Recently, a real estate investor received a letter in the mail, notifying him that a financial company had sustained a data breach and that his information had been compromised. The data breach exposed hundreds of millions of sensitive digital records, many dating back nearly two decades.
It was only after rummaging through mortgage documents that the investor realized his connection to the hack. Nearly two decades before, the financial company had been used to perform a title search on a property he had acquired in New Jersey. This was the only tie between him and the victims of the cyberattack.
Like many people in his position, the investor wracked his brain thinking of how he could have kept his information safe and what he should do now that he’d been compromised. But there is another question that should be asked in this situation: Why did the hacked company still have his vital information nearly 20 years after the real estate deal closed?
The answer to this important question lies within the concepts of data collection, classification, retention and destruction. As everyone knows, data breaches have become part and parcel of modern life. This is why companies that collect and store information need a document security system. The difference between having a data classification, retention and destruction program and not having one could be the difference between losing eight or 800 million sensitive records.
All too often, information security relates to securing (or attempting to secure) data in transit, at rest or while in use. But cybersecurity and data-privacy professionals often fail to focus on the most fundamental question in both data security and privacy: whether there is a need to keep certain data at all. If the information and files are not needed, not used and not required to be maintained, then they no longer represent assets. Instead, they have become liabilities for everyone involved.
The information in question can become a major target for cybercriminals, as well as a costly problem to store, manage and monitor. To guard against the bad guys, companies that collect and store information (including commercial mortgage companies) need to begin by developing robust and enforceable policies and plans for document classification and data retention.
The first step in this process is to map a company’s data. Although some information officers interpret this to mean mapping networks, end points, software and other tools, this type of data mapping refers to determining what data is being collected by an organization (whether on paper, through an application, online, from vendors or suppliers, or elsewhere). Data mapping also answers the question of how the data is being collected (processing), who has access to the data (authorization), how these users handle it, and how the data is protected and secured.
If information officers don’t know what data they have, they can’t protect it, classify it or delete it when it’s no longer needed. Moreover, even if a mortgage company knows what data it has, it needs to know where the data is saved. This includes the locations for where data is supposed to go, as well as where the data may have gone inadvertently, as part of the job that it is meant to accomplish.
It’s also important to remember that email is not a data-storage medium, but it is treated as such. This means that documents — even critical and sensitive documents and data — can be found in the bodies of emails, or as attachments in emails, text messages, chats, etc., rather than simply on hard drives, subdirectories or other locations.
Once the important data and its location have been identified, the next step is to classify the information. There are many reasons for classifying data, including need and urgency. Data can be classified based on risk and reward (what would happen if…?) or by regulatory requirements. A mortgage company might want to classify data based on all of these criteria.
There are many ways to classify data, including at its most basic levels as public, nonpublic and confidential/secret. These categories, however, may be too simple. The same data may be confidential one day and public the next.
Similarly, there are many ways to automate the process of data classification. Some broad categories of information may be segregated, including tax records, human resources records or billing records. But a lot of what travels within an organization is a mixed bag of sensitive and nonsensitive data.
Some technologies such as data loss-prevention tools can identify certain types of data, including credit card numbers, social security information and more. No matter what tool is used, however, data classification is difficult and cumbersome.
The next step is to decide on retention schedules for different classes of data. These should be based on actual business needs and regulatory requirements.
These categories could include tax records, which need to be kept for up to seven years but are likely to be kept forever. Sales records are often kept for at least three years, although Nabisco may have a record of the first cracker it sold in its earliest iteration as the Pearson & Sons Bakery in 1792. It’s human nature to want to keep important information — and as a society we simply don’t like to throw anything out.
The goal is to develop realistic retention schedules for the information a mortgage company needs to keep while identifying the information that no longer serves a purpose. This task is more difficult than it may sound and requires coordination with various stakeholders, including business operations, legal, risk management, human resources and information technology, just to name a few.
If a mortgage company has sensitive documents — such as former clients’ social security numbers, bank information and tax records — that are no longer needed, they should be deleted and wiped from the company’s system. If a company has this type of sensitive information that may be needed in the future (but is not needed on a regular basis), then it should at least be stored or archived in an encrypted manner. The encrypted files should be stored securely on a different system or network. And information officers need to know how to access the encryption and recovery keys.
● ● ●
The problem with data archiving and retention is that it takes time, money, energy and resources — as well as a corporate commitment. It’s much easier to simply keep everything where it is. At least, it is easier until there is a breach of sensitive corporate records. Too often, it is only then that mortgage companies decide what they should do to secure the data they need and how to delete the data they don’t. And by then, it’s too late.