Module 4 Flashcards
Cybersecurity and Privacy Concerns
1.1 Discuss employee benefit plans’ vulnerability to cyberattacks and other data breaches. (Text, pp. 117-118)
Employee benefit plans are susceptible to cyberattacks, identity theft and other forms of data malfeasance. Electronic health records are particularly valuable to cybercriminals, and the security measures for these records are often lacking, making breaches common.
1.2 What challenges do plan sponsors and fiduciaries confront in dealing with cyberattacks and other data breaches? (Text, pp. 134 and 149-150)
Plan sponsors and fiduciaries are challenged by limited resources, insufficient technical expertise and a lack of clear standards. Individuals responsible for benefit plans rarely have expertise in cybersecurity. Plan sponsors and fiduciaries may want to consider whether to consult with a cybersecurity expert when developing a cybersecurity strategy for their plans. Small firms do not have the resources or capacity to develop a customized, robust cybersecurity risk management strategy and may need to consider using cloud-based resources to offload cybersecurity burdens onto the cloud provider. Cyber insurance or other tools may be useful in designing a cost-effective program.
1.3 The data elements that benefit plans typically maintain and that are subject to regulatory oversight have been classified as (a) personally identifiable information (PII) and (b) protected health information (PHI). Define the terms. (Text, pp. 135-136)
(a) PII - information that can be used to distinguish or trace an individual’s identity, such as their name, Social Security number, biometric records, etc., either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.
(b) PHI (defined by HIPAA) - information that is a subset of health information, including demographic information collected from an individual, and:
(1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
1.4 What arrangements linked to employee benefit plan administration are likely to increase privacy risks? (Text, p. 118)
Plan sponsors assume greater privacy risks when providing sensitive personal data of participants to service providers for plan administration. This additional risk is unavoidable since administrators rely on third-party administrators (TPAs), outside payroll providers, benefits consultants, investment funds, investment advisors and others. Service providers collect and process large amounts of personal, medical and financial information with respect to participants and beneficiaries. Information stored includes Social Security numbers, email accounts, retirement assets and income figures. The collection and processing function is done through automated systems that rely upon the internet and thus call for close monitoring of the way service providers will manage this information.
1.5 Describe the non-HIPAA compliance issues associated with the information accumulated by medical plans and their service providers. (Text, p. 118)
More than just HIPAA compliance is at stake with protecting the massive amount of information accumulated by medical plans. A plan fiduciary cannot assume that service providers will handle all compliance obligations. Failure to identify and address privacy and security considerations with service providers may create exposure for Employee Retirement Income Security Act (ERISA) fiduciaries.
Section 404(a) of ERISA generally requires a fiduciary to discharge their duties with respect to a plan “solely in the interest of the participants and beneficiaries” and with “the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims.”
Hiring a service provider to provide services to an ERISA-covered employee benefit plan is itself a fiduciary act, because it requires discretionary control or authority over plan administration. Similarly, removing or retaining a service provider is a fiduciary act.
2.1 Provide examples of common cyberthreats in the environment where benefit plans operate. (Text, p. 133)
(a) Ransomware
Cybercriminals encrypt and seize an entire hard drive and will only release it for a high ransom
(b) Phishing
Fraudulent emails are sent with the objective of enticing the user to interact and inadvertently provide an avenue for a cybercriminal to infiltrate a computer network
(c) Wire transfer email fraud
Cybercriminals pretend to be senior executives asking employees to transfer funds
(d) Malware via external devices
Intrusive and harmful software is stored on an external drive that is inserted into and executed on a network computer.
2.2 List data breaches that have occurred with retirement plans. (Text, p. 119)
Data breaches that a government agency identified as having occurred with retirement plans are:
(a) Failure to install security system updates
(b) Email hoax (phishing attack)
(c) Downloads of plan information to a home computer
(d) Social Security numbers mailed to wrong addresses
(e) Using the same password for multiple clients.
2.3 List data breaches that have occurred with medical plans. (Text, p. 119)
Data breaches that a government agency identified as having occurred with medical plans as part of an audit of HIPAA-covered entities are:
(a) Unencrypted information on laptops
(b) Failure to implement physical safeguards at workstations
(c) Return of photocopiers without erasing data contained on hard drives
(d) Lost documents with PHI
(e) Disposal of prescriptions in trash containers accessible to the public.
