With the recent spike in cybersecurity breaches rippling through all corners of the global business landscape, the surging interest in data protection has caused even the highest departments of state to take note and weigh in. In April 2021, the U.S. Department of Labor’s (DOL) Employee Benefits Security Administration issued a cybersecurity guidance to help employers protect “the retirement benefits of America’s workers.”
Here we take a closer look at the guidance and review suggested best practices for protecting your worker’s benefits data.
Goals, Scope of New Guidance
The new guidance falls neatly in line with preexisting laws and is intended to help address the dramatic uptick in cybersecurity problems involving personnel benefits and financial records as well as the Biden administration’s focus on infrastructure and improving U.S. data security. In terms of the need for legal compliance, the DOL points out the Employee Retirement and Income Security Act (ERISA) requires “plan fiduciaries [to] take appropriate precautions to mitigate . . . [cybersecurity] risk.”
The guidance doesn’t stray into technical requirements but instead reiterates some of the core principles of basic cybersecurity expectations. It contains sections on cybersecurity best practices as well as tips for hiring a service provider.
Best Practices
The best-practices document echoes several things already part of any Health Insurance Portability and Accountability Act (HIPAA) or standard cybersecurity compliance program including (1) a documented cybersecurity process and (2) annual risk assessments to determine whether it’s working. Notably, the majority of HIPAA cases involve a failure to have security guidelines and regular security assessments in place.
The guidance focuses on the common issues of identifying those at your company who are in charge of cybersecurity as well as training employees. Recommended actions include data mapping to fully understand the assets and the information used and to study how system access is acquired (to identify and mitigate the risks).
The DOL sets forth a list of 18 policies you should formalize in your organization ranging from access controls and identity management to encryption, and a full assessment of physical security and environmental controls. The guidance strongly suggests an annual third-party audit of security controls to help avoid “confirmation bias” in your programs (i.e., wishful thinking that everything is OK).
Hiring Service Provider
The DOL’s tips for hiring a service provider include asking about contract information security standards, audit results, and appropriate cybersecurity insurance policies for covering any losses. The guidance offers a clear directive that anyone contracting with third parties requires “ongoing compliance with cybersecurity and information security standards.” It further instructs you to avoid contracts that limit third-party liability for cybersecurity breaches.
Bottom Line for Employers
Even if you don’t manage ERISA-based benefits, you need to be cautious and thoughtful about your privacy and security measures. Implement well-thought-out plans, and provide industry-appropriate security, whether it’s adding encryption and multifactor authentication or simply improving your employee training program.
Jo Ellen Whitney is an attorney with Dentons Davis Brown in Des Moines, Iowa. You can reach her at joellen.whitney@dentons.com.