While data privacy has become a major concern for organizations with respect to their core business operations, benefit plans can fall outside their focus. The sensitive nature of the information stored (SSNs, DOBs, financial and medical information, bank account details and beneficiary information), the large amounts of money involved and the prevalence of sharing data with third-party vendors make benefit plan data particularly alluring to cyberhackers.

In a recent International Foundation member webcast, Managing Cybersecurity Risks in Benefit Plan Administration, Kristen Mathews and Robert Projansky of Proskauer Rose LLP shared a list of proactive actions employers and plans can take to manage risk and who should manage each. Spoiler alert—Placing all of the responsibility solely on your technology team was not recommended.

Benefit Plan Data Security—Whose Job Is It, Anyway?

Throughout the webcast, Projansky and Mathews shared tips and very compelling examples of “this could happen to you.” A common theme shined through—Cybersecurity is everyone’s responsibility. It’s important to have a plan and a well-trained team, both internally and with your vendors.

Internal Team—Who is responsible for each part of strategy implementation?

  • Staffing—Very clearly identify personnel responsible for strategy implementation.
  • Train staff and participants—Make sure everyone who is handling or has access to data is trained. Train participants, too. Make sure your SPD includes language about password security.
    • Have an incident response team and written plan, in advance and updated regularly.
    • Make sure your team is comprehensive, including IT, information security, legal, PR, HR, risk, compliance, etc.
  • Have a data breach response plan and team in place before you need to respond.
    • Create a response plan to act as a “playbook” during a breach response.
    • Retain incident response vendors in advance with negotiated terms and prices. You will likely need outside help in the event of a data breach.
    • Use simulation exercises to prepare and to find needed changes to your plan.


Vendor Management—Your vendor’s risks are your risks. Do you know how your vendors are handling your data?

  • View every partner that has access to or receives data from your company as a potential gateway for hackers.
  • Negotiate contracts with data protection in mind.
  • Determine whether each vendor is adequately protecting your data by using a vendor security assessment questionnaire and reviewing the results of independent evaluations.
  • Ask the right questions—and ask a lot of them! Mathews offered the following list of factors to consider as you start to build your comprehensive list of questions:
    • Elements of cybersecurity program
    • Limitations on use of data
    • How is data maintained and protected?
    • How are physical assets protected?
    • Is data encrypted at rest, in transit, on devices?
    • What responsibility/liability/reporting will vendor agree to contractually?
    • Internal and external processes to assess cybersecurity
    • Insurance
    • Processes around subcontracting

Cybersecurity is an ongoing effort that must evolve along with rapidly changing laws in the area. From your internal teams to your vendors to your plan participants, it is critical to know each individual’s role in keeping benefits data protected. Having an understanding of the risk and advance planning can help to avoid challenging issues in the future.


Ann Godsell, CEBS
Director, Social Media and Content Marketing at the International Foundation
