4. Cybersecurity And Privacy Flashcards

1
Q

Discuss EB plans’ vulnerability to cyberattacks and other data breaches

A

EB plans are susceptible to data malfeasance because of the broad range of personal, identifiable info involved in plan admin and its potential market value. Healthcare systems & insurers appear to be at significant risk bc EHRs are valuable to criminals and the security measures protecting EHRs are often improperly implemented. Breaches are quite common, and significant costs are incurred when attacks succeed.

2
Q

What challenges do plan sponsors & fiduciaries confront in dealing with cyberattacks & other breaches?

A
  1. Limited resources
  2. Insufficient technical expertise
  3. Lack of clear standards

BP management folks rarely have cybersecurity expertise but are charged with protection of significant, sensitive individual data. Consulting experts can be prudent, but small firms might not have the resources/capacity to develop a customized, robust risk mgmt strategy, and may need to consider using cloud-based resources to offload security burdens to a cloud provider.

Alternatively, cyber insurance or other tools may be useful in designing a cost-effective program.

3
Q

The data elements that BPs typically maintain that are subject to regulatory oversight are classified as (2 options)

A
  1. PII = personally identifiable information
  2. PHI = HIPAA-defined Protected Health Information
4
Q

Define PII

A

Personally Identifiable Information is information that can be used to distinguish or trace an individual’s identity, such as their name, SSN, biometric records, etc., either alone or when combined with other personal or identifying info that is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

5
Q

Define PHI

A

Protected Health Information is a term derived from the HIPAA Privacy Rule standards, which address the use and disclosure of individuals’ health information. It is defined as a subset of health information, including demographic information collected from an individual, that:

  1. Is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse, and
  2. Relates to the past/present/future physical/mental health or condition of an individual; the provision of healthcare to an individual; or the past/present/future payment for the provision of healthcare to an individual; and i) identifies the individual OR ii) wrt which there is a reasonable basis to believe the info can be used to ID the individual
6
Q

What arrangements linked to EB plan admin are likely to increase privacy risks?

A

Plan sponsors assume greater privacy risks when providing sensitive personal data of participants to service providers for plan admin. This additional risk is unavoidable, since administering an EBP typically involves the assistance of service providers such as TPAs, outside payroll, benefits consultants, investment funds, investment advisors, and others. Service providers acting on behalf of EBPs collect & process large amounts of personal, medical, and financial info wrt participants & beneficiaries, including SSNs, email accounts, retirement assets & income figures. The collection and processing is done thru automated systems that rely on the internet, which calls for close monitoring of the way service providers manage the info.

7
Q

Describe the non-HIPAA compliance issues associated with the info accumulated by medical plans and their service providers

A

More than just HIPAA compliance is at stake with protecting the massive amount of info accumulated by med plans! A plan fiduciary cannot assume that service providers will handle all compliance obligations. Failure to identify & address privacy & security concerns with service providers may create exposure for ERISA fiduciaries.

Section 404a of ERISA requires a fiduciary to discharge their duties wrt a plan “solely in the interest of the participants and beneficiaries” and with “the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims.” Hiring a service provider to provide services to an ERISA-covered EBP is itself a fiduciary act, bc it req discretionary control or authority over plan admin. Similarly, removing/retaining a service provider is a fiduciary act.

8
Q

Describe an example of the cyber threat “Ransomware”

A

Cyber criminals encrypt and seize an entire hard drive and will only release it for a high ransom

9
Q

Describe an example of the cyber threat “phishing”

A

Fraudulent emails are sent with the objective of enticing the user to interact and inadvertently provide an avenue for a criminal to infiltrate a computer network

10
Q

Describe an example of the cyber threat “wire transfer email fraud”

A

Criminals pretend to be senior executives asking EEs to transfer funds

11
Q

Describe an example of the cyber threat “Malware via external devices”

A

Intrusive and harmful software is stored on an external drive that is inserted into and executed on a network computer

12
Q

Give 5 examples of data breaches that have occurred with retirement plans

A
  1. Failure to install security system updates
  2. Email hoax / phishing attack
  3. Downloads of plan info to a home computer
  4. SSNs mailed to wrong address
  5. Using the same password for multiple clients
13
Q

Give 5 examples of data breaches that have occurred with medical plans (HIPAA-covered entities)

A
  1. Unencrypted info on laptops
  2. Failure to implement physical safeguards at workstations
  3. Return of photocopiers without erasing data contained on hard drives
  4. Lost documents with PHI
  5. Disposal of Rx in trash containers accessible to the public
14
Q

What is meant by the cautionary statement, “You can outsource the work, but you cannot outsource the responsibility”?

