M4: Flashcards
Information that is a subset of health information, including demographic information collected from an individual and:
1) is created or received by a health care provider, health plan, employer, or health care clearinghouse
2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; that
(i) identifies the individual or
(ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Protected Health Information (PHI)
Defined by HIPAA
Using the same password for multiple clients
Data breach of a retirement plan
- Data management.
- Technology management.
- Service provider management.
- People issues/training.
4 major areas for effective practices and policies identified by the 2011 Council
The Advisory Council on Employee Welfare and Pension Benefit Plans
The ERISA Advisory Council
Cybercriminals encrypt/seize entire hard drives & hold for high ransom
Ransomware
Removing or retaining a service provider
A fiduciary act
Information that can be used to distinguish/trace an individual’s identity, such as their name, SSN, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.
PII
Defined by Office of Management and Budget (OMB)
A service provider involved with plan administration
Third-Party Administrator (TPA)
Where cyber criminals pretend to be senior executives asking employees to transfer funds.
Wire transfer e-mail fraud
This office has set definitions for PII
Office of Management and Budget (OMB)
Prescription disposals in a trash can
Data breach of a medical plan
4 common cyber threats
Ransomware
Phishing
Wire transfer e-mail fraud
Malware via external devices
Where intrusive and harmful software is stored on an external drive that is inserted into and executed on a network computer.
Malware via external devices
2015 Council focus
cyber security issues
Law that controls the way private information of individuals is treated
Gramm-Leach-Bliley Act
A section of ERISA that requires a fiduciary to discharge their duties
404(a)
Failure to install security system updates
A form of data breach identified in retirement plans
developing educational materials for plan sponsors, fiduciaries and their vendors; highlighting the need to focus on benefit plan cybersecurity in addition to enterprise cybersecurity.
2016 Council focus
Lost documents with PHI
Data breach of a medical plan
This agency requires personal data in benefit plans to be protected
Federal Trade Commission (FTC)
Where fraudulent emails are sent with the objective of enticing the user to interact and inadvertently provide an avenue for cyber-criminals to infiltrate a computer network.
Phishing
An individual’s name in combination with other data
Personal information
The organization that developed the Cybersecurity Framework
National Institute of Standards and Technology (NIST)
This case involved inadvertent exposure of personal medical information
GMR case
It issued 3 pieces of sub-regulatory guidance addressing the cybersecurity practices of retirement plan sponsors, their service providers & plan participants
Department of Labor (DOL)
1) Company and its owners are prohibited from misrepresenting the extent to which they maintain the privacy and security of consumers’ personal information.
2) They must establish a comprehensive information security program that will protect consumers’ sensitive personal information, including information the company provided to independent service providers.
3) Must have the program evaluated both initially and every 2 years by a certified third party.
4) As is typical of FTC enforcement actions, the settlement will remain in force for the next 20 years.
The settlement demonstrates that according to FTC, companies must be held to high standards with regard to third-party vendor management and oversight when it involves personal information.
Terms of the GMR settlement with FTC