Addressing Retirement Plan Data Security

Retirement plan sponsors have an additional responsibility to protect participant data.

An emerging area of compliance concern for retirement plan sponsors is the protection of plan data, notes Marcia Wagner, the president and founder of Wagner Law Group.

She recently queried whether breaches of retirement plan participant data should fall under the guidance of the Employee Retirement Income Security Act (ERISA) or state law. 

Adam Pozek, a partner at DWC ERISA Consultants, tells PLANSPONSOR, “It should be a pretty significant area of focus for all data that plan sponsors house.” From Social Security numbers to home addresses and even direct access to payroll, in some cases, the data transcends just the benefit plan, Pozek cautions.

Most of the plan data given to service providers is data the plan sponsor already has in its possession, creating an information chain, Pozek points out. “If a plan sponsor has security measures in place but the service provider is lax, their data can still be at risk. Talking about service providers leads naturally to a discussion of data security,” he says, admitting it’s a bit of a cliche, but the chain is only as strong as its weakest link. Data security must be part of any vetting process, whether for payroll or a benefits plan.

A critical goal is to make sure the providers plan sponsors work with have equally impassable systems in place, says Gary Sutherland, chief executive of North American Professional Liability Insurance Agency. “They will want to protect sensitive or confidential employee data that’s shared or used by the recordkeeper or TPA (third-party administrator) handling their plan,” Sutherland tells PLANSPONSOR. “They need to make sure it’s a part of their due diligence that these providers have a cyber-insurance policy in place.”

NEXT: Evaluating data security in the RFP.

"When plan sponsors engage us for a vendor search, we address cybersecurity risks early on in the selection process,” Marcy Supovitz, principal at Boulay Donnelly & Supovitz Consulting Group tells PLANSPONSOR. In the request for proposal (RFP) process, Supovitz evaluates the data security procedures of every vendor.

Critical points to compare include how the vendor seals off access to confidential information from intruders and how they monitor cybersecurity procedures on an on-going basis, notes Supovitz. Plan sponsors can engage the services of an expert to help vet providers, or turn to someone internally on their own IT staff.

Sutherland says plan sponsor due diligence on all providers includes asking questions about the provider’s own history of data loss, whether they have insurance to cover a breach and what steps they will take to protect the identity of the plan sponsor as well as the plan sponsor’s employees.

Beyond looking into a provider’s actual data systems, Sutherland recommends that a vendor conduct background checks on new hires and change passwords frequently so they cannot be saved (every 60 days is recommended).

“Plan sponsors will want the TPA and recordkeeper to back up systems at least weekly,” Sutherland advises. Daily backing up is preferable, with redundant systems available. “Typically, if a TPA’s system is hacked into, the provider can move into another system in the Cloud so they can be up and running within hours, not days.”

Pozek says he would ask whether the provider has a specific data security policy for the way its own employees handle data, a question that can generate several more lines of inquiry. “If an employee accesses data through a smartphone, mobile device or laptop, are those devices encrypted or password protected?” Pozek asks. “What type of security is in place? What steps does the organization take to make sure its employees understand the importance of protecting sensitive data? For example, do they understand that many states have restrictions against emailing Social Security over the Internet without password protection or encryption?”

NEXT: The costs of a data breach. 

Again, Pozek warns, a security policy hinges on everyone using it effectively. For example, he points out Microsoft Outlook can automatically encrypt email with a key word when using Microsoft Exchange on the server side—but the feature is only effective if people know about it and how to use it… and actually do use it.

A data breach can generate different costs, Sutherland points out, such as the first-party costs incurred by the recordkeeper and TPA to notify people of a breach or compromise. “The recordkeeper or TPA might need to bring in a lawyer to handle the notification process in some cases, or public relations people or IT forensics,” he says. “Third-party costs appear when the data they hold is one of their clients that suffers damages as a result of the data breach. If the plan sponsor gets a letter saying all their employee data was breached, costs could also include new credit monitoring as well as any potential damages to the employees.”

The typical cost to manage someone whose data has been breached is about $150 per person. “At 800 employees, for example,” Sutherland says, “that $150 for each can add up pretty quickly.”

While ERISA has no specific jurisdiction over plan data, in Pozek’s opinion, all businesses should have a written policy on data security. “It goes into the prudent process selection,” he says. “They have to evaluate on different criteria.” Plan sponsors that don’t feel comfortable reviewing procedures and vendors should seek outside help from their own IT department, an attorney or investment adviser: “Anyone qualified to look at the response and provide guidance.”

The need to pay attention to data security transcends any benefit plan or company size, Pozek says, noting that most breaches are done by robots trained to look for holes they can take advantage of. “Anyone who would use the data for nefarious purposes doesn’t care how big or small you are,” he says.