Module 4 Cybersecurity and Privacy Concerns Flashcards

1
Q

How are employee benefit plans vulnerable to cyberattacks?

A

broad range of personally identifiable information involved in plan administration and its potential market value

2
Q

What challenges do plan sponsors and fiduciaries confront in dealing with cyberattacks and other data breaches?

A

limited resources, insufficient technical expertise, and lack of clear standards

3
Q

What is the definition of personally identifiable information (PII)?

A

information that can be used to distinguish or trace an individual’s identity such as their name, social, biometric records, date of birth, place of birth, mother’s maiden name, etc.

4
Q

What is the definition of protected health information (PHI)?

A

information that is a subset of health information, including demographic information collected from an individual, that is created or received by a health care provider, health plan, employer, or health care clearinghouse; relates to the past, present, or future physical or mental health or condition of an individual; and identifies the individual

5
Q

When is there an increase in privacy risks when administering benefit plans?

A

when providing sensitive personal data of participants to service providers for plan administration

6
Q

What are the non-HIPAA compliance issues associated with the information accumulated by medical plans and their service providers?

A

hiring a service provider to provide services to an ERISA-covered employee benefit plan is itself a fiduciary act, because it requires discretionary control or authority over plan administration

7
Q

What are some examples of common cyberthreats in the environment where benefit plans operate?

A

1) ransomware
2) phishing
3) wire transfer email fraud
4) malware via external devices

8
Q

What data breaches have occurred with retirement plans?

A

1) failure to install security system updates
2) email hoax (phishing attack)
3) downloads of plan information to a home computer
4) social security numbers mailed to wrong addresses
5) using the same password for multiple clients

9
Q

What data breaches have occurred with medical plans?

A

1) unencrypted information on laptops
2) failure to implement physical safeguards at workstations
3) return of photocopiers without erasing data contained on hard drives
4) lost documents with PHI
5) disposal of prescriptions in trash containers accessible to the public

10
Q

What does ‘you can outsource the work, but you cannot outsource the responsibility’ mean?

A

be prudent in selecting service providers capable of protecting sensitive participant and beneficiary information and to obligate the providers, by written contract, to protect the information

11
Q

What are key governing laws, enforcement actions and industry standards requiring service provider management of regulated personal information?

A

1) HIPAA and its business associate requirements
2) Federal Trade Commission (FTC) data security enforcement actions against companies that failed to oversee service providers with access to personal information
3) state information security laws requiring oversight of data-related service providers
4) the Gramm-Leach-Bliley Act controlling the ways financial institutions deal with private information of individuals
5) Payment Card Industry Data Security Standards

12
Q

How does HIPAA provide oversight?

A

HIPAA requires health plan sponsors to manage their plans in accordance with its data privacy and security rules

13
Q

How have FTC enforcement actions demonstrated what is expected from an employer that shares personal data with external service providers?

A

The FTC is now requiring companies to:

1) exercise due diligence before hiring data-related service providers
2) have appropriate protections of personal information in their contracts with data-related service providers
3) take steps to verify and monitor that the data-related service providers are adequately protecting the information

14
Q

What are the issues in the FTC service provider case against the medical transcription services provider GMR Transcription Service, Inc.?

A

GMR failed to adequately verify that its data service provider implemented reasonable and appropriate security measures to protect the personal information stored on the provider’s network and computers.
GMR failed to:
1) require the provider by contract to adopt and implement appropriate security measures to protect personal information
2) take adequate measures to monitor and assess whether the provider employed measures to appropriately protect personal information under the circumstances

15
Q

What were the terms of the GMR settlement with FTC?

A

1) GMR and its owners are prohibited from misrepresenting the extent to which they maintain the privacy and security of consumers’ personal information
2) they must establish a comprehensive information security program that will protect consumers’ sensitive personal information, including information the company provided to independent service providers
3) the company must have the program evaluated both initially and every two years by a certified third party
4) the settlement will remain in force for the next 20 years

16
Q

What role have state attorneys general exercised in the sphere of privacy protection?

A

they have required companies to incorporate vendor management programs in settlement agreements for violations under state consumer protection statutes

17
Q

What are the steps that a plan fiduciary should consider when selecting and contracting with service providers?

A

1) define security obligations
2) identify reporting and monitoring responsibilities
3) conduct periodic risk assessments
4) establish due diligence standards for vetting and tiering providers based on the sensitivity of data being shared
5) consider whether the service provider has a cybersecurity program, how data is encrypted, liability for breaches, etc.

18
Q

During the due diligence process, the focus should be on what main subject areas?

A

1) What is the track record of the service provider? What are its resources?
2) How will the service provider use the personal information?
3) Where will the personal information be stored and processed?
4) Does the service provider itself intend to use subcontractors, including its affiliates, and where are they located?
5) What security does the service provider apply to personal information?
6) Will the service provider utilize the security that the plan fiduciary requires based on its own obligations?
7) What reporting does the service provider supply?
8) What auditing is done?

19
Q

What are some examples of noncommercial contracting issues that a service provider contract should address related to privacy and data security?

A

1) Privacy and data security obligations should be separate from confidentiality obligations
2) The service provider should agree to cooperate with the plan fiduciary to enable the plan fiduciary to meet its regulatory and legal obligations
3) the service provider’s use of personal information must be limited as necessary to the delivery of the services
4) as between service provider and the plan fiduciary, the plan fiduciary is the owner of the personal information
5) the service provider’s use of subcontractors should be subject to the plan fiduciary’s consent and subject to the service provider’s obligation to flow down privacy and data security obligations
6) security obligations should be detailed and added to the minimum security requirements as dictated by law
7) the service provider’s reporting obligations should be specified with respect to any compromise of personal data or compromise of any system(s) containing personal data
8) the service provider should be required to reimburse the plan fiduciary for expenses, costs, and the like associated with any data breach occurring under its control
9) the service provider’s auditing requirements must be specified
10) the service provider’s obligations for data retention, disposal and destruction should be consistent with the plan fiduciary’s regulatory obligations

20
Q

What risk allocation provisions should be scrutinized in any contract between a plan sponsor and a service provider?

A

risk allocation provisions related to privacy, data security, and confidentiality ought to be carefully scrutinized

21
Q

What items should be considered when customizing a strategy to meet the challenges of employee benefit plans confronting cyberthreats?

A

1) identify the data
2) consider frameworks
3) establish process considerations
4) customize a strategy
5) strike the right balance based on size, complexity, and overall risk exposure of the organization
6) consider applicable state and federal laws