If some of the largest insurance companies in America struggle to keep sensitive data safe from hackers and other thieves, what is the trustee of a 3,000-life health plan supposed to do to protect plan participant information?

Wyatt J. Holliday, CEBS, and David J. Fournier, lawyers from Shumaker, Loop & Kendrick, LLP, pose that question in their article in the August Benefits Magazine, “What Fiduciaries Need to Ask Service Providers About Cybersecurity.”

Their answers are especially timely in light of Department of Labor (DOL) concerns. How funds are protecting participants’ personal information has emerged as an issue of concern for the DOL, according to Ian Dingwall, chief accountant for DOL’s Employee Benefits Security Administration (EBSA).

Service provider agreements are among a number of cyberliability issues EBSA staffers are asking funds about, Dingwall said. Plan fiduciaries must know that their service providers are taking precautions, just as the plan is, to be sure systems are safe and secure, backed up and tested.

Holliday and Fournier note that a trustee doesn’t need to be an expert in electronic data security. But he or she does need to know to ask the right questions to determine how a service provider is:

  • Managing electronic data, both when it’s in flight (being manipulated or being moved from one system to another, such as in an e-mail) and at rest (sitting in storage, waiting to be summoned up from the server)
  • Securing the physical hardware storing the data, including the facility where data is stored, printers and portable hardware like laptops, tablets and smartphones
  • Managing the people who interact with data. They point out that “all the encryption and security protocols in the world cannot overcome the ‘human’ factor” and, unlike computers, people often do the opposite of what they’re told.

The authors suggest a series of questions in each of those areas—questions about encryption, HIPAA compliance, disaster recovery provisions, storage and disposal of printed data, security training of personnel and guidelines on passwords, among other things.

In what they call “a brave new world of potential potholes” for benefit plan fiduciaries, plan sponsors should make sure both their plans and their service providers are following best practices to protect sensitive information.


Chris Vogel, CEBS
Senior Editor—Publications at the International Foundation

 
