If some of the largest insurance companies in America struggle to keep sensitive data safe from hackers and other thieves, what is the trustee of a 3,000-life health plan supposed to do to protect plan participant information?
Wyatt J. Holliday, CEBS, and David J. Fournier, lawyers from Shumaker, Loop & Kendrick, LLP, pose that question in their article in the August Benefits Magazine, “What Fiduciaries Need to Ask Service Providers About Cybersecurity.“
Their answers are especially timely in light of Department of Labor (DOL) concerns. How funds are protecting participants’ personal information has emerged as an issue of concern for the DOL, according to Ian Dingwall, chief accountant for DOL’s Employee Benefit Security Administration (EBSA).
Service provider agreements are among a number of cyberliability issues EBSA staffers are asking funds about, Dingwall said. Plan fiduciaries must know that their service providers are taking precautions, just as the plan is, to be sure systems are safe and secure, backed up and tested.
Holliday and Fournier note that a trustee doesn’t need to be an expert in electronic data security. But he or she does need to know to ask the right questions to determine how a service provider is:
- Managing electronic data, both when it’s in flight (being manipulated or being moved from one system to another, such as in an e-mail) and at rest (sitting in storage, waiting to be summoned up from the server)
- Securing the physical hardware storing the data, including the facility where data is stored, printers and portable hardware like laptops, tablets and smartphones
- Managing the people who interact with data. They point out that “all the encryption and security protocols in the world cannot overcome the ‘human’ factor” and, unlike computers, people often do the opposite of what they’re told.
The authors suggest a series of questions in each of those areas—questions about encryption, HIPAA compliance, disaster recovery provisions, storage and disposal of printed data, security training of personnel and guidelines on passwords, among other things.
In what they call “a brave new world of potential potholes” for benefit plan fiduciaries, plan sponsors should make sure both their plans and their service providers are following best practices to protect sensitive information.
Chris Vogel, CEBS
Senior Editor—Publications at the International Foundation