If some of the largest insurance companies in America struggle to keep sensitive data safe from hackers and other thieves, what is the trustee of a 3,000-life health plan supposed to do to protect plan participant information?

Wyatt J. Holliday, CEBS, and David J. Fournier, lawyers from Shumaker, Loop & Kendrick, LLP, pose that question in their article in the August Benefits Magazine, “What Fiduciaries Need to Ask Service Providers About Cybersecurity.”

Their answers are especially timely in light of Department of Labor (DOL) concerns. How funds are protecting participants’ personal information has emerged as an issue of concern for the DOL, according to Ian Dingwall, chief accountant for DOL’s Employee Benefit Security Administration (EBSA).


Service provider agreements are among a number of cyberliability issues EBSA staffers are asking funds about, Dingwall said. Plan fiduciaries must know that their service providers are taking precautions, just as the plan is, to be sure systems are safe and secure, backed up and tested.

Holliday and Fournier note that a trustee doesn’t need to be an expert in electronic data security. But he or she does need to know to ask the right questions to determine how a service provider is:

  • Managing electronic data, both when it’s in flight (being manipulated or being moved from one system to another, such as in an e-mail) and at rest (sitting in storage, waiting to be summoned up from the server)
  • Securing the physical hardware storing the data, including the facility where data is stored, printers and portable hardware like laptops, tablets and smartphones
  • Managing the people who interact with data. They point out that “all the encryption and security protocols in the world cannot overcome the ‘human’ factor” and, unlike computers, people often do the opposite of what they’re told.

The authors suggest a series of questions in each of those areas—questions about encryption, HIPAA compliance, disaster recovery provisions, storage and disposal of printed data, security training of personnel and guidelines on passwords, among other things.

In what they call “a brave new world of potential potholes” for benefit plan fiduciaries, plan sponsors should make sure both their plans and their service providers are following best practices to protect sensitive information.

Chris Vogel, CEBS
Senior Editor—Publications at the International Foundation
