A group benefit plan can be a great addition to any employee’s total compensation package. But, there are additional things that should be considered for companies that are offering group benefit plans to their employees. For instance, group benefit plans can be at a greater risk for cyber attacks and may need to have greater cybersecurity. This is especially true because many group benefit plans contain sensitive personal information regarding participants and beneficiaries.
The following factors contribute to the increasing risk to benefit plans:
- The information is almost always stored electronically
- They are generally not considered by employers when they create their cybersecurity policy
- They are only lightly regulated for cybersecurity
What information is at risk because of a cyber attack?
Group benefit plans are especially at risk of cyber attacks due to the type of information they contain. Employers and third-party service providers hold specific electronic information that is very valuable for cyber attacks, including:
- Personally identifiable information like Social identification numbers, birth dates and email addresses
- Participant account balances, direct deposit information, compensation and other financial information
- Electronic health information, which can be used to obtain prescription drugs, falsify insurance claims, open credit accounts or obtain fraudulent government documents
Let’s take a closer look at what can happen in the aftermath of a cyber attack.
What are the consequences of a cyber attack?
A cyber attack can damage your business's reputation and erode the trust your customers have in you. Beyond that, a cybersecurity breach can also damage your finances. A cyber attack carries many accompanying financial costs that you may not be aware of, including:
- Expenses related to the breach investigation and recovery
- Costs resulting from losses to your employees and your benefit plans
- Fees from potential lawsuits for breach of fiduciary duty
- Fines and sanctions from government agencies
As a plan sponsor, you have some special responsibilities with regard to group benefit plans.
What responsibilities do plan sponsors have?
Plan sponsors and certain third-party service providers have fiduciary obligations to each of the benefit plans they manage. They must administer the plan with the care, skill, prudence and diligence that a prudent person would use under the circumstances. Canada's privacy law regulations provide the framework and the specific requirements for the protection and confidentiality of personal information.
To safeguard the confidentiality of all plan participants, employers should:
- Establish procedures on how to communicate with plan participants. They need to know what is being done to protect their personal information
- Create a process to correct a cyber breach if it occurs and outline what remedies are available to those affected
- Document steps taken when responding to a breach
- Vet service providers and negotiate contractual provisions to lower the risks and costs of a cyber attack on their plan
- Review and understand the limitations of their business insurance and cyber insurance coverage and address any gaps in coverage
In addition to internal processes, there are also legal requirements regarding a breach.
The Personal Information Protection and Electronic Documents Act (PIPEDA)
As of November 1, 2018, organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) should:
- Report to the Privacy Commissioner of Canada any breach involving personal information that poses a real risk of significant harm to individuals
- Notify all affected individuals about the breach, and
- Keep records of these breaches.
Organizations in Canada should stay up to date on the mandatory breach reporting requirements, which came into force under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) on November 1, 2018. Under PIPEDA, you must not only keep a record of a breach, but the record must contain any information that enables the Commissioner to verify compliance with the reporting requirements.
Employers should be proactive and try to stop a cybersecurity breach before it happens. A cybersecurity policy can be a great first step towards implementing preventative measures.
Employers should focus on four areas when formulating their cybersecurity policies. They are:
- Data management – Have specific plans and regular updates for how you will control and protect data
- Technology management – Make sure your technology is up-to-date
- Service provider management – Regularly perform due diligence on the data security practices of your service providers
- People management – Regularly train all your employees that handle personal information
Cyber attacks are an ever-present risk for businesses, yet benefit plan cybersecurity is an overlooked risk for many organizations.
Many organizations already have a cybersecurity plan in place. If your organization does, it may simply be a matter of adding the suggestions above to your existing plan. You can lower the risk of a benefit plan breach by testing and updating policies, monitoring service providers, and regularly training your employees.