
Cybersecurity and Data Privacy for Benefit Plans

December 3, 2021

With a new year comes an increasing call to action for benefit plans and their administrators to ensure the privacy and security of plan and participant information. Data privacy and security matter for many reasons, especially for health and retirement plans. Data breaches and inappropriate uses of data are on the rise, and benefit plans are no exception to this trend. Keeping sensitive benefit plan information secure is especially important because of the types of data involved in benefit plan administration: benefit plans often hold names, contact information, bank account information, investment information, health and health insurance data, Social Security numbers, and more, and some of this information may also cover spouses and dependents. The availability of these types of data drives up the interest of bad actors. Recently, the U.S. Department of Labor issued guidance that identifies the importance of benefit plan privacy and security and is designed to help benefit plan administrators assess and increase the protection of benefit plan data. Failing to adequately address data privacy and security will likely result in breach of fiduciary duty claims. Knowing there is sensitive data at risk, what should employers, plan administrators, and their plans do? Below are some helpful starting points. For more information tailored to your specific circumstances, please contact a member of the benefits team.

  • Ask all plan vendors and service providers for written information about what they are doing to protect data and what steps can be taken to enhance the current level of protection.
  • Review agreements with vendors and service providers to ensure there is proper language about (a) data privacy and security, (b) breach notification requirements, and (c) indemnification, insurance, and limitation of liability.
  • Assess what data you are obtaining and how. This will allow you to minimize the amount you receive and will help you to know if and when there is a problem.
  • Provide training to those with access to the plan information to ensure they know what can and cannot be done with it, where to report concerns, and how to address common questions.
  • Update or draft policies covering how data will be collected, stored, disposed of, and used. This need not be overly burdensome, but guidelines and policies are among the best ways of ensuring ongoing compliance.
  • Review existing breach response policies and disaster recovery processes to ensure they address employee benefit plans. Where these documents do not address plan benefits, they should be revised to do so or new documents should be created.
  • Ensure existing or new technological and administrative controls used to secure data are applied to benefit plans.
  • Remember that HIPAA may apply to benefit plans. Even when the plan receives only a limited amount of information subject to HIPAA, there can still be risks that businesses and plans can avoid by reviewing, maintaining, and documenting their compliance.
  • Review insurance policies to ensure they will cover benefit plans for common costs, risks, and occurrences.