A

The message is to be prudent in selecting service providers capable of protecting sensitive participant/Ben info, and to obligate providers by written contract to protect the info. It’s essential to get verification that the provider implements appropriate privacy/security systems, and that all groups with access to the plan’s sensitive personal info are obligated to protect that info. These relationships should be subject to substantially similar risk mgmt, security, privacy, and other policies that would be expected if the fiduciary were conducting the activities directly.

Following a data breach, regulators often review & evaluate the role of the service provider, the due diligence that was performed before the provider’s selection, and the contract provisions wrt privacy and data security obligations and responsibilities. Plan fiduciaries that fail to address these issues rigorously can be vulnerable on many fronts.

15
Q

What are key governing laws, enforcement actions, and industry standards requiring service provider management of regulated personal info? (5)

A
  1. HIPAA and its business associate reqs
  2. Federal Trade Commission (FTC) data security enforcement actions against company failures to oversee service providers with access to personal info
  3. State info sec laws requiring oversight of data-related service providers
  4. The Gramm-Leach-Bliley Act controlling the ways financial institutions deal with private information of individuals
  5. Payment Card Industry Data Security Standards
16
Q

How does HIPAA provide oversight?

A

HIPAA requires health plan sponsors to manage their plans in accordance with its data privacy and security rules.

In addition, HIPAA specifies rules for BAAs that plan sponsors enter into with TPAs and other service providers. BAAs establish each party’s obligations under HIPAA in connection with the plan’s HIPAA-protected info.

17
Q

According to the FTC website, its mission is to prevent biz practices that are anticompetitive, or deceptive/unfair to consumers, to enhance informed consumer choice and public understanding of the competitive process, and to accomplish this without unduly burdening legitimate biz activity.

How have FTC enforcement actions demonstrated what is expected from an employer that shares personal data with external service providers?

A

In a number of enforcement actions the FTC has critiqued companies for inadequate third-party management. The FTC now requires companies to:
  1. Exercise due diligence before hiring data-related service providers
  2. Have appropriate protections of personal info in their contracts with data-related service providers
  3. Take steps to verify and monitor that the data-related service providers are adequately protecting information

18
Q

Discuss the issues in the FTC service provider case against the provider of medical transcription services GMR Transcription Services, Inc.

A

The GMR case involved the inadvertent exposure of personal medical data maintained by GMR. The FTC concluded that GMR’s failure to adequately choose, contract with, and oversee a data service provider constituted an unfair and deceptive trade practice in violation of Section 5 of the FTC Act. According to the FTC complaint, GMR failed to adequately verify that its data service provider implemented reasonable and appropriate security measures to protect the personal info stored on the provider’s network & computers. Moreover, the FTC faulted GMR for failing, in contracting with its data service provider, to:
  1. Require the provider by contract to adopt and implement appropriate security measures to protect personal info
  2. Take adequate measures to monitor and assess whether the provider employed measures to appropriately protect personal info under the circumstances

The FTC additionally found GMR to be deficient in conducting due diligence before hiring its data service provider.

19
Q

What were the terms of the GMR settlement with the FTC?

A

GMR and its owners are prohibited from misrepresenting the extent to which they maintain the privacy & security of consumers’ personal info.

They must establish a comprehensive infosec program that will protect consumers’ sensitive personal info, including info the company provided to independent service providers.

The company must have the program evaluated both initially and every 2y by a certified third party.

Settlement lasts 20y.

This demonstrates that, according to the FTC, companies must be held to high standards with regard to TP vendor mgmt and oversight when it comes to personal info.

20
Q

What role have state AGs exercised in the sphere of privacy protection?

A

State AGs have required companies to incorporate vendor management programs in settlement agreements for violations under state consumer protection statutes.

In one case, 6 state AGs collectively entered into an agreement with one company to resolve the states’ investigation into whether the co had engaged in unlawful/deceptive trade practices in violation of statutes. As part of its settlement, and for the protection of its consumer info, the co was required to implement a privacy program that included taking reasonable steps to select & use only certain third-party service providers. Providers must either agree to comply with the company’s privacy policies & data sec protocols, or be subject to policies & protocols that are at least equivalent to the company’s.

Also, a number of states require all companies that process personal info of a resident of that state, regardless of the industry, to implement safeguards designed to protect such info. Under these state infosec laws, the term “personal information” generally is defined to include an individual’s name in combination with some other piece of data that could be used to commit fraud or ID theft, such as a payment card number, financial acct number, SSN, or other gov’t-issued identifier.

21
Q

What are the (5) steps that a plan fiduciary should consider when selecting and contracting with service providers? (Cybersecurity perspective)

A
  1. Define security obligations
  2. Identify reporting & monitoring responsibilities
  3. Conduct periodic risk assessments (ongoing monitoring, reviewing & updating of agreed-upon practices)
  4. Establish due diligence standards for vetting and monitoring providers based on the sensitivity of data being shared
  5. Consider whether the service provider has a cybersecurity program, how data is encrypted, liability for breaches, etc.
22
Q

During the due diligence process, the focus should be on what (8) main subject areas?

