In the U.S. and Canada, the first Monday of September is dedicated to Labor Day, a public holiday established to honor the social and economic achievements of hardworking Americans throughout history. According to the U.S. Department of Labor (DOL), the event recognizes how the average employee has directly contributed to the current strength and prosperity of the country. But while the nation is busy waving flags and touting the value of laborers, cybercriminals are waiting in the wings to target those same workers by exploiting their online benefit plans and service providers.
Cybersecurity threats to employee data are on the rise, as third-party administrators, trustees, and record keepers are continually targeted by hackers looking for valuable caches of information. Although only a small number of such attacks have actually occurred to date, the successful ones have resulted in the loss of millions of dollars. These schemes are designed to steal the data of participants who have signed up for employee benefits, such as vision and dental plans, medical insurance, prescription services, and retirement accounts, to name just a few. By setting up fraudulent transfers, phony loans, and ransomware attacks, these cybercriminals have been able to steal sensitive participant data and scurry off with money reserved for the well-being of hardworking citizens.
The Duty of Data Protection
Since the recent creation of the General Data Protection Regulation (GDPR) by the European Union, the notion of protecting customer details on the internet has become less optional and more mandatory. Wonderful as that may be, this wise and responsible step only represents one small facet of the online world, as there are still plenty of organizations that have yet to acknowledge this responsibility. And while it’s only a matter of time before they are forced to do so, the reality is some critical ones—like the Employee Retirement Income Security Act of 1974 (ERISA)—do not currently require plan sponsors to safeguard the personally identifiable information of their participants. In practical terms, this means government giants like the DOL are not actually on the hook for securing the benefits of the employees they claim to value.
Despite its lack of specific requirements or statutes for such data protection, ERISA Section 404 does still require sponsors of benefits plans and other fiduciaries to use “care, skill, prudence, and diligence” when guarding the rights and privacy of participants. And while this language suggests some degree of protection for online assets, it is far from guaranteed.
For several years now, the Advisory Council for ERISA has communicated directly with the DOL about the growing risk of cyberattack on employee benefit plans and tried to prepare them for future realities. Consequently, a 2016 report was drafted to educate the organization on these critical issues:
- What kind of data is prone to attack.
- How to respond to a successful cyberattack.
- The best ways to recover from a digital breach.
The Advisory Council went on to highlight how service providers can be properly vetted and contract provisions negotiated to lessen the chance of attack-related expenditures. They encouraged the DOL to assess and restructure their business insurance to address the possibility of financial fallout in the future. But more importantly, ERISA has made it their business to help the DOL understand how service providers store and protect the customer data they handle. This obligation includes notifying participants, governmental agencies, and anyone else with a vested interest about digital incidents or data theft. All benefit providers should have clear agreements in place for employers and plan sponsors to clarify their position on data security and their ability to respond to possible incidents.
When, Not If
The need for data protection is not a matter of if something happens—it’s a matter of when. With cyber threats growing constantly in scope and sophistication, those providing benefits to workers should have a well-established response plan in place. Of course, this covers collaborating with service providers to effectively communicate with workers whose active plan information may have been exposed to attack. Participants caught up in a breach will likely feel anxious and concerned about the state of their private data, which means it is imperative for providers to offer them accurate and intelligent feedback about the issue.
What happened? How is it being handled? What type of information was exposed? What, if anything, should workers do to protect themselves as a result? How is this situation being avoided in the future? These are all questions that will need answers from those entrusted with the safety of consumer data. And these responses should not be conjured up in the heat of the moment, but rather well considered before an event occurs and established in writing as future communication systems. This step not only emphasizes an organization’s professionalism, but it also lets participants, industry figures, and potential hackers know these providers are fully prepared for digital transformation.
Plan sponsors must remember that when it comes to cybersecurity, one size does not fit all. This type of digital approach should be tailored to the unique circumstances of the organization providing the benefits and the needs of everyone involved. In some cases, adopting an entirely new security protocol may not be necessary, as it is possible to expand existing security policies to cover these exposed areas of data. But given the country’s evolving regard for data protection, not to mention the value it places on American workers, there is little alternative. Honoring laborers with a national holiday is certainly meaningful, but without real security in place to protect them, it’s a hollow gesture.