2.4 What is meant by the cautionary statement “You can outsource the work, but you cannot outsource the responsibility”? (Text, p. 120)
It is a fiduciary responsibility to select responsible providers. These service provider relationships should be subject to substantially similar risk management, security, privacy and other protection policies that would be expected if the plan fiduciary were conducting the activities directly.
Following a data breach, regulators often review and evaluate the role of the service provider, the due diligence that was performed before selecting the service provider, and the contract provisions with respect to privacy and data security obligations and responsibilities. Plan fiduciaries that fail to address these issues in a rigorous manner can be vulnerable on many fronts.
3.1 What are key governing laws, enforcement actions and industry standards requiring service provider management of regulated personal information? (Text, p. 121)
(a) HIPAA and its business associate requirements
(b) Federal Trade Commission (FTC) data security enforcement actions against company failures to oversee service providers with access to personal information
(c) State information security laws requiring oversight of data-related service providers
(d) The Gramm-Leach-Bliley Act controlling the ways financial institutions deal with private information of individuals
(e) Payment Card Industry Data Security Standards.
3.2 How does HIPAA provide oversight? (Text, p. 136)
HIPAA requires health plan sponsors to manage their plans in accordance with its data privacy and security rules. In addition, HIPAA specifies rules for business associate agreements that plan sponsors enter with TPAs and other service providers. Business associate agreements establish each party’s obligations under HIPAA in connection with the plan’s HIPAA-protected information.
3.3 According to the FTC website, its mission is to prevent business practices that are anticompetitive or are deceptive or unfair to consumers, to enhance informed consumer choice and public understanding of the competitive process and to accomplish this without unduly burdening legitimate business activity. How have FTC enforcement actions demonstrated what is expected from an employer that shares personal data with external service providers? (Text, p. 121)
(a) Exercise due diligence before hiring data-related service providers
(b) Have appropriate protections of personal information in their contracts with data-related service providers
(c) Take steps to verify and monitor that the data-related service providers are adequately protecting the information.
3.4 Discuss the issues in the FTC service provider case against the provider of medical transcription services GMR Transcription Services, Inc. (Text, pp. 121-122)
The GMR case involved the inadvertent exposure of personal medical data maintained by GMR. FTC concluded that GMR’s failure to adequately choose, contract with and oversee a data service provider constituted an unfair and deceptive trade practice in violation of Section 5 of the Federal Trade Commission Act. According to the FTC complaint, GMR failed to adequately verify that its data service provider implemented reasonable and appropriate security measures to protect the personal information stored on the provider’s network and computers. Moreover, FTC faulted GMR for failures in contracting with its data service provider. FTC alleged that GMR failed to:
(a) Require the provider by contract to adopt and implement appropriate security measures to protect personal information
(b) Take adequate measures to monitor and assess whether the provider employed measures to appropriately protect personal information under the circumstances.
FTC additionally found GMR to be deficient in conducting due diligence before hiring its data service provider.
3.5 What were the terms of the GMR settlement with FTC? (Text, p. 122)
GMR and its owners are prohibited from misrepresenting the extent to which they maintain the privacy and security of consumers’ personal information. GMR must establish a comprehensive information security program that will protect consumers’ sensitive personal information, including information the company provided to independent service providers. The program must be evaluated both initially and every two years by a certified third party. As is typical of FTC enforcement actions, the settlement will remain in force for the next 20 years.
3.6 What role have state attorneys general exercised in the sphere of privacy protection? (Text, p. 122)
State attorneys general have required companies to incorporate vendor management programs in settlement agreements for violations under state consumer protection statutes. In one case, six state attorneys general collectively entered into an agreement with one company to resolve the states’ investigation into whether the company had engaged in any unlawful or deceptive trade practices in violation of the state consumer protection statutes. As part of its settlement agreement and for the protection of its consumer information, the company was required to implement a privacy program that included taking reasonable steps to select and use only certain third-party service providers. Those providers must either agree to comply with the company’s privacy policies and data security protocols or be subject to policies and protocols that are at least equivalent to those of the company.
Also, a number of states require all companies that process personal information of a resident of that state—regardless of industry—to implement safeguards designed to protect such information. Under these state information security laws, the term personal information generally is defined to include an individual’s name in combination with some other piece of data that could be used to commit fraud or identity theft, such as a payment card number, financial account number, Social Security number or any other government-issued identifier.