A
  1. What is the track record of the service provider? What are its resources?
  2. How will the service provider use the personal information?
  3. Where will the personal information be stored and processed?
  4. Does the service provider itself intend to use subcontractors, including its affiliates, and where are they located?
  5. What security does the service provider apply to personal information?
  6. Will the service provider utilize the security that the plan fiduciary requires based on its own obligations?
  7. What reporting does the service provider supply?
  8. What auditing is done (i.e., SOC 1 & SOC 2 reports)?

Robust documentation of due diligence may provide plan fiduciaries with a defensible record should a data breach occur and its service provider practices be challenged.

23
Q

Provide (10) examples of non commercial contracting issues that a service provider contract should address, related to privacy & data security

A
  1. Privacy & DS obligations should be separate from confidentiality obligations
  2. The service provider should agree to cooperate with the plan fiduciary to enable the plan fiduciary to meet its regulatory & legal obligations
  3. The service provider’s use of personal information must be limited as necessary to the delivery of the services
  4. As between service provider & plan fiduciary the plan fiduciary is the owner of the personal information
  5. The service provider’s use of subs should be subject to the plan fiduciary consent and subject to the provider’s obligation to flow-down privacy and data security obligations
  6. Security obligations should be detailed and added to the minimum security requirements as dictated by law
  7. The service provider’s reporting obligations should be specified wrt any compromise of personal data or compromise of any systems containing personal data
  8. The service provider should be required to reimburse the plan fiduciary for expenses, costs, and the like associated with any data breach occurring under its control
  9. The service provider’s auditing reqs must be specified
  10. The service provider’s obligations for data retention, disposal, and destruction should be consistent with the plan fiduciary’s regulatory obligations
24
Q

Describe risk allocation provisions that should be scrutinized in any contract bt a plan sponsor & service provider

A

Provisions related to privacy, DS, and confidentiality ought to be carefully scrutinized. They aren’t regulatory issues; they’re commercial issues indicative of the leverage & relationship bt the parties. 2 key issues:

  1. Whether damages for violations of confidentiality, privacy, and DS obligations are unlimited, or capped by a limitation of liability or by a special limitation of liability devoted to these issues (i.e., a “super cap”)
  2. Whether the recommended service provider’s full hold-harmless indemnity for 3rd party claims based on privacy/DS violations is unlimited or capped by a limitation of liability or a super cap.
25
Q

What (6) items should be considered when customizing a strategy to meet the challenges of EBP confronting cyber threats?

A
  1. Identify the data: how it is accessed, shared, stored, controlled, transmitted, secured, maintained
  2. Consider frameworks [a set of standards, guidelines, and practices arising from a combo of gov’t actions, gov’t-industry collab, and industry-based initiatives] as a basis for evaluating and developing a robust cybersecurity strategy
  3. Establish process considerations: protocols and policies covering testing, updating, reporting, training, data retention, 3rd-party risks, etc.
  4. Customize a strategy (resources, integration, cost, cyber insurance, etc.)
  5. Strike the right balance based on size, complexity, and overall risk exposure of the org
  6. Consider applicable state and federal laws
26
Q

Has the DOL issued any guidance re: cybersecurity for plan sponsors, EBP service providers, or plan participants/bens?

A

Yes: 3 pieces of subregulatory guidance addressing the cybersecurity practices of (1) retirement plan sponsors, (2) their service providers, and (3) plan participants.

While this subregulatory guidance doesn’t have the deferential authority of a reg subject to notice & comment (or arguably even the persuasive authority of an Advisory Opinion), it provides a window into DOL expectations of what the ERISA prudence standards require wrt cybersecurity matters.

27
Q

Describe how the 3 pieces of subreg guidance issued by the DOL generally apply to different audiences.

A
  1. “Tips for Hiring a Service Provider with Strong Cybersecurity Practices” -> provides guidance for plan fiduciaries when hiring a provider e.g. record keeper, trustee, or other provider that has access to a plan’s non public info.
  2. “Cybersecurity Program Best Practices” -> a collection of best practices for record keepers & other service providers, and may be viewed as a reference for plan fiduciaries when evaluating service providers’ practices
  3. “Online Security Tips” -> Advice for plan participants & bens
28
Q

According to the subreg guidance issued by the DOL, what sort of (7) steps should a plan fiduciary take in order to prudently hire an EBP service provider?

A

Think: 3ask / 2agreement / 1analysis

The guidance lists factors for biz owners & fiduciaries to consider when selecting RP service providers, and further provides that plan fiduciaries should hire service providers with strong data sec practices.

