Question: We always meant to automate our plan audit files, but somehow we didn’t get around to it. When the hit, we had to send the information via email, and it looks like we will have to do so again. What do we need to know to protect the information we send?
Answer: First, you are not alone. Before COVID-19, lots of companies were maintaining all of their plan audit records on paper, and thus faced a challenge when they had to send them off for review. And you’re right, data security is threatened when that transmission is not done properly. It’s a serious matter, because one of the duties of an Employee Retirement Income Security Act (ERISA) fiduciary is managing the plan appropriately, and that includes keeping security in mind. As you prepare to send any plan records to a third party, there are two primary things to keep in mind: which information to send, and how to send it.
Understand that “personal protected information” may comprise more data than you think, so do your best to learn exactly what’s included. In general, email is not a secure means of sending sensitive information, even if your company has strict controls.
So the first thing to do is set and communicate guidance about what can and cannot be emailed. Then, contact anyone who may need sensitive information and find out if they have a secure portal you can use to transmit it. That way, the recipient will need to log in to view the information, reducing opportunities for data theft. If your provider does not have a secure portal for this purpose, you may want to find one that does.