Pension Breach Blamed on Third-Party Service Provider

Evaluate plan service providers' privacy and data-security risk procedures

By Joseph J. Lazzarotti © Jackson Lewis February 12, 2021

One of the last things pension plan participants wanted to learn as they got ready to celebrate the holidays last December was that personal data from their pension accounts may have been compromised. This was the case, unfortunately, for approximately 30,000 Now:Pensions customers whose names, postal and e-mail addresses, birth dates and National Insurance numbers (the U.K. equivalent of Social Security numbers) were stolen and posted online. According to reports, the U.K. company, which helps to administer millions of workplace pensions, attributed the incident to a third-party service provider.

Of course, the challenge of managing the cybersecurity risk of third-party service providers does not exist solely across the pond. During a recent SPARK Cybersecurity Virtual Event, Tim Hauser, deputy assistant secretary for national office operations at the U.S. Department of Labor's (DOL's) Employee Benefits Security Administration, observed:

When a plan fiduciary is hiring somebody who is going to be responsible for confidential, personal information, or who's going to be running systems to keep track of people's account balances and the like, there's a responsibility to make sure that you've hired that person prudently, that firm prudently…And if you think about plans and the universe I described, that's just shy of $11 trillion, and with personal health and pension data, there are a lot of tempting targets there and what we've seen in our own enforcement actions, especially in our criminal programs, vulnerabilities are taken advantage of.

According to Hauser, the DOL is developing guidance for plan sponsors in the U.S. that would cover cybersecurity issues and third-party service providers for retirement plans.

Just as so many other organizations affected by a breach experienced by one of their third-party service providers, Now:Pensions has provided notification to pension account holders and regulators. Reports indicate the breach occurred over a three-day period in mid-December and the compromised data had been obtained "by an unknown third party."

At this point, similarly situated organizations might be considering whether to move away from the service provider that caused the incident. There can be good reasons why that is not the best course of action. Regardless, one to-do item that should be a given following a breach like this is to revisit the procurement process for selecting service providers, update it as needed so that it appropriately addresses cybersecurity risk, and ensure it is prudently implemented.

ERISA Oversight Duties

When it comes to employee benefit plans subject to the Employee Retirement Income Security Act (ERISA), hiring a service provider is in and of itself a fiduciary function. When considering cybersecurity, there are a number of steps plan sponsors and administrators can take to prudently assess the data privacy and security capabilities of potential plan service providers. Some examples include:

  • Take the general threats and vulnerabilities of plan service providers into account when conducting the organization's enterprise data security risk assessment.
  • Meet with the service provider's IT lead, but also with others in the service provider's organization (legal, accounting, HR, sales, etc.). This will give you a better sense of the culture of privacy and security at the service provider.
  • Require the service provider to complete a detailed list of pointed data privacy and security questions, the answers to which should be actively evaluated by your IT team, counsel and/or consultant.
  • Ask about prior data security incidents and how they were handled.
  • Review the service provider's policies and procedures.
  • Require the service provider to submit to an independent data security audit or review, including penetration testing.
  • Ask the service provider about its data breach response plan and how often it is practiced. Plan to include the service provider when you practice your own response plan, and gauge its openness to that.

This is not an exhaustive list, and each step can be fleshed out more or less depending on the risk the service provider presents. In addition, it is appropriate to incorporate representations and additional protections concerning data privacy and security in the final services agreement.

The point is that because of the critical role service providers play and the information they have access to (which may include not just personal information but also company proprietary data), the measures taken to evaluate plan service providers' privacy and data security risk should happen at the procurement stage and on an ongoing basis, not just when a breach happens.

Joseph J. Lazzarotti is an attorney with Jackson Lewis in Morristown, N.J. © 2021 Jackson Lewis P.C. All rights reserved. Reposted with permission.


Related SHRM Articles:

Shore Up Benefits Cybersecurity During Open Enrollment, SHRM Online, September 2020

401(k) Plans: A Cybersecurity Afterthought, SHRM Online, February 2018

Guarding Benefit Plans from Cyberattacks, SHRM Online Benefits, July 2017

[SHRM members-only HR Q&A: How can I ensure my company protects personal employee information?]
