Specialists in ERISA and Employee Benefits Law​

KLB Benefits

Cybersecurity – How Do You Know That Your Plan is Safe?

Among the many employer duties involved in sponsoring employee benefits is the duty to keep employee data secure from cybercrime.

It is common knowledge that cyber criminals work hard to get their hands on other people’s money, wherever they can. In addition to hacking into accounts to steal funds, cyber criminals may go after personal identifying information (PII) such as social security numbers and medical records, for use in other identity fraud schemes.

Retirement plans are a rich target, and health plans contain valuable PII. Under ERISA, the legal duty to maintain security of plan data lies mostly with the employer. What can an employer do to prevent a breach?

The best practice is for the employer to learn and understand the cybersecurity practices of its service providers, such as the third-party administrator (TPA), registered investment adviser (RIA), and retirement plan trust fund custodian. Most service providers carefully maintain and continuously upgrade their cybersecurity practices and technology, but employers cannot afford to take this for granted. It must be on the employer’s checklist to regularly seek satisfactory documentation, from all outside vendors, that plan data is secured as much as possible.

Don’t overlook the employer’s own in-house computer practices. Obviously, any company’s IT system must be secure and kept up to date to prevent unauthorized access, given the sophisticated and ever-changing nature of cybercrime. Additionally, the staff using the system should be trained regularly in techniques to spot and avoid email phishing scams and other similar tools used by cybercriminals to access data.

The Department of Labor has prepared a number of resources with guidance and tips for employers on cybercrime prevention and compliance standards:

  • Tips for Hiring a Service Provider is a helpful guide for plan fiduciaries to oversee service providers.
  • Online Security Tips is directed at participants and beneficiaries, but the information is important for plan fiduciaries as well.
  • Cybersecurity Best Practices provides the most useful insight into what the DOL is expecting plan fiduciaries and service providers to do. Specifically, the DOL expects that there be:

Read our article in the KLB Benefits Law Group Fall 2023 Newsletter.