PERSON OF THE WEEK: Devdatta Patil is the release manager for IndiSoft, a company that provides a range of software solutions for the mortgage servicing industry, including WipeOut, a secure data destruction application. Now that the security of personal data has become critical for mortgage servicers, MortgageOrb decided to interview Patil to learn more about how servicers can ensure that sensitive borrower data doesn't end up in the wrong hands.
Q: How is data effectively destroyed?
Patil: Every enterprise, whether large or small in size, has been storing various data elements for its business. The data could be confidential, sensitive and proprietary in nature. Once there is no longer a need for the data, it is important that it is destroyed or disposed of effectively. Though paper records can be easily shredded, electronic data requires proven tools and techniques to be completely destroyed. The ‘delete’ button on a computer or any device is not effective enough to destroy the data electronically. Wiping is one of the most effective techniques to destroy data.
Q: What can happen if data is not correctly wiped out?
Patil: As per the National Institute of Standards and Technology guidelines, overwriting or wiping is one of the ways to destroy electronic data. However, if the data is not correctly wiped, there are chances to recover the deleted data. The ‘delete’ button only flags the file for deletion; hence, the data must be overwritten and wiped completely for it to be destroyed permanently.
Q: What role does technology play in helping companies remain compliant when destroying data?
Patil: There are various regulations each business must comply with, including the Health Insurance Portability and Accountability Act, the Payment Card Industry Data Security Standard, the Gramm-Leach-Bliley Act and state regulation of the guide to Protecting the Confidentiality of Personally Identifiable Information.
More than 30 states have mandated that businesses destroy data effectively once the usage is over. Technology can play a major role by providing proven tools for data destruction so that businesses can protect their data by securely removing unwanted data on a regular basis.
Q: What steps can institutions take in ensuring their data is properly destroyed?
Patil: To comply with regulations and to protect business data, an institution can assign a compliance manager who will be responsible for data destruction at an institutional level; identify the type of electronic data an institution has; set or review data disposal and destruction policies; identify what type of data needs to be retained and what type of data needs to be destroyed on a regular basis; identify how data needs to be destroyed and the type of data destruction method needed; acquire a proven data destruction tool; implement a data destruction tool on every device; review the data destruction log on a regular basis to review the compliance level; and work with proven data destruction software companies in case there are any specific needs.
Q: In the future, how do you think institutions will approach data destruction?
Patil: These days, we hear news about data breaches very frequently. It is a known fact that, besides financial impacts, data breaches have a major negative impact on a brand. It is necessary for institutions to limit visibility to unwanted data by implementing a data destruction tool so that one of the risks regarding unwanted data is covered. As per Forrester Research, ‘Data disposal will gain attention and traction in the enterprise.’
It is important to protect an institution's data; hence, data destruction needs to be one of the security focus areas. As institutions have software to take care of network management, viruses, identity theft and other potential threats, there should be software implemented across institutions to ensure effective data destruction and disposal.
Q: Considering that a majority of mortgage lender and servicer data is now stored out in the cloud and not on the local network, do lenders and servicers need to be as concerned with destroying the data on their local computer hard drives? If so, please explain why.
Patil: Financial institutions, including mortgage lenders and mortgage servicers, have to comply with federal and state guidelines with respect to data disposal. Most often, data that is stored in the cloud is used through an application. However, while working with an application, documents are stored temporarily for viewing or verification purposes and are subsequently left on the local computer. This increases risk and it must be mitigated properly. Merely deleting those files is risky from a data exposure perspective, as deleted data can still be acquired. Financial institutions need to be mitigating this risk by having a plan to implement a secure data disposal tool at an enterprise level so that every device is compliant and secure.
Q: What's wrong with removing hard drives and smashing them with a hammer?
Patil: There is nothing wrong with removing hard drives and smashing them with a hammer. This can be done at the end of the life of an asset; but, what happens during the life of the asset? It is important that the device is protected all the time, including while it is in use and when usage is over. This way, data that resides on the hard drive will be protected.
Q: What about data that is held in solid state drives versus traditional hard drives? Can it also easily be wiped clean? Is it a different process?
Patil: Due to technology advancements, hard drives have been evolving, which ultimately poses a challenge for an institution looking to wipe existing data from various types of drives. Data can be easily wiped from a solid state drive as there are tools available that can wipe both types of storage. As long as an operating system and file system are installed on the device, thus identifying the storage device and allowing read/write, then it does not matter if it is a solid state drive or hard disk drive. Both types of drives can expose data, making it important to have the device wipe the data on a regular basis so that there is no data left on the storage media.
