If some of the largest insurance companies in America struggle to keep sensitive data safe from hackers and other thieves, what is the trustee of a 3,000-life health plan supposed to do to protect plan participant information?

Wyatt J. Holliday, CEBS, and David J. Fournier, lawyers from Shumaker, Loop & Kendrick, LLP, pose that question in their article in the August Benefits Magazine, “What Fiduciaries Need to Ask Service Providers About Cybersecurity.”

Their answers are especially timely in light of Department of Labor (DOL) concerns. How funds are protecting participants’ personal information has emerged as an issue of concern for the DOL, according to Ian Dingwall, chief accountant for DOL’s Employee Benefit Security Administration (EBSA).


Service provider agreements are among a number of cyberliability issues EBSA staffers are asking funds about, Dingwall said. Plan fiduciaries must know that their service providers are taking precautions, just as the plan is, to be sure systems are safe and secure, backed up and tested.

Holliday and Fournier note that a trustee doesn’t need to be an expert in electronic data security. But he or she does need to know to ask the right questions to determine how a service provider is:

  • Managing electronic data, both when it’s in flight (being manipulated or being moved from one system to another, such as in an e-mail) and at rest (sitting in storage, waiting to be summoned up from the server)
  • Securing the physical hardware storing the data, including the facility where data is stored, printers and portable hardware like laptops, tablets and smartphones
  • Managing the people who interact with data. They point out that “all the encryption and security protocols in the world cannot overcome the ‘human’ factor” and, unlike computers, people often do the opposite of what they’re told.

The authors suggest a series of questions in each of those areas—questions about encryption, HIPAA compliance, disaster recovery provisions, storage and disposal of printed data, security training of personnel and guidelines on passwords, among other things.

In what they call “a brave new world of potential potholes” for benefit plan fiduciaries, plan sponsors should make sure both their plans and their service providers are following best practices to protect sensitive information.


Chris Vogel, CEBS
Senior Editor—Publications at the International Foundation

 


Favorite Foundation service/product: Benefits Magazine, of course—especially “What’s Working” articles

Benefits related topics she loves to cover: Behavioral science behind steering employees to best retirement and health care options; innovative health care and wellness plan designs

Favorite Foundation conference/event moment: Every minute of the Employee Benefits Symposium

Personal Insight: “Leisure time” for Chris is far from inactive. You might find her gardening, cooking up a storm of healthy foods, traveling to historic places, biking with her husband, reading 24/7 or knitting sweaters for her grandson. Whatever activity, she’ll be doing it with an inspiring enthusiasm.

 
