Module 4 Flashcards

Cybersecurity and Privacy Concerns

1
Q

1.1 Discuss employee benefit plans’ vulnerability to cyberattacks and other data breaches. (Text, pp. 117-118)

A

Employee benefit plans are susceptible to cyberattacks, identity theft and other forms of data malfeasance. Electronic health records are particularly valuable to cybercriminals, and the security measures for these records are often lacking, making breaches common.

2
Q

1.2 What challenges do plan sponsors and fiduciaries confront in dealing with cyberattacks and other data breaches? (Text, pp. 134 and 149-150)

A

Plan sponsors and fiduciaries are challenged by limited resources, insufficient technical expertise and a lack of clear standards. Individuals responsible for benefit plans rarely have expertise in cybersecurity, so plan sponsors and fiduciaries may want to consider consulting a cybersecurity expert when developing a cybersecurity strategy for their plans. Small firms lack the resources or capacity to develop a customized, robust cybersecurity risk management strategy and may need to consider cloud-based resources to shift part of the cybersecurity burden onto the cloud provider (the fiduciary duty to oversee that provider remains). Cyber insurance and other tools may be useful in designing a cost-effective program.

3
Q

1.3 The data elements that benefit plans typically maintain and that are subject to regulatory oversight have been classified as (a) personally identifiable information (PII) and (b) protected health information (PHI). Define the terms. (Text, pp. 135-136)

A

(a) PII - information that can be used to distinguish or trace an individual's identity, such as name, Social Security number or biometric records, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth or mother's maiden name.

(b) PHI (defined by HIPAA) - information that is a subset of health information, including demographic information collected from an individual, and:

(1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

4
Q

1.4 What arrangements linked to employee benefit plan administration are likely to increase privacy risks? (Text, p. 118)

A

Plan sponsors assume greater privacy risks when providing sensitive personal data of participants to service providers for plan administration. This additional risk is unavoidable, since administrators rely on third-party administrators (TPAs), outside payroll providers, benefits consultants, investment funds, investment advisors and others. Service providers collect and process large amounts of personal, medical and financial information about participants and beneficiaries, including Social Security numbers, email accounts, retirement assets and income figures. Collection and processing are done through automated, internet-connected systems, which calls for close monitoring of how service providers will manage this information.

5
Q

1.5 Describe the non-HIPAA compliance issues associated with the information accumulated by medical plans and their service providers. (Text, p. 118)

A

More than just HIPAA compliance is at stake with protecting the massive amount of information accumulated by medical plans. A plan fiduciary cannot assume that service providers will handle all compliance obligations. Failure to identify and address privacy and security considerations with service providers may create exposure for Employee Retirement Income Security Act (ERISA) fiduciaries.

Section 404(a) of ERISA generally requires a fiduciary to discharge their duties with respect to a plan “solely in the interest of the participants and beneficiaries” and with “the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims.”

Hiring a service provider to provide services to an ERISA-covered employee benefit plan is itself a fiduciary act, because it requires discretionary control or authority over plan administration. Similarly, removing or retaining a service provider is a fiduciary act.

6
Q

2.1 Provide examples of common cyberthreats in the environment where benefit plans operate. (Text, p. 133)

A

(a) Ransomware
Cybercriminals encrypt the victim's files or an entire drive and demand a high ransom in exchange for the decryption key

(b) Phishing
Fraudulent emails are sent with the objective of enticing the user to interact and inadvertently provide an avenue for a cybercriminal to infiltrate a computer network

(c) Wire transfer email fraud
Cybercriminals pretend to be senior executives asking employees to transfer funds

(d) Malware via external devices
Intrusive and harmful software is stored on an external drive that is inserted into and executed on a network computer.

7
Q

2.2 List data breaches that have occurred with retirement plans. (Text, p. 119)

A

Data breaches that a government agency identified as having occurred with retirement plans are:

(a) Failure to install security system updates

(b) Email hoax (phishing attack)

(c) Downloads of plan information to a home computer

(d) Social Security numbers mailed to wrong addresses

(e) Using the same password for multiple clients.

8
Q

2.3 List data breaches that have occurred with medical plans. (Text, p. 119)

A

Data breaches that a government agency identified as having occurred with medical plans as part of an audit of HIPAA-covered entities are:

(a) Unencrypted information on laptops

(b) Failure to implement physical safeguards at workstations

(c) Return of photocopiers without erasing data contained on hard drives

(d) Lost documents with PHI

(e) Disposal of prescriptions in trash containers accessible to the public.

9
Q

2.4 What is meant by the cautionary statement “You can outsource the work, but you cannot outsource the responsibility”? (Text, p. 120)

A

It is a fiduciary responsibility to select responsible providers. These service provider relationships should be subject to substantially similar risk management, security, privacy and other protection policies that would be expected if the plan fiduciary were conducting the activities directly.

Following a data breach, regulators often review and evaluate the role of the service provider, the due diligence that was performed before selecting the service provider, and the contract provisions with respect to privacy and data security obligations and responsibilities. Plan fiduciaries that fail to address these issues in a rigorous manner can be vulnerable on many fronts.

10
Q

3.1 What are key governing laws, enforcement actions and industry standards requiring service provider management of regulated personal information? (Text, p. 121)

A

(a) HIPAA and its business associate requirements

(b) Federal Trade Commission (FTC) data security enforcement actions against company failures to oversee service providers with access to personal information

(c) State information security laws requiring oversight of data-related service providers

(d) The Gramm-Leach-Bliley Act controlling the ways financial institutions deal with private information of individuals

(e) The Payment Card Industry Data Security Standard (PCI DSS).

11
Q

3.2 How does HIPAA provide oversight? (Text, p. 136)

A

HIPAA requires health plan sponsors to manage their plans in accordance with its data privacy and security rules. In addition, HIPAA specifies rules for business associate agreements that plan sponsors enter with TPAs and other service providers. Business associate agreements establish each party’s obligations under HIPAA in connection with the plan’s HIPAA-protected information.

12
Q

3.3 According to the FTC website, its mission is to prevent business practices that are anticompetitive or are deceptive or unfair to consumers, to enhance informed consumer choice and public understanding of the competitive process and to accomplish this without unduly burdening legitimate business activity. How have FTC enforcement actions demonstrated what is expected from an employer that shares personal data with external service providers? (Text, p. 121)

A

(a) Exercise due diligence before hiring data-related service providers

(b) Have appropriate protections of personal information in their contracts with data-related service providers

(c) Take steps to verify and monitor that the data-related service providers are adequately protecting the information.

13
Q

3.3 Discuss the issues in the FTC service provider case against the provider of medical transcription services GMR Transcription Services, Inc. (Text, pp. 121-122)

A

The GMR case involved the inadvertent exposure of personal medical data maintained by GMR. The FTC alleged that GMR's failure to adequately choose, contract with and oversee a data service provider constituted an unfair or deceptive act or practice in violation of Section 5 of the Federal Trade Commission Act. According to the FTC complaint, GMR failed to adequately verify that its data service provider implemented reasonable and appropriate security measures to protect the personal information stored on the provider's network and computers. Moreover, the FTC faulted GMR for failures in contracting with its data service provider. The FTC alleged that GMR failed to:

(a) Require the provider by contract to adopt and implement appropriate security measures to protect personal information

(b) Take adequate measures to monitor and assess whether the provider employed measures to appropriately protect personal information under the circumstances.

FTC additionally found GMR to be deficient in conducting due diligence before hiring its data service provider.

14
Q

3.5 What were the terms of the GMR settlement with FTC? (Text, p. 122)

A

GMR and its owners are prohibited from misrepresenting the extent to which they maintain the privacy and security of consumers' personal information. GMR must establish a comprehensive information security program that will protect consumers' sensitive personal information, including information the company provides to independent service providers. The program must be evaluated both initially and every two years by a certified third party. As is typical of FTC enforcement actions, the settlement will remain in force for 20 years.

15
Q

3.6 What role have state attorneys general exercised in the sphere of privacy protection? (Text, p. 122)

A

State attorneys general have required companies to incorporate vendor management programs in settlement agreements for violations under state consumer protection statutes. In one case, six state attorneys general collectively entered into an agreement with one company to resolve the states’ investigation into whether the company had engaged in any unlawful or deceptive trade practices in violation of the state consumer protection statutes. As part of its settlement agreement and for the protection of its consumer information, the company was required to implement a privacy program that included taking reasonable steps to select and use only certain third-party service providers. Those providers must either agree to comply with the company’s privacy policies and data security protocols or be subject to policies and protocols that are at least equivalent to those of the company.

Also, a number of states require all companies that process personal information of a resident of that state—regardless of industry—to implement safeguards designed to protect such information. Under these state information security laws, the term personal information generally is defined to include an individual’s name in combination with some other piece of data that could be used to commit fraud or identity theft, such as a payment card number, financial account number, Social Security number or any other government-issued identifier.

16
Q

4.1 What are the steps that a plan fiduciary should consider when selecting and contracting with service providers? (Text, pp. 122-125)

A

(a) Define security obligations.

(b) Identify reporting and monitoring responsibilities.

(c) Conduct periodic risk assessments (ongoing monitoring, reviewing and updating of agreed-upon practices).

(d) Establish due diligence standards for vetting and tiering providers based on the sensitivity of data being shared.

(e) Consider whether the service provider has a cybersecurity program, how data is encrypted, liability for breaches, etc.

17
Q

4.2 During the due diligence process, the focus should be on what main subject areas? (Text, pp. 123-124)

A

(a) What is the track record of the service provider? What are its resources?

(b) How will the service provider use the personal information?

(c) Where will the personal information be stored and processed?

(d) Does the service provider itself intend to use subcontractors, including its affiliates, and where are they located?

(e) What security does the service provider apply to personal information?

(f) Will the service provider utilize the security that the plan fiduciary requires based on its own obligations?

(g) What reporting does the service provider supply?

(h) What auditing is done (e.g., Service Organization Controls (SOC) 1 and SOC 2 reports)?

Robust documentation of due diligence may provide plan fiduciaries with a defensible record should a data breach occur and its service provider practices be challenged.

18
Q

4.3 Provide examples of noncommercial contracting issues that a service provider contract should address related to privacy and data security. (Text, p. 124)

A

(a) Privacy and data security obligations should be separate from confidentiality obligations.

(b) The service provider should agree to cooperate with the plan fiduciary to enable the plan fiduciary to meet its regulatory and legal obligations.

(c) The service provider’s use of personal information must be limited as necessary to the delivery of the services.

(d) As between service provider and the plan fiduciary, the plan fiduciary is the owner of the personal information.

(e) The service provider’s use of subcontractors should be subject to the plan fiduciary’s consent and subject to the service provider’s obligation to flow-down privacy and data security obligations.

(f) Security obligations should be detailed and added to the minimum security requirements as dictated by law.

(g) The service provider’s reporting obligations should be specified with respect to any compromise of personal data or compromise of any system(s) containing personal data.

(h) The service provider should be required to reimburse the plan fiduciary for expenses, costs and the like associated with any data breach occurring under its control.

(i) The service provider’s auditing requirements must be specified.

(j) The service provider’s obligations for data retention, disposal and destruction should be consistent with the plan fiduciary’s regulatory obligations.

19
Q

4.4 Describe risk allocation provisions that should be scrutinized in any contract between a plan sponsor and a service provider. (Text, p. 125)

A

These are not regulatory issues; rather, they are commercial issues indicative of the leverage and relationship between the parties. Among these issues are:

(1) Whether damages for violations of confidentiality, privacy and data security obligations are unlimited or capped by a limitation of liability or by a special limitation of liability devoted to these issues (i.e., a super cap)

(2) Whether the service provider's full hold-harmless indemnity for third-party claims based on privacy and data security violations (the recommended position) is unlimited or capped by a limitation of liability or by a super cap.

20
Q

4.5 What items should be considered when customizing a strategy to meet the challenges of employee benefit plans confronting cyberthreats? (Text, pp. 145-149)

A

(a) Identify the data (how it is accessed, shared, stored, controlled, transmitted, secured and maintained).

(b) Consider frameworks (a set of standards, guidelines and practices arising from a combination of government actions, government-industry collaboration and industry-based initiatives) as a basis for evaluating and developing a robust cybersecurity strategy.

(c) Establish process considerations (protocols and policies covering testing, updating, reporting, training, data retention, third-party risks, etc.).

(d) Customize a strategy (resources, integration, cost, cyberinsurance, etc.).

(e) Strike the right balance based on size, complexity and overall risk exposure of the organization.

(f) Consider applicable state and federal laws.

21
Q

5.1 Has the Department of Labor (DOL) issued any guidance regarding cybersecurity for plan sponsors, employee benefit plan service providers, or plan participants and beneficiaries? (Text, p. 165)

A

The DOL issued three pieces of subregulatory guidance addressing the cybersecurity practices of retirement plan sponsors, their service providers and plan participants, respectively. While this subregulatory guidance does not have the deferential authority of a regulation subject to notice and comment—or arguably even the persuasive authority of an Advisory Opinion—the guidance provides a window into DOL expectations of what the ERISA prudence standards require with respect to cybersecurity matters.

22
Q

5.2 Describe how the three pieces of subregulatory guidance issued by the DOL generally apply to different audiences. (Text, p. 166)

A

Each of the three new pieces of guidance generally addresses a different audience.

  1. Tips for Hiring a Service Provider with Strong Cybersecurity Practices, provides guidance for plan fiduciaries when hiring a service provider such as a recordkeeper, trustee or other provider that has access to a plan’s nonpublic information.
  2. Cybersecurity Program Best Practices, is, as the name indicates, a collection of best practices for recordkeepers and other service providers and may be viewed as a reference for plan fiduciaries when evaluating service providers’ cybersecurity practices.
  3. Online Security Tips, contains online security advice for plan participants and beneficiaries.

23
Q

5.3 According to the subregulatory guidance issued by the DOL, what sort of steps should a plan fiduciary take in order to prudently hire an employee benefit plan service provider? (Text, pp. 166-167)

A

According to the subregulatory guidance issued by the DOL, plan sponsors should take certain steps to prudently hire an employee benefit plan service provider. Tips for Hiring a Service Provider outlines factors for business owners and fiduciaries to consider when selecting retirement plan service providers and further provides that plan fiduciaries should hire service providers with strong data security practices. More specifically, this guidance recommends the following steps that a plan fiduciary should take when hiring a service provider:

(a) Ask about the service provider’s data security standards, practices, policies and audit results, and benchmark those against industry standards.

(b) Analyze the service provider’s security standards and security validation practices.

(c) Confirm that the agreement with the service provider permits the plan fiduciary to review cybersecurity compliance audit results.

(d) Evaluate the service provider’s track record in the industry (e.g., security incidents, litigation, etc.).

(e) Ask about past security events and responses.

(f) Confirm that the service provider has adequate insurance covering losses relating to cybersecurity and identity theft events, including losses caused by internal threats (e.g., the service provider’s employees) and external threats (e.g., third-party fraudulent access of participant accounts).

(g) Ensure that the services agreement between the plan fiduciary and the service provider includes provisions requiring ongoing compliance with cybersecurity standards.

24
Q

5.4 Specifically what does the DOL recommend as (12) best practices that plan service providers should implement to mitigate exposure to cybersecurity risks? (Text, pp. 167-170)

A

The second piece of DOL guidance, Cybersecurity Program Best Practices, was directed at ERISA plan recordkeepers and other service providers. The guidance summarizes 12 best practices that plan service providers should implement to mitigate exposure to cybersecurity risks. The DOL points out that plan fiduciaries should be aware of these best practices to enable them to make prudent decisions when hiring a service provider. The 12 best practices described in this guidance indicate that service providers should:

(1) Have a formal, well-documented cybersecurity program that consists of policies and procedures designed to protect the infrastructure, information systems and data from unauthorized access and other malicious acts by enabling the service provider to (i) identify the risks, (ii) protect the assets, (iii) detect and respond to cybersecurity events, (iv) recover from cybersecurity events, (v) appropriately disclose the event and (vi) restore normal operations.

(2) Design and codify annual risk assessments that help identify, estimate and prioritize risks to the information systems.

(3) Have a third-party auditor assess the service provider’s security controls on an annual basis. The DOL indicated that as part of its review of an effective audit program, the DOL would expect to see, among other things, audit reports and audit files prepared and conducted in accordance with appropriate standards, penetration test reports, and documented correction of any weaknesses.

(4) Clearly define and assign information security roles and responsibilities, with management of the cybersecurity program at the senior executive level and execution of the cybersecurity program by qualified personnel who have sufficient experience and certifications, undergo background checks, receive regular updates and training on current cybersecurity risks, and have current knowledge of changing threats and countermeasures.

(5) Have strong access control procedures, including limiting access to authorized users; limiting access privileges based on role and the “need-to-access” principle; establishing a policy to review access privileges every three months; requiring unique, complex passwords; using multifactor authentication wherever possible; establishing policies, procedures and controls to monitor authorized users and detect unauthorized access; establishing procedures to ensure that participant or beneficiary sensitive information in the service provider’s records matches the plan’s information; and confirming the identity of authorized fund recipients.

(6) Ensure that any cloud or third-party managed storage system used by the service provider to service the plan is subject to proper security reviews and independent security assessments.

(7) Conduct periodic cybersecurity awareness training for all personnel pursuant to a comprehensive program that sets clear cybersecurity expectations and educates everyone to recognize sources of attack, help prevent incidents and respond to threats. The DOL notably emphasized identity theft—individuals posing as plan officials, fiduciaries, participants or beneficiaries—as a leading cause of fraudulent distributions that should be considered a key topic of training.

(8) Implement and manage a secure system development life cycle (SDLC) program addressing both in-house developed applications and externally developed applications and that includes activities such as penetration testing, code review and architecture analysis.

(9) Have an effective business resiliency program that addresses business continuity, disaster recovery and incident response and allows for the organization to maintain continuous operations and safeguard people, assets and data during periods of disruption.

(10) Implement current, prudent standards for the encryption of sensitive nonpublic information both while it is at rest and while in transit.

(11) Implement technical security controls consistent with best security practices, including hardware, software and firmware that is kept up to date; firewalls and intrusion detection and prevention tools; current and updated antivirus software; routine patch management (preferably automated); network segregation; system hardening; and routine data backup (preferably automated).

(12) Respond appropriately to cybersecurity incidents that have occurred, including notifying law enforcement, notifying the appropriate insurer, investigating the incident, giving affected plans and participants information to prevent or mitigate harm, honoring contractual or legal obligations, and fixing any problems that would prevent recurrence.
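Best practice (5) above (role-based, need-to-access privileges, multifactor authentication and a privilege review every three months) is the one a service provider can most directly turn into a recurring, scriptable control. The following is an added example, not code from the DOL guidance or the text: a quarterly access-review check run over a small constructed export of user accounts. The role-to-privilege allowlist, the field names (role, privileges, mfa_enabled, last_review, last_login) and the sample accounts are all assumptions standing in for a real identity-provider or recordkeeping-system export.

```python
"""Quarterly access-review check (added example, not DOL or textbook code).

The sample records below are constructed; their field names and the
role-to-privilege allowlist are assumptions standing in for a real
identity-provider export and the provider's own access policy.
"""
from datetime import date, timedelta

# Assumed allowlist: the privileges each role needs ("need-to-access" principle).
ROLE_ALLOWLIST = {
    "recordkeeper": {"view_participant", "edit_participant"},
    "payroll": {"view_participant", "upload_payroll"},
    "auditor": {"view_participant", "read_audit_log"},
    "disbursement": {"view_participant", "approve_distribution"},
}
REVIEW_INTERVAL = timedelta(days=90)  # DOL practice (5): review privileges every three months
DORMANT_AFTER = timedelta(days=90)    # assumed threshold for flagging unused accounts
REVIEW_DATE = date(2024, 7, 1)        # the day this review is run (constructed)

SAMPLE_ACCOUNTS = [  # constructed sample export
    {"user": "alice", "role": "recordkeeper",
     "privileges": {"view_participant", "edit_participant"},
     "mfa_enabled": True, "last_review": date(2024, 5, 1), "last_login": date(2024, 6, 28)},
    {"user": "bob", "role": "payroll",
     "privileges": {"view_participant", "upload_payroll", "approve_distribution"},
     "mfa_enabled": True, "last_review": date(2024, 6, 1), "last_login": date(2024, 6, 30)},
    {"user": "carol", "role": "auditor",
     "privileges": {"view_participant", "read_audit_log"},
     "mfa_enabled": False, "last_review": date(2024, 1, 15), "last_login": date(2024, 2, 2)},
    {"user": "dave", "role": "contractor",
     "privileges": {"view_participant"},
     "mfa_enabled": True, "last_review": date(2024, 6, 20), "last_login": date(2024, 6, 29)},
]


def review_account(acct, today):
    """Return the list of findings for one account; an empty list means clean."""
    findings = []
    allowed = ROLE_ALLOWLIST.get(acct["role"])
    if allowed is None:
        # A role with no defined privilege set cannot be checked against need-to-access.
        findings.append(f"role '{acct['role']}' has no defined privilege set")
    else:
        excess = acct["privileges"] - allowed
        if excess:
            findings.append("privileges beyond role: " + ", ".join(sorted(excess)))
    if not acct["mfa_enabled"]:
        findings.append("MFA not enabled")
    since_review = today - acct["last_review"]
    if since_review > REVIEW_INTERVAL:
        findings.append(f"access not reviewed in {since_review.days} days")
    if today - acct["last_login"] > DORMANT_AFTER:
        findings.append("dormant account (no login in 90 days)")
    return findings


def run_access_review(accounts, today):
    """Map user -> findings for every account with at least one finding."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[acct["user"]] = findings
    return report


def sample_report():
    """Run the review over the constructed sample as of REVIEW_DATE."""
    return run_access_review(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for user, findings in sample_report().items():
        print(user)
        for finding in findings:
            print("  -", finding)
```

On the constructed data the review flags bob's approve_distribution privilege as exceeding the payroll role, carol for missing MFA, an overdue review and dormancy, and dave because the contractor role has no defined privilege set at all; alice is clean. In practice the output of such a script is the evidence a fiduciary would expect to see when asking a provider how its quarterly privilege review is performed (question 5.3, item (a)).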

25
Q

5.5 Summarize the third piece of DOL guidance titled Online Security Tips. (Text, pp. 170-171)

A

The third piece of DOL guidance, Online Security Tips, informs plan participants and beneficiaries of ways to keep their online information and account information safe. It contains nine recommended security tips including the use of multifactor authentication, keeping contact information current and avoiding phishing attacks. These tips can be used by plan fiduciaries in educational and outreach efforts to convey to plan participants and beneficiaries that they also bear responsibility for ensuring they are taking precautions to secure their plan benefits from external threats.

26
Q

5.6 According to the subregulatory guidance issued by the DOL, how can plan fiduciaries enhance cybersecurity through the contractual terms they enter into with their service providers? (Text, p. 174)

A

A key point of emphasis within the guidance dealing with third-party vendors is the critical role that contractual provisions play in ensuring cybersecurity best practices. Stipulating requirements through contractual obligation is a means by which plan sponsors fulfill their fiduciary oversight responsibilities. Among the areas where plan sponsors can negotiate terms in their vendor contracts are the following:

  1. Details restricting the use and sharing of confidential information.

Plan sponsors should specifically restrict their vendors from unauthorized use of information. Vendors should be obligated to keep private information secure and to prevent any unauthorized access, disclosure, modification or misuse of plan information.

  2. Immediate notification of any and all cybersecurity breaches.

Vendors should be required to immediately report a cybersecurity incident or data breach to the plan sponsor. Furthermore, they should be required to cooperate in the investigation of such occurrences and be bound to remediate any determinable causes of such a breach.

  3. Ongoing information security reporting.

Besides reactive response to data breaches, there should be a proactive and ongoing effort to monitor and improve security measures. This should entail at the very least an annual, third-party audit of business practices to ensure compliance with information security procedures and policies. The results of such audits should be completely transparent and accessible to plan sponsors.

  4. Abiding by all laws and policies regarding information security, privacy, and records retention and destruction.

Several laws have been passed at the federal, state and local levels regarding information security and personal privacy. Plan sponsors should include in their contractual provisions the requirement that third-party vendors comply with all such laws, regulations, directives or other governmental requirements.

  5. Insurance.

Plan sponsors can require their vendors to procure specific insurance coverages, including cyberliability and privacy breach insurance.