Equifax Breach Raises Concerns About Employees’ Personal Data

401(k) accounts may be at risk

By Allen Smith Sep 18, 2017

​Employers should coordinate with their third-party administrators (TPAs) so that the TPAs notify plan participants of the potential vulnerability of their 401(k) accounts, which cyberthieves might target following the Equifax data breach, according to one cybercrime expert.

Others note that because Equifax isn't the only entity with sensitive data, this is a reminder for employers to shore up their safeguards for employees' personal information, which may mean instituting employee training.

The cybersecurity incident at consumer credit reporting agency Equifax, announced Sept. 7, affected 143 million U.S. consumers, noted Edward McAndrew, an attorney with Ballard Spahr in Philadelphia and former cybercrime prosecutor for the Department of Justice. Compromised information included names, Social Security numbers, birth dates, addresses and in some instances driver's license numbers, among other information such as credit card numbers.

The TPAs should notify employees to monitor their account statements for fraudulent activity and start using multifactor authentication to access their accounts, McAndrew said. HR shouldn't provide the notice itself or it will get inundated with questions from employees about Equifax's breach, he said.

Employers also should be wary of checking credit as a condition for employment, he said. If they do rely on credit checks, "that's a substantial concern going forward," he noted. The score might be low because a criminal stole a job applicant's identifying information, set up loans or credit card accounts using the applicant's identity, and then did not pay those loans or credit card bills.

Robert Siciliano, CSP, CEO of IDTheftSecurity.com in Boston, agreed that plan participants should monitor their 401(k) plans for fraudulent activity. He, too, said that multifactor access is a good idea, noting that it has been a practice recommended by the U.S. Federal Financial Institutions Examination Council since 2005.

But he said that "it's a leap" to assume 401(k) plans are now more vulnerable. The information hacked at Equifax wouldn't be enough on its own to access 401(k) plans, he said. Instead, employees would need to be conned into divulging more sensitive information, such as who the employee's financial analyst is or the answers to security questions, for the 401(k) plans to be accessed. Most of the time, scammers get such additional information by telephone or e-mail.

Siciliano said that new-account fraud, such as when a cyberthief gets a credit card or loan with stolen credit information, is the main risk of the data breach because this is "the low-hanging fruit."

Protecting Your Employees’ Personal Information

  • Your third-party administrator for your 401(k) should notify employees to monitor their account statements for fraudulent activity and start using multifactor authentication to access their accounts.
  • Be wary of checking credit as a condition for employment—the credit check might include fraudulent activity.
  • Tell employees to keep an eye out for new account fraud, such as getting a credit card or a loan.
  • Train employees on how to spot and avoid phishing attempts.
  • Record the least amount of confidential information possible.
  • Confirm that vendors have adequate information security.
  • Share information about threats to your information systems with the federal government, which will alert other companies.

Employee Training

Like Equifax, employers have much personal information about their workers that may be vulnerable to being hacked, noted Amar Sarwal, vice president and chief legal strategist for the Association of Corporate Counsel in Washington, D.C., who recommended employee training as one way to beef up cybersecurity protections.

Employees sometimes click on phishing links, Sarwal said. They may download malware without realizing its dangers. And employees may leave laptops or personal devices used for work in public places, where they are exposed to hacking.

Social Security, driver's license or passport numbers may be on Forms I-9. Use of direct deposit means that employers have employees' bank account information. Plan sponsors may have protected health information.

To conduct background screening, employers will have information known as personal identifying information (PII). PII is requested from an applicant at various points in the job application process and may include some combination of the following: legal name, date of birth, Social Security number and driver's license number, noted Adam Temple, a spokesman for the National Association of Professional Background Screeners.

If employees do personal banking on an office computer, the employer has that account information in its system for hackers to potentially access.

Employees may be the cyberthieves themselves, a risk that may be the greatest when employees leave organizations.

Employers "shouldn't think hacks happen only to credit bureaus," Sarwal noted. "There's a bond between employers and employees that [assumes] the employer will keep sensitive information confidential."

'Record the Least Amount of Confidential Information Possible'

"Hackers are always looking for evergreen information like Social Security numbers, health data, and any other personal or confidential information that has a long or no expiration date, as opposed to credit card numbers, which are worth very little after a month," assuming the credit card fraud is caught on monthly statements, said Stu Sjouwerman, founder and CEO of KnowBe4, a security company in Clearwater, Fla.

"Employers should record the least amount of confidential information possible, however improbable and counterintuitive that sounds," he said. "The drawback of losing large amounts of confidential personal data is massive class-action lawsuits."

Check with Vendors

Confirm that payroll and health insurance vendors have adequate information security, Sarwal cautioned. A vendor agreement also should include provisions related to security breach notification, including who pays for it.

Employers will want to make sure vendors abide by the best security standards out there, which he described as ISO 27001, an information security management system, and that they adhere to guidelines from the National Institute of Standards and Technology.

"These standards are only requiring certain security controls to be in place to make life difficult but not impossible for hackers," Sjouwerman said. "HR needs to work with IT and legal and create a detailed security questionnaire that [the] vendor needs to fill out before a purchase order gets approved. There are templates out there to make this not too much work."

Sharing Information with the Government

In the past, employers have feared that if they shared information about a data breach with the government, they would open themselves to liability. But now with the Cybersecurity Information Sharing Act of 2015, companies have more protection from liability when sharing information about threats to their systems with the federal government, which alerts other companies, Sarwal noted.

Employers need to keep up with the most recent data breaches, he said. "You can't get up to a certain level of security protection and call it quits. Hackers constantly are innovating, and employers have to innovate, too."
