And you may want to differentiate
your strategy for specific elements. Understanding relevant state privacy laws,
and determining which elements pose
greater risk if breached, are important
factors in developing your strategy.
Once you have your strategy, it may
be up to the IT team to evaluate the best
identifiable information while removing
other elements, for example, it may be
as simple as deleting some records, or
perhaps overwriting those identifying
elements with masking values.
Is your system data-efficient and has
the data been stored in a single location,
or is it distributed or stored redundantly
in many places? Older systems
often have this problem as data was
distributed for better performance.
Perhaps you’ll need to create a new format for the data you wish to keep.
Do you capture electronic images to
reduce paper? An image of a mortgage
loan package would be a high-value
piece of data for an identity thief.
Where are those images stored, and are
they organized such that they can be
Paper? If you don’t image documents,
are you storing paper somewhere? This
is a different problem, but at least paper
documents cannot be hacked from the
Don’t overlook records
Once you’ve defined the approach
within your systems, don’t ignore backups and archives. What’s your retention
policy for backups? Do they expire in a
short period of time, so you can allow
the data to “roll off”?
If you have long-term archives of data,
you may spend significant effort deleting data from archives. Perhaps it’s time
to re-evaluate your archives policy. If
you send backups and archives to offsite
storage, don’t forget about that data.
Once you’ve addressed the data you
no longer need for business purposes,
then you may want to consider techniques to better protect the data you
decide to keep. Database technologies
now offer redaction capabilities to hide
sensitive data from all but the most
Tokenization is a technique to remove the actual data values from your
environment, but allows you to get
them back if or when you need them.
Tokenization is basically value-level encryption. This technique would require
an attacker to steal both your database
and your encryption-key vault, which
is itself encrypted. The technology is
now becoming mainstream and is not
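
To make the tokenization point above concrete, here is an added example (not code from the article or from any product it refers to). It uses random surrogate tokens held in a separate vault store rather than encrypting each value, and it leaves out encryption of the vault itself; `TokenVault`, `build_loan_db`, the `loans` table and the sample records are all hypothetical.

```python
import secrets
import sqlite3

class TokenVault:
    """Maps random tokens to real values; kept in a store separate from the application database."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE vault (token TEXT PRIMARY KEY, value TEXT UNIQUE)")

    def tokenize(self, value):
        row = self.db.execute("SELECT token FROM vault WHERE value = ?", (value,)).fetchone()
        if row:  # the same value always maps to the same token, so joins still work
            return row[0]
        token = "tok_" + secrets.token_hex(8)  # random, not derived from the value
        self.db.execute("INSERT INTO vault VALUES (?, ?)", (token, value))
        return token

    def detokenize(self, token):
        row = self.db.execute("SELECT value FROM vault WHERE token = ?", (token,)).fetchone()
        if row is None:
            raise KeyError("unknown token")
        return row[0]

def build_loan_db(vault, borrowers):
    """Application database: stores tokens only, never the SSN itself."""
    app = sqlite3.connect(":memory:")
    app.execute("CREATE TABLE loans (loan_id INTEGER PRIMARY KEY, name TEXT, ssn_token TEXT)")
    for name, ssn in borrowers:
        app.execute("INSERT INTO loans (name, ssn_token) VALUES (?, ?)",
                    (name, vault.tokenize(ssn)))
    return app

def dump(app):
    """Full SQL dump of the application database, i.e. what a stolen copy would contain."""
    return "\n".join(app.iterdump())

# Constructed sample records (not real SSNs; area number 000 is never issued).
SAMPLE = [("A. Borrower", "000-12-3456"), ("B. Borrower", "000-65-4321"),
          ("A. Borrower", "000-12-3456")]

if __name__ == "__main__":
    vault = TokenVault()
    app = build_loan_db(vault, SAMPLE)
    print(dump(app))  # contains tok_... values only
    token = app.execute("SELECT ssn_token FROM loans WHERE loan_id = 1").fetchone()[0]
    print(vault.detokenize(token))  # the real value comes back only through the vault
```
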
Our previous mindsets of keeping all
the data because it might be useful or
because it’s too hard to delete must be
discarded. The ever-increasing number of
data breaches in the face of new regulations is changing the landscape in terms
of risk associated with holding data.
The mortgage industry must evaluate
its systems, data stored and retained,
and make thoughtful efforts at reducing
data risk. The costs of ignoring this problem could have a real impact on your
business and bottom line. To maintain
your reputation as a trusted partner,
consider your daily data-management
practices. Only keep what’s absolutely
needed and safely discard the rest.