quick overview of the regulatory landscape, the relevant regulations that must be observed for the protection of NPI and PII are listed below. Compliance with these regulations is typically assessed during a regulatory examination, or after a security breach or compromise is reported.

Gramm-Leach-Bliley Act Data Protection Act of 1999 (GLBA) – Section 501(b) of GLBA requires financial services companies to protect the confidentiality and integrity of NPI and to ensure it is secure from unauthorized access. To do so, organizations must identify potential threats to their information and implement controls, which include policies, procedures and technologies. These technologies include monitoring and detection systems that record both actual and attempted access to NPI. Noncompliance with GLBA may result in:

  • civil monetary fines of varying amounts up to $1 million or more,
  • prison sentences of up to five years,
  • lower examination ratings and increased reporting requirements, and
  • enforcement actions, which can include board resolutions, memorandums of understanding, written agreements, and cease and desist orders.

The specific action is based upon the number of deficiencies, the risk profile, and whether or not violations have been encountered (for example, transmitting unencrypted information to third parties such as programmers, credit bureaus, loan processors, or other service providers).

Identity Theft and Assumption Deterrence Act of 1998 – This Act was created to address the growing problem of identity theft in the U.S., and it covers:

  • the fraudulent creation, use or transfer of identification documents, and
  • the theft and/or criminal use of the underlying personal information.

It applies to anyone who knowingly transfers or uses NPI or PII with the intent to commit, or to aid and abet, any unlawful activity. While identity theft can occur through a variety of means, unprotected electronic communications are a primary target. Therefore, electronic communications should be subject to content monitoring and filtering to lessen the potential for data leakage through these network channels. Violations of the Act are generally subject to a fine and/or imprisonment of up to 15 years. Specific actions are determined at the time the infraction is reported, or during a regulatory examination.

The USA Patriot Act – Section 314 of this regulation requires financial institutions to implement prudent steps to protect the confidentiality of NPI. Proactive monitoring and auditing of electronically transmitted information is required to alert organizations to unauthorized access, unauthorized sharing, or other compromises of protected information. The integrity and protection of NPI is imperative for the monitoring and investigation of money laundering and terrorist financing. Violations of this Act may be punished by fines of not more than 3 times the monetary equivalent of the thing of value, imprisonment of up to 15 years, or both.

Sarbanes-Oxley Act of 2002 (SOX) – Section 404 of SOX mandates that publicly traded companies implement and maintain internal controls for the protection of corporate financial information, and for the timely detection of unauthorized access, insider abuse and unauthorized sharing of that information. Organizations found in noncompliance are subject to substantial fines of up to $1 million and sentences of up to 10 years in prison.

NASD – The NASD has implemented various regulations and guidance on the use of electronic communications for transmitting NPI, PII, corporate confidential data, misleading or insider information, or inappropriate solicitations or guarantees. The NASD rules require the monitoring and review of content for all outgoing messages. Fines of varying amounts up to $1 million and sanctions may be assessed for noncompliance.

CA SB1386 and AB 1950, State Data Protection Laws – As of January 1, 2006, 23 states have passed data protection laws that require organizations which electronically collect and maintain NPI and PII to implement security controls and to protect the confidentiality of the information through various safeguards, including monitoring and reporting systems. A national law is under debate. If data is compromised, organizations must notify all affected customers. Failure to do so may result in lawsuits and regulatory penalties.

Basel II – Operational Risk – Basel II proposes a new capital adequacy framework for institutions that demonstrate proactive risk management strategies for operational risks. Risk management strategies are to include policies and practices for controlling and mitigating operational risks. The protection of information assets, which includes the monitoring and reporting of unauthorized access and sharing, will be necessary to comply with the requirements. The federal agencies are retaining current prompt corrective actions and capital requirements.

European Union Privacy Directive – Similar to the U.S. GLBA, the EU Privacy Directive addresses the protection and confidentiality of NPI. Its requirements closely mirror those of GLBA, requiring adequate measures to safeguard the information from unauthorized access and unauthorized sharing, whether the data is at rest or in transit. Entities found in noncompliance may be subject to fines and sanctions established by each EU Member State.

Payment Card Industry (PCI) Security Standards – PCI security requirements, issued by MasterCard and Visa, went into effect in July 2005. These standards apply to merchants and financial institutions that accept credit card transactions. All entities that accept credit cards must encrypt all transmissions of cardholder data and implement logging and monitoring, among other controls. Noncompliance can result in fines of up to $500,000 per incident if card data is compromised.