If some of the largest insurance companies in America struggle to keep sensitive data safe from hackers and other thieves, what is the trustee of a 3,000-life health plan supposed to do to protect plan participant information?

Wyatt J. Holliday, CEBS, and David J. Fournier, lawyers from Shumaker, Loop & Kendrick, LLP, pose that question in their article in the August Benefits Magazine, “What Fiduciaries Need to Ask Service Providers About Cybersecurity.”

Their answers are especially timely in light of Department of Labor (DOL) concerns. How funds are protecting participants’ personal information has emerged as an issue of concern for the DOL, according to Ian Dingwall, chief accountant for DOL’s Employee Benefits Security Administration (EBSA).


Service provider agreements are among a number of cyberliability issues EBSA staffers are asking funds about, Dingwall said. Plan fiduciaries must know that their service providers are taking precautions, just as the plan is, to be sure systems are safe and secure, backed up and tested.

Holliday and Fournier note that a trustee doesn’t need to be an expert in electronic data security. But he or she does need to know to ask the right questions to determine how a service provider is:

  • Managing electronic data, both when it’s in flight (being manipulated or being moved from one system to another, such as in an e-mail) and at rest (sitting in storage, waiting to be summoned up from the server)
  • Securing the physical hardware storing the data, including the facility where data is stored, printers and portable hardware like laptops, tablets and smartphones
  • Managing the people who interact with data. They point out that “all the encryption and security protocols in the world cannot overcome the ‘human’ factor” and, unlike computers, people often do the opposite of what they’re told.

The authors suggest a series of questions in each of those areas—questions about encryption, HIPAA compliance, disaster recovery provisions, storage and disposal of printed data, security training of personnel and guidelines on passwords, among other things.

In what they call “a brave new world of potential potholes” for benefit plan fiduciaries, plan sponsors should make sure both their plans and their service providers are following best practices to protect sensitive information.


Chris Vogel, CEBS
Senior Editor—Publications at the International Foundation

 


Favorite Foundation service/product: Benefits Magazine, of course—especially “What’s Working” articles

Benefits related topics she loves to cover: Behavioral science behind steering employees to best retirement and health care options; innovative health care and wellness plan designs

Favorite Foundation conference/event moment: Every minute of the Employee Benefits Symposium

Personal Insight: “Leisure time” for Chris is far from inactive. You might find her gardening, cooking up a storm of healthy foods, traveling to historic places, biking with her husband, reading 24/7 or knitting sweaters for her grandson. Whatever activity, she’ll be doing it with an inspiring enthusiasm.

 