  1. Ask about the provider’s DS standard, practices, policies, and audit results. Benchmark vs. industry standards
  2. Analyze the provider’s sec standard and sec validation practices
  3. Confirm that the agreement with the provider permits the fiduciary to review cybersecurity compliance audit results
  4. Evaluate the provider’s track record in the industry (e.g. security incidents, litigation, etc.)
  5. Ask about past security events and responses
  6. Confirm that the service provider has adequate insurance covering losses relating to cybersecurity and ID theft events, including losses caused by internal threats (e.g., the provider’s EEs) and external threats (e.g., third-party fraudulent access of participant accounts)
  7. Ensure that the services agreement bt the plan fiduciary & service provider includes provisions requiring ongoing compliance with cybersecurity standards.
29
Q

The DOL directs 12 best practices that plan service providers should implement to mitigate exposure to cybersecurity risks in “Cybersecurity best practices.”

Fiduciaries should be aware of these, so they can make prudent decisions when hiring a provider.

Summarize the 12 practices.

A
  1. Have a formal program
  2. Assess risk annually
  3. Engage a 3rd party auditor annually to review controls
  4. Define and appropriately assign infosec roles at the organization
  5. Establish strong access control procedures (“need-to-access” principle)
  6. Subject cloud/3rd-party managed storage systems used by the provider to proper, independent security assessment
  7. Conduct periodic internal cybersecurity awareness training for all personnel, within your comprehensive program
  8. Implement SDLC program
  9. Build effective business resiliency program
  10. Implement prudent standards for encryption of sensitive non public info both while at rest and in transit
  11. Implement IT security control best practices (i.e., software/firmware/hardware updates, network segregation, routine data backup)
  12. Respond appropriately to cybersecurity incidents, including notifying law enforcement and the insurer, investigating, sharing appropriate info with participants, and fixing issues
30
Q

Summarize the DOL guidance entitled “Online Security Tips”

A
  • Informs plan participants & bens how to keep online info/account info safe
  • 9 recommended security tips, including MFA, current contact info, how to avoid phishing
  • Can be used by fiduciaries in edu outreach and to teach participants of their responsibility for precautions
31
Q

According to the subregulatory guidance issued by the DOL, how can plan fiduciaries enhance cybersecurity through the contractual terms they enter into with their service providers?

Contract stipulations are a means by which plan sponsors fulfill their fiduciary oversight responsibilities!

Specifically, negotiate regarding the use and sharing of confidential info:

A

Plan sponsors should specifically restrict their vendors from unauthorized use of information. Vendors should be obligated to keep private information secure and prevent any unauthorized access, disclosure, modification, or misuse of plan info.

32
Q

According to the subregulatory guidance issued by the DOL, how can plan fiduciaries enhance cybersecurity through the contractual terms they enter into with their service providers?

Contract stipulations are a means by which plan sponsors fulfill their fiduciary oversight responsibilities!

Specifically, negotiate regarding immediate notification of any and all cybersecurity breaches:

A

Vendors should be required to immediately report a cybersecurity incident or data breach to the plan sponsor. Furthermore, they should be req’d to cooperate in the investigation of such occurrences and be bound to remediate any determinable causes of such a breach.

33
Q

According to the subregulatory guidance issued by the DOL, how can plan fiduciaries enhance cybersecurity through the contractual terms they enter into with their service providers?

Contract stipulations are a means by which plan sponsors fulfill their fiduciary oversight responsibilities!

Specifically, negotiate regarding ongoing infosec reporting:

A

Besides reactive response to data breaches, there should be a proactive and ongoing attempt to monitor and improve security measures. This should entail at the very least an annual, 3rd-party audit of biz practices to ensure compliance with infosec procedures & policies. The results of such audits should be completely transparent and accessible to plan sponsors.

34
Q

According to the subregulatory guidance issued by the DOL, how can plan fiduciaries enhance cybersecurity through the contractual terms they enter into with their service providers?

Contract stipulations are a means by which plan sponsors fulfill their fiduciary oversight responsibilities!

Specifically, negotiate regarding abiding by all laws & policies regarding infosec, privacy, and records retention/destruction:

A

Several laws have been passed at the federal, state, and local levels re: infosec and personal privacy. Plan sponsors should include in their contractual provisions the req that 3rd-party vendors comply with all such laws, reg’s, directives, or other gov’t reqs.

35
Q

According to the subregulatory guidance issued by the DOL, how can plan fiduciaries enhance cybersecurity through the contractual terms they enter into with their service providers?

Contract stipulations are a means by which plan sponsors fulfill their fiduciary oversight responsibilities!

Specifically, negotiate regarding insurance:

A

Plan sponsors can require their vendors to procure specific insurance coverages, including cyber liability and privacy breach insurance.