Guarding Benefit Plans from Cyberattacks

Employees' health and retirement data—and account funds—are tempting targets for hackers

June 6, 2017
Guarding Benefit Plans from Cyberattacks

Cybersecurity is making headlines with an upsurge in ransomware attacks, where criminal hackers take over an organization's information systems and demand payment to restore them. Employee health and retirement plans "are big targets and particularly susceptible to cyberattacks," and employers should take steps to defend against these assaults, advised Neal Schelberg, a partner with law firm Proskauer Rose in New York City.

Schelberg, speaking last month at the International Foundation of Employee Benefit Plans' 2017 Washington Legislative Update in Washington, D.C., pointed to a few representative high-level attacks on benefit plans:

  • In June 2016, more than 90 deferred-compensation retirement accounts of Chicago municipal employees were breached. The hackers accessed secured personal information and withdrew loans from 58 accounts. Reports estimate that Chicago lost about $2.6 million. The city returned funds taken from participant accounts and offered credit monitoring services to account holders.

  • In July 2016, a cyberattack targeted a grocery workers union pension plan in St. Louis. Hackers took control of the United Food and Commercial Workers (UFCW) Local 655 pension plan's computer servers and demanded a ransom in digital currency (three bitcoins, or about $2,000). "At risk" data included employee names, birthdates, Social Security numbers and bank information. The union refused to pay the ransom and turned to its backup system. While there was no evidence that hackers accessed sensitive information, UFCW offered plan participants 12 months of credit monitoring and identity theft restoration services.

Cyberattacks can also result in penalties and fines.

  • In November 2016, the Department of Health and Human Services (HHS) announced a settlement with the University of Massachusetts Amherst for potential violations of the Health Insurance Portability and Accountability Act (HIPAA). Following a malware infection targeting the university's employee health care plan, UMass agreed to pay $650,000 in penalties and to comply with the requirements of a corrective action plan. The breach exposed the private health information of 1,500 people. An HHS investigation revealed that the university had failed to accurately assess the risk of malware infection and adopt procedures to secure its data.

Benefit plans "are particularly susceptible to cyber-risks because they store large amounts of sensitive employee information and share it with multiple third parties," Schelberg said. And while cyber-risks cannot be eliminated, "they can be managed."

Arguably, he added, it is within a plan trustee's fiduciary duties to:

  • Prepare for possibility of a cyberattack.

  • Ensure that any breach results in as little exposure (and cost) as possible.

It's unclear whether state privacy and cyber laws are pre-empted by the Employee Retirement Income Security Act (ERISA) when it comes to benefit plan data, Schelberg said, so benefit plan administrators should be mindful of state statutes and adjust their practices accordingly.

[SHRM members-only toolkit: Complying with Workplace Records and Reporting Requirements]

Steps to Safeguard Data

"Cyberthreats are—and will continue to be—a significant risk facing benefit plans," Schelberg warned. He advised plan sponsors to take the following protective actions:

  • Develop and implement a framework for addressing cybersecurity issues.

  • Address third-party vendor vulnerabilities that could add risk, especially with regard to the electronic transfer of sensitive data to third parties.

  • Back up sensitive data and store it off-network so that it is segregated.

  • Augment passwords with multifactor authentication to access data systems.

  • Increase investment in security software and systems, and get boards of directors more involved in security matters.

  • Consider purchasing cyberliability insurance.

Schelberg co-authored a recent article, "Cyberattacks on Benefit Plans: The Risks and Liabilities of Data Breaches," that provides additional advice.

Notification After a Data Breach

HIPAA's Breach Notification Rule requires HIPAA-covered entities and their business associates to notify people whose private health information may have been breached within 60 days, said Robert Projansky, a Proskauer partner in New York City.

Most employers that provide employees with self-funded health insurance benefits are covered entities and must comply with HIPAA privacy rules, even if a third-party administrator is used (although there is an exception for plans with fewer than 50 participants).

"While nothing is expressly required under ERISA regarding notification of employees following a data breach of personal information, ERISA does require the fiduciary of a benefit plan to act prudently in managing the plan's assets," Projansky said. Keeping this in mind, plan fiduciaries should:

  • Examine contracts with outside administrators concerning notification duties in the event of a security breach.

  • Look to state law notification requirements.

Kristen Mathews, also a partner in Proskauer's New York City office, explained that benefit plans are affected by the laws of states where health plan enrollees or retirement plan participants live, not only the state where the company resides or the plan is administered. Pension plans, for instance, could be affected by security laws in any state in which a retiree or beneficiary resides.

Many state requirements go beyond cybersecurity risks to address identity protection and fraud protection requirements more generally, Mathews said, such as:

  • Disposal laws that require businesses to take reasonable steps when disposing of sensitive personal information, such as by ensuring data is shredded or erased so it can't be deciphered.

  • Social Security number laws that prohibit businesses from publishing or making available individuals' Social Security numbers.

  • Protection of medical information statutes, such as California's Confidentiality of Medical Information Act, which requires that "each employer who receives medical information shall establish appropriate procedures to ensure the confidentiality and protection from unauthorized use and disclosure of that information."

Since former employees and their dependents could reside anywhere, Mathews advised conducting a comprehensive state law analysis to determine the plan's legal requirements after a data breach. However, she added, "some state data breach notification laws defer to HIPAA breach notification procedures and do not require additional action where HIPAA applies and is followed."

Related Resource:

Cyber Attack Quick-Response Checklist (for a HIPAA covered entity or its business associate), U.S. Department of Health and Human Services

Related SHRM Articles:

401(k) Plans: A Cybersecurity Afterthought, SHRM Online Employment Law, February 2018

How Companies Can Guard Against Ransomware, SHRM Online Global and Cultural Effectiveness, November 2016

HR Must Prepare for Increase in Ransomware Demands, SHRM Online HR Technology, March 2016



Hire the best HR talent or advance your own career.


HR Daily Newsletter

News, trends and analysis, as well as breaking news alerts, to help HR professionals do their jobs better each business day.