Employee benefit plans typically gather, use, and maintain confidential data about plan participants. Employers, plan sponsors, and fiduciaries must use cybersecurity best practices to protect this information. In this article, we will explore some cybersecurity techniques applicable to employee benefit plans.
Most benefit plans fall under the Employee Retirement Income Security Act of 1974, as amended (“ERISA”), which at this time provides no clear mandate regarding cybersecurity. However, fiduciaries are always expected to act in the best interests of plan participants and beneficiaries. As such, fiduciaries should take special care in developing cybersecurity best practices for their employee benefit plans. A few examples of those practices follow.
Build the Right Team
Find experienced people from a variety of areas to develop cybersecurity policies. For instance, you may need people from IT, compliance and risk management, HR, and legal to provide their individual expertise to different components of your cybersecurity protocols.
Pinpoint Sensitive Data
As participants in an employee benefit plan, individuals divulge personally identifiable information (PII) about themselves and their beneficiaries. Full names, addresses, dates of birth, Social Security numbers, and more fall into the category of PII.
In addition, health care benefit plans are likely to store medical records containing protected health information (PHI). The Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”) governs the use and protection of PHI, including PHI that is transmitted or stored electronically.
Any employee with access to PII or PHI – or who is tasked with protecting it – needs to be properly trained in cybersecurity best practices. These requirements should be incorporated into the company’s HIPAA Policies and Procedures and its annual HIPAA training. It is important to engage ERISA counsel to develop a robust framework for HIPAA and cybersecurity compliance.
Don’t Forget Service Providers
Plan sponsors need to establish guidelines for any service providers with access to sensitive information.
Your cybersecurity team can also assess how participants interact with their benefit plans. Protocols that require additional authentication, or that require password resets at set intervals, may reduce the potential for cybersecurity breaches.
Assess Mobile Apps
Plan sponsors or third-party service providers may offer mobile apps for the convenience of plan participants. Don’t let ease of use come at the expense of cybersecurity.