Clean Up Old Data or Suffer the Consequences

Mortgage information is a prime target for data thieves

By David Murray and Marcy Zeplin

This piece originally appeared in Scotsman Guide. Link here.

Think about all of the information required to process a mortgage: names, tax returns, pay stubs, bank statements. That information is a highly valuable target for identity thieves. And the risk isn’t just for borrowers.

Mortgage originators potentially could face fines and a loss of reputation if they allow old data to be vacuumed up by the wrong people. Imagine a mortgage company is considering an information technology project to eliminate data stored in systems. The data is no longer relevant, but since the company’s systems had not been built with automatic purge mechanisms, there is fear that if not done correctly, systems may malfunction.

Much analysis is needed, making it a costly project. A company executive remarks, “There’s no business value in this project. Why should we do this?”

What the executive is saying is there’s no business gain — no increase in revenue, reduction in cost, increase in operational efficiency, nor customer value in the project — just high cost and lost opportunity because the IT resources could be used elsewhere.

This is a logical business argument, but is this the entire story? Are there other factors to consider? Here is what should be added into the equation: data breaches, regulations and public/customer perception, along with the impacts those may have on your business.

Face the Risks

Data breaches are in the news every week. Boardrooms are feeling the pressure to be better protected. Politicians and regulators are deciding if the government should intervene. The more data you have that can be exposed, the greater the risk.

The Ponemon Institute’s 2017 Cost of a Data Breach Study puts the cost of a breach at $156 a record. For financial institutions, the cost is estimated at $245 a record. How many records do you have? How much would it cost if those records fell into the wrong hands? If you reduced that by 20 percent, what might your savings be?

Then there’s the concern over new regulations. Mortgage originators answer to many regulatory agencies. Most regulators now have some concern over protecting this data, what’s called personally identifiable information.

The New York Department of Financial Services cybersecurity regulation, which applies to any financial services company doing business in the state, provides guidance on data-retention rules. It suggests you must delete any nonpublic information no longer needed for business purposes.

The National Association Insurance Commission’s Insurance Data Security model law, recently adopted by South Carolina, imposes similar requirements on insurance companies. It is likely that in coming years many states will adopt similar laws setting guidance on data retention. This means that poor data hygiene could result in fines and penalties. Age and quantity of personally identifiable information will likely determine the size of any fine.

Culpability for Inaction

While data breaches have become more commonplace, actions leading up to the breach and how you respond do matter. Consider two different scenarios and how customers might respond after a breach.

In the first case, Company A has had a strong security posture and deleted unneeded personally identifiable information so the data breach involved only their current, active customers. The company responds timely, adequately and effectively demonstrates that they have routinely purged customer data no longer needed for business or compliance purposes. In today’s environment, they’ll likely be forgiven with negligible impact.

Our previous mindsets of keeping all the data because it might be useful or because it’s too hard to delete must be discarded.

Company B on the other hand has a good security posture but has not done a good job managing data. When they get breached, the data is not only for current customers, but customers from long ago. The size of the breach in terms of impacted consumers is larger by many times. The costs associated with notifications, credit monitoring, etc., increase dramatically.

A regulator may consider this as negligence and levy fines. Then there are the customers. Does the customer base lose faith in the business as not being well-managed and go elsewhere?

Department store retailer Target suffered considerably after a 2013 data breach when hackers stole credit and debit card information from about 40 million of its customers and other information affecting 70 million people.

Target saw a significant drop in customer traffic following the breach. Target did recover, but at a considerable cost. How would you personally feel if you lost a customer because of mishandling their sensitive information, especially with the influence of social media, which can be used to quickly spread this news?

Identify Business Need

So, what should you do? First, identify your data. Do you know exactly what data you have, its age, and where it is stored? After you have your inventory, then you need to develop a strategy for deciding what to keep and what to delete.

The first step should be to delete or trash any data that you know for a fact is no longer needed — and ask yourself if your client would expect you to retain anything other than contact information. Regulations like those adopted in New York indicate you should delete data you do not have a business need to keep.

It is possible many data elements may have long-term business value for maintaining a customer base, historical trending, cyclical analysis, etc. But what about personally identifiable information associated with those records? You should have a solid business need to keep this data, otherwise those elements should be deleted.

And you may want to differentiate your strategy for specific elements. Understanding relevant state privacy laws, and determining which elements pose greater risk if breached, are important factors in developing your strategy.

Once you have your strategy, it may be up to the IT team to evaluate the best approach in your environment. The complexity of your systems, data structures and policies may dictate what is possible. If you want to keep non-personally identifiable information while removing other elements, for example, it may be as simple as deleting some records, or perhaps overwriting those identifying elements with masking values.

Is your system data-efficient and has the data been stored in a single location, or is it distributed or stored redundantly in many places? Older systems often have this problem as data was distributed for better performance. Perhaps you’ll need to create a new format for the data you wish to keep.

Do you capture electronic images to reduce paper? An image of a mortgage loan package would be a high-value piece of data for an identity thief. Where are those images stored, and are they organized such that they can be deleted easily?

Paper? If you don’t image documents, are you storing paper somewhere? This is a different problem, but at least paper documents cannot be hacked from the internet.

Don’t Overlook Records

Once you’ve defined the approach within your systems, don’t ignore backups and archives. What’s your retention policy for backups? Do they expire in a short period of time, so you can allow the data to “roll off”?

If you have long-term archives of data, you may spend significant effort deleting data from archives. Perhaps it’s time to re-evaluate your archives policy. If you send backups and archives to offsite storage, don’t forget about that data.

Once you’ve addressed the data you no longer need for business purposes, then you may want to consider techniques to better protect the data you decide to keep. Database technologies now offer redaction capabilities to hide sensitive data from all but the most privileged users.

Tokenization is a technique to remove the actual data values from your environment, but allows you to get them back if or when you need them. Tokenization is basically value-level encryption. This technique would require an attacker to steal both your database and your encryption-key vault, which is itself encrypted. The technology is now becoming mainstream and is not extremely expensive.

Our previous mindsets of keeping all the data because it might be useful or because it’s too hard to delete must be discarded. The ever-increasing number of data breaches in the face of new regulations is changing the landscape in terms of risk associated with holding data.

The mortgage industry must evaluate its systems, data stored and retained, and make thoughtful efforts at reducing data risk. The costs of ignoring this problem could have a real impact on your business and bottom line. To maintain your reputation as a trusted partner, consider your daily data-management practices. Only keep what’s absolutely needed and safely discard the rest.