With recent advancements in plan administration technology, online enrollment and electronic access to account information, as well as benefit plan transaction processing, personally identifiable information (“PII”) and data have become increasingly vulnerable to attack as they travel through employer and third party systems. Earlier this year, the attack on Anthem’s information technology system, which compromised the personal information of individuals under numerous health plans (including PII, bank account and income data, and Social Security numbers), raised questions of privacy and security under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), and there have been other similar attacks. These cases remind us that in today’s world, plan participant information, whether it be protected health information (PHI), PII, or retirement savings account information, is vulnerable to theft.
In 2011, the Advisory Council on Employee Welfare and Pension Benefit Plans (the “Council”) studied the importance of addressing privacy and security issues with respect to employee benefit plan administration. The Council examined concerns about potential breaches of the technological systems used in the employee benefit industry, the misuse of benefit data and PII and the impact on all parties who share, access, store, maintain and use PII, including, but not limited to, plan sponsors and fiduciaries, trustees, participants, plan administrators, third party administrators (TPAs), record keepers, investment advisors, and other service providers.
The Council recognized several potential areas of vulnerability, including (i) theft of personal identities and other PII, (ii) theft of money from bank accounts, investment funds, and retirement accounts, (iii) unsecured/unencrypted data, (iv) outdated and low security passwords, (v) hacking into plan administration, service provider, and broker systems, (vi) email hoaxes, and (vii) stolen laptops or data hacked from public computers where participants logged into accounts.
The Council recommended that the U.S. Department of Labor (the “DOL”) provide guidance on the obligation of plan fiduciaries to secure PII and develop educational materials. To date, the DOL has issued no such guidance.
What Should Benefit Plan Fiduciaries Do In the Absence of Clear Rules Regarding Protection of PII?
Recognizing that ERISA plan fiduciaries are charged with meeting a prudence standard when discharging their duties solely in the interest of plan participants and beneficiaries, fiduciaries must not only act prudently in responding to a breach of their plan participants’ PHI, but should also consider developing prudent policies and procedures with respect to the handling and transmission of all PII, participant data, and PHI, in the regular course, as well as notification and remediation measures for breaches of same.
Establishing an appropriate PII Privacy & Protection Policy is complicated because this area is evolving and questions regarding ERISA preemption and conflicts with state and federal data privacy laws are not yet definitively addressed. In addition, remediation of financial harm to a participant is difficult since the resulting financial injury may not be immediate or easily quantifiable. With federal cybersecurity legislation on the horizon, varying state laws on privacy and data breach notification requirements, scrutiny over financial institutions and their compliance with laws designed to protect PII, and the increasing emphasis on HIPAA and HITECH compliance in the wake of health plan data breaches, merely understanding the ambit of ERISA fiduciary obligations to protect against employee benefit plan participant data breaches presents a challenge.
As with other plan administration responsibilities, however, it is important for plan fiduciaries to establish and follow prudent practices and procedures for handling and securing PII, including when the handling and securing of such data is delegated to third parties. When it comes to prudent selection and monitoring of plan service providers that will handle PII, due diligence of the third party service provider’s systems, data storage, and encryption security are all critical. It is equally important to prudently delegate responsibilities to company personnel that will handle the PII. Plan sponsors and other fiduciaries are well advised to consider the following when preparing individualized PII Privacy and Protection Policies and to require third party service providers to demonstrate compliance with same:
• Keep only data that is needed and use effective processes to discard unnecessary data, including back-up paper and electronic copies. Reconcile this procedure with record retention requirements.
• Know where PII is located in all of the organization’s systems, and understand the security levels of any cloud computing and remote data storage processes that are involved in plan administration, including how data is stored or protected.
• When protected health information is at issue, follow HIPAA/HITECH guidelines.
• Keep computer systems updated, including prompt installation of software patches, and stay current on electronic threats and effective responses.
• Follow National Institute of Standards and Technology (NIST) guidelines on computer configuration and use.
• Use full disk encryption on laptops and external data storage devices that might include PII or information on how to access it.
• Maintain complete log-in records for the network, firewalls, routers and key software applications, and limit or define usage of portable devices.
Service Provider Management
• Address privacy and security factors when vetting and selecting service providers.
• Delegate duties responsibly and prudently monitor third parties and employees with access to plan data.
• Assess the service providers’ certifications in privacy and security, and their insurance coverage.
• Request information regarding service providers’ processes and systems for addressing cybersecurity threats and protection of PII, as well as past data breaches.
• Make sure third party provider subcontractors are held to the same standards as the service provider.
• Develop a record of diligence efforts undertaken to document the level of security of third party service providers. Understand where data is stored and how it is secured and protected.
• Engage expertise of company IT professionals and your legal counsel to review service agreements and provisions regarding data security, data storage, websites, breach notification, and confidentiality, and develop parameters for compliance representations and indemnification in service agreements.
• Review a copy of each third party service provider’s Service Organization Control Reports (e.g. SOC 1, 2 and 3).
Special Concerns for Employees
• Educate employees about the importance of safeguarding their data at all times and warn against email and phishing scams.
• Encourage the use of strong passwords that are updated regularly.
• Advise participants and beneficiaries to monitor their accounts.
• Focus on security measures in place for plan distributions, loans and withdrawals.
• Prepare communications that remind participants and beneficiaries to safeguard their own benefit information, account balances, health information, passwords, and PINs, and advise against placing too much personal information on social networking sites and against reviewing sensitive data on public computers or kiosks.
People & Training
• Perform background checks on all individuals with access to PII.
• Ensure all personnel who have access to PII are trained in properly safeguarding it. Include training in areas such as data retention/destruction, social networking, social engineering, and litigation holds.
• Designate an individual to be in charge of privacy and security of PII, and implement and test contingency plans for use in the event of a data breach.
• Train employees responsible for contract and vendor management regarding review of privacy and security issues in vendor arrangements.
• Keep records of any breach investigations and steps taken to remedy the breach.
• Review fiduciary liability insurance and consider the potential interplay with cybersecurity insurance.
• Perform periodic risk assessments, maintain good controls, and be careful about who can override them.
• Use a process to confirm compliance with the policy, and make sure the policy is clear and communicated to all appropriate parties.
In this ever-changing landscape, these considerations are not definitive or finite. Development of best practices, including a PII Privacy and Protection Policy, will require thought and insight depending on the facts and circumstances. In the absence of formal guidance, it is imperative for plan sponsors and fiduciaries to address these issues and develop best practices and procedures that are suitable to prudently administer their plans in the Information/Innovation Age.
* I wish to thank my colleague August E. Huelle for his contributions to this article.