Cybersecurity and Data Privacy for Benefit Plans
With a new year comes an increasing call for action for benefit plans and their administrators to ensure the privacy and security of plan and participant information. Data privacy and security are important for many reasons, especially for health and retirement plans. There is a rise in the number of data breaches and inappropriate uses of data, and benefit plans are no exception to this trend. Keeping sensitive benefit plan information secure is very important, especially because of the types of data involved in benefit plan administration. For example, benefit plans often have names, contact information, bank account information, investment information, health and health insurance data, Social Security numbers, and more. Some information may also be available for spouses and dependents. The availability of these types of data drives up the interest of bad actors. Recently the U.S. Department of Labor issued guidance identifying the importance of benefit plan privacy and security, and which was also designed to assess and help benefit plan administrators increase the protection of benefit plan data. Failing to adequately address data privacy and security will likely result in breach of fiduciary duty claims. Knowing there is sensitive data at risk, what should employers, plan administrators and their plans do? Below are some helpful starting points. For more information tailored to your specific circumstances, please contact a member of the benefits team.
- Ask all plan vendors and service providers for written information about what they are doing to protect data and what steps can be taken to enhance the current level of protection.
- Review agreements with vendors and service providers to ensure there is proper language about (a) data privacy and security, (b) breach notification requirements, and (c) indemnification, insurance, and limitation of liability.
- Assess what data you are obtaining and how. This will allow you to minimize the amount you receive and will help you to know if and when there is a problem.
- Provide training to those with access to the plan information to ensure they know what can and cannot be done with it, where to report concerns, and how to address common questions.
- Update or draft policies covering how data will be collected, stored, disposed of, and used. This need not be overly burdensome, but guidelines and policies are among the best ways of ensuring ongoing compliance.
- Review existing breach response policies and disaster recovery processes to ensure they address employee benefit plans. Where these documents do not address plan benefits, they should be revised to do so or new documents should be created.
- Ensure existing or new technological and administrative control used to secure data are applied to benefit plans.
- Remember that HIPAA may apply to benefit plans and even when the plan receives a limited amount of information subject to HIPAA, there can still be risks businesses and plans can avoid by reviewing, maintaining, and documenting their compliance.
- Review insurance policies to ensure they will cover benefit plans for common costs, risks, and occurrences.
WEBINAR: The Race to 2024: Politics and Social Media in the Workplace and Employer Rights.
Over the last several years, employers have seen and continue to see increased political activities from their employees at work and on social media platforms, including on business-related social media platforms, like LinkedIn. Managing employee expression causes unique challenges for employers and HR professionals, and in a General Election year, these challenges are likely to increase as the Presidential race, and other races, heat up.
Webinar: A Cookieless Future and Promise of PETs: A Primer on Privacy Enhancing Technologies
This webinar will explore PETs – we will define what they are, what problems PETs exist to address, and emerging PET standards including the National Institute of Standards and Technology (NIST) draft guidance on how to evaluate PET effectiveness. We will provide specific PET use cases and discuss how PETs may be utilized to address the phase out of third party cookies by certain browsers for purposes of targeted advertising.
WEBINAR: Cybersecurity Resilience in Law Firms
This webinar focuses on law firms seeking useful information about robust cybersecurity strategies to protect their clients, maintain ethical and legal compliance, and fortify their digital infrastructure.