This Month Only! >> $20 off and a FREE SHRM tote with your membership and code TOTE2018!
Sign up for free email newsletters and get more SHRM content delivered to your inbox.
Is your employee handbook keeping up with the changing world of work? With SHRM's Employee Handbook Builder get peace of mind that your handbook is up-to-date.
Build competencies, establish credibility and advance your career—while earning PDCs—at SHRM Seminars in 12 cities across the U.S. this spring.
#SHRM18 will expand your perspective – on your organization, on your career, and on the way you approach HR. Join us in Chicago June 17-20, 2018
Employees' health and retirement data—and account funds—are tempting targets for hackers
Cybersecurity is making headlines with an
upsurge in ransomware attacks, where criminal hackers take over an organization's information systems and demand payment to restore them. Employee health and retirement plans "are big targets and particularly susceptible to cyberattacks," and employers should take steps to defend against these assaults, advised Neal Schelberg, a partner with law firm Proskauer Rose in New York City.
Schelberg, speaking last month at the International Foundation of Employee Benefit Plans' 2017 Washington Legislative Update in Washington, D.C., pointed to a few representative high-level attacks on benefit plans:
Cyberattacks can also result in penalties and fines.
Benefit plans "are particularly susceptible to cyber-risks because they store large amounts of sensitive employee information and share it with multiple third parties," Schelberg said. And while cyber-risks cannot be eliminated, "they can be managed."
Arguably, he added, it is within a plan trustee's fiduciary duties to:
It's unclear whether state privacy and cyber laws are pre-empted by the Employee Retirement Income Security Act (ERISA) when it comes to benefit plan data, Schelberg said, so benefit plan administrators should be mindful of state statutes and adjust their practices accordingly.
[SHRM members-only toolkit:
Complying with Workplace Records and Reporting Requirements]
Steps to Safeguard Data
"Cyberthreats are—and will continue to be—a significant risk facing benefit plans," Schelberg warned. He advised plan sponsors to take the following protective actions:
Schelberg co-authored a recent article, "Cyberattacks on Benefit Plans: The Risks and Liabilities of Data Breaches," that provides additional advice.
Notification After a Data Breach
HIPAA's Breach Notification Rule requires HIPAA-covered entities and their business associates to notify people whose private health information may have been breached within 60 days, said Robert Projansky, a Proskauer partner in New York City.
Most employers that provide employees with self-funded health insurance benefits
are covered entities and must comply with HIPAA privacy rules, even if a third-party administrator is used (although there is an exception for plans with fewer than 50 participants).
"While nothing is expressly required under ERISA regarding notification of employees following a data breach of personal information, ERISA does require the fiduciary of a benefit plan to act prudently in managing the plan's assets," Projansky said. Keeping this in mind, plan fiduciaries should:
Kristen Mathews, also a partner in Proskauer's New York City office, explained that benefit plans are affected by the laws of states where health plan enrollees or retirement plan participants live, not only the state where the company resides or the plan is administered. Pension plans, for instance, could be affected by security laws in any state in which a retiree or beneficiary resides.
Many state requirements go beyond cybersecurity risks to address identity protection and fraud protection requirements more generally, Mathews said, such as:
Since former employees and their dependents could reside anywhere, Mathews advised conducting a comprehensive state law analysis to determine the plan's legal requirements after a data breach. However, she added, "some state data breach notification laws defer to HIPAA breach notification procedures and do not require additional action where HIPAA applies and is followed."
Cyber Attack Quick-Response Checklist (for a HIPAA covered entity or its business associate), U.S. Department of Health and Human Services
Related SHRM Articles:
401(k) Plans: A Cybersecurity Afterthought, SHRM Online Employment Law, February 2018
How Companies Can Guard Against Ransomware,
SHRM Online Global and Cultural Effectiveness, November 2016
HR Must Prepare for Increase in Ransomware Demands,
SHRM Online HR Technology, March 2016
Was this article useful? SHRM offers thousands of tools, templates and other exclusive member benefits, including compliance updates, sample policies, HR expert advice, education discounts, a growing online member community and much more.
Join/Renew Now and let SHRM help you work smarter.
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Please sign in as a SHRM member before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
Become a SHRM Member
SHRM’s HR Vendor Directory contains over 10,000 companies