By Stephen Miller, CEBS, Society for Human Resources Management (SHRM)
Cyberattacks—including incidents of ransomware, where criminals take over an organization’s information systems and demand payment to restore them—are making headlines almost daily. Because employee health and retirement plans are often top targets, HR professionals should take precautions to defend against these assaults, especially since breaches can also result in penalties and fines.
Benefits plans are particularly susceptible to cyber-risks because the plans “store large amounts of sensitive employee information and share it with multiple third parties,” says Neal Schelberg, a partner with law firm Proskauer Rose in New York City.
Consider these high-profile incidents:
While employers can’t completely eliminate cybersecurity risks, Schelberg says, “they can be managed.”
Schelberg, who co-authored the recent article “Cyberattacks on Benefit Plans: The Risks and Liabilities of Data Breaches,” advises plan sponsors to:
Because it’s unclear whether state privacy and cybersecurity laws are pre-empted by the Employee Retirement Income Security Act (ERISA) when it comes to benefits plan data, make sure you’re aware of state statutes and adjust your practices accordingly, Schelberg advises.
Most businesses that provide employees with self-funded health insurance benefits must comply with Health Insurance Portability and Accountability Act (HIPAA) privacy rules, even if they use a third-party administrator (although there is an exception for plans with fewer than 50 participants).
HIPAA’s Breach Notification Rule requires entities covered by the act and their business associates to inform people whose private health information may have been compromised within 60 days, says Robert Projansky, a partner with Proskauer in New York City.
“While nothing is expressly required under ERISA regarding notification of employees following a data breach of personal information, ERISA does require the fiduciary of a benefit plan to act prudently in managing the plan’s assets,” Projansky says. Keeping this in mind, plan fiduciaries should:
Many state requirements go beyond minimizing cybersecurity risks to addressing identity and fraud protection more generally, such as:
Since former employees and their dependents could reside anywhere, make sure to conduct a comprehensive state law analysis to determine a benefits plan’s legal requirements following a data breach, says Proskauer partner Kristen Mathews.
However, “some state data breach notification laws defer to HIPAA breach notification procedures and do not require additional action where HIPAA applies and is followed,” she says. The best way to protect your organization from a cyberattack—and stay out of the headlines—is to accurately assess your enterprise’s risk and adopt procedures to secure its data.