How to Guard Benefits Plans from Cyberattacks

Employees' health and retirement data are tempting targets for hackers.

By Stephen Miller, CEBS, August 25, 2017

Cyberattacks—including incidents of ransomware, where criminals take over an organization’s information systems and demand payment to restore them—are making headlines almost daily. Because employee health and retirement plans are often top targets, HR professionals should take precautions to defend against these assaults, especially since breaches can also result in penalties and fines.

Benefits plans are particularly susceptible to cyber-risks because the plans “store large amounts of sensitive employee information and share it with multiple third parties,” says Neal Schelberg, a partner with law firm Proskauer Rose in New York City. 

Consider these high-profile incidents:

  • In February, The Boeing Co. notified 36,000 employees in California, Massachusetts, North Carolina and Washington state that personnel data had left the company’s control when a worker e-mailed a spreadsheet to his spouse so she could help format the document.
  • In January, natural gas and electric company UGI Utilities Inc. informed about 1,900 current and former employees that their personal information was exposed in a scam that involved an e-mail phishing scheme.
  • In July 2016, hackers targeted computer servers of a grocery workers union pension plan, demanding a ransom in digital currency. The data included employee names, birthdates, Social Security numbers and bank information. 
  • In June 2016, more than 90 deferred-compensation retirement accounts of Chicago municipal employees were breached when hackers accessed secured personnel information and withdrew loans from 58 accounts. The city of Chicago paid about $2.6 million to restore the funds and to offer credit monitoring services to affected account holders.
  • In March 2016, a data breach at video messaging company Snapchat exposed payroll information of roughly 700 current and former employees, including their names, Social Security numbers and wage data.

While employers can’t completely eliminate cybersecurity risks, Schelberg says, “they can be managed.”

Steps to Safeguard Data

Schelberg, who co-authored the recent article “Cyberattacks on Benefit Plans: The Risks and Liabilities of Data Breaches,” advises plan sponsors to: 

  • Develop and implement a framework for addressing cybersecurity issues.
  • Address third-party vendor vulnerabilities that could add risk, especially with regard to the electronic transfer of sensitive data.
  • Back up information and store it off-network.
  • Augment passwords with multifactor authentication to access data systems.
  • Increase investment in security software and systems, and get boards of directors more involved in security matters.
  • Consider purchasing cyber-liability insurance.
Because it’s unclear whether state privacy and cybersecurity laws are pre-empted by the Employee Retirement Income Security Act (ERISA) when it comes to benefits plan data, make sure you’re aware of state statutes and adjust your practices accordingly, Schelberg advises.

Notification After a Breach

Most businesses that provide employees with self-funded health insurance benefits must comply with Health Insurance Portability and Accountability Act (HIPAA) privacy rules, even if they use a third-party administrator (although a plan with fewer than 50 participants that the employer administers itself is excluded from HIPAA’s definition of a health plan).

HIPAA’s Breach Notification Rule requires entities covered by the act and their business associates to inform people whose protected health information may have been compromised without unreasonable delay, and no later than 60 days after the breach is discovered, says Robert Projansky, a partner with Proskauer in New York City.

“While nothing is expressly required under ERISA regarding notification of employees following a data breach of personal information, ERISA does require the fiduciary of a benefit plan to act prudently in managing the plan’s assets,” Projansky says. Keeping this in mind, plan fiduciaries should:

  • Examine contracts with outside administrators concerning notification duties in the event of a security breach.
  • Look to state law notification requirements.

Benefits plans are affected by the laws of states where health plan enrollees or retirement plan participants live in addition to the state where the company is based or the plan is administered, experts say. Pension plans, for instance, could be impacted by security laws in any state in which a retiree or beneficiary resides.

State Regulations

Many state requirements go beyond minimizing cybersecurity risks to addressing identity and fraud protection more generally, such as:

  • Disposal laws that require businesses to take reasonable steps when disposing of sensitive personal information, such as by ensuring that the data is shredded or erased so it can’t be deciphered.
  • Social Security number legislation that prohibits businesses from publishing or making available individuals’ Social Security numbers.
  • Protection of medical information statutes, such as California’s Confidentiality of Medical Information Act, which requires that “each employer who receives medical information shall establish appropriate procedures to ensure the confidentiality and protection from unauthorized use and disclosure of that information.”
Since former employees and their dependents could reside anywhere, make sure to conduct a comprehensive state law analysis to determine a benefits plan’s legal requirements following a data breach, says Proskauer partner Kristen Mathews. 

However, “some state data breach notification laws defer to HIPAA breach notification procedures and do not require additional action where HIPAA applies and is followed,” she says.

The best way to protect your organization from a cyberattack—and stay out of the headlines—is to accurately assess your enterprise’s risk and adopt procedures to secure its data.

Stephen Miller, CEBS, is an online writer/editor for SHRM who focuses on compensation and benefits topics.

Illustration by Otto Steininger for HR Magazine.