Cybersecurity Best Practices for Employee Benefit Plans

Employee benefit plans typically gather, use, and maintain confidential data about plan participants. Employers, plan sponsors, and fiduciaries must use cybersecurity best practices to protect this information. In this article, we will explore some cybersecurity techniques applicable to employee benefit plans.

Most benefit plans fall under the Employee Retirement Income Security Act of 1974, as amended (“ERISA”). At this time, ERISA provides no clear mandate regarding cybersecurity. However, fiduciaries are always expected to act in the best interests of plan participants and beneficiaries. As such, fiduciaries should take special care in developing cybersecurity best practices for their employee benefit plans. A few examples of those practices follow.

Build the Right Team

Find experienced people from a variety of areas to develop cybersecurity policies. For instance, you may need people from IT, compliance and risk management, HR, and legal to provide their individual expertise to different components of your cybersecurity protocols.

Pinpoint Sensitive Data

As participants in an employee benefit plan, individuals divulge personally identifiable information (PII) about themselves and their beneficiaries. Full names, addresses, dates of birth, Social Security numbers, and more fall into the category of PII.

In addition, health care benefit plans will likely store medical records containing protected health information (PHI). The Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”) governs the use and protection of PHI, including PHI that is transmitted or stored electronically.

Provide Training

Any employee with access to PII or PHI – or who is tasked with protecting it – needs to be properly trained in cybersecurity best practices. These requirements should be incorporated into the company’s HIPAA Policies and Procedures and HIPAA annual training. It is important to engage ERISA counsel to develop a robust paradigm for HIPAA and cybersecurity compliance.

Don’t Forget Service Providers

Plan sponsors need to establish guidelines for any service providers with access to sensitive information.

Require Authentication

Your cybersecurity team can assess how users interact with their benefit plans. Controls that require additional authentication before granting access, or that require password resets at set intervals, may reduce the potential for a cybersecurity breach.

Assess Mobile Apps

Plan sponsors or third-party service providers may provide mobile apps for the convenience of plan participants. Don’t let ease of use get in the way of cybersecurity.

Learn More About Cybersecurity Best Practices and Your Employee Benefit Plans

At Hall Benefits Law, we work extensively with plan administrators and sponsors to develop and maintain employee benefit plans that comply with ERISA and benefits laws. Please call 678-439-6236 to discuss your concerns with an experienced attorney. Our website contains more information about our firm, a Contact Form, and free resources for your review. From our home office in Georgia, we assist clients throughout the United States, from New York to California.


Hall Benefits Law, LLC

HBL offers employers comprehensive legal guidance on benefits in mergers and acquisitions, Employee Stock Ownership Plans (ESOPs), executive compensation, health and welfare benefits, healthcare reform, and retirement plans. We counsel a wide spectrum of clients including small, mid-sized, and large companies, 401(k) investment advisors, health insurance brokers, accountants, attorneys, and HR consultants, just to name a few. HBL is passionate about advising clients, and we are dedicated to our mission: to provide comprehensive, personalized, and practical ERISA and benefits legal solutions that exceed client expectations.
