Updated with editor's note below. Think only credit card data and bank accounts are the targets of cyberattacks? Think again—because employee benefits data is in the hackers’ crosshairs.
That’s according to a report by the Society for Human Resource Management, which says that attacks on benefit plans can result in more than just loss of data for employers who fail to safeguard the information.
The report quotes Neal Schelberg, a partner with law firm Proskauer Rose in New York City, saying at the International Foundation of Employee Benefit Plans’ 2017 Washington Legislative Update in Washington, D.C. that employee health and retirement plans “are big targets and particularly susceptible to cyberattacks,” and warning employers to defend their plans against hacking attempts.
Schelberg pointed to some major incidents, including a June 2016 hit on more than 90 deferred-compensation retirement accounts of Chicago municipal employees. Hackers not only got personal information, but managed to pull money from 58 accounts, with the city losing $2.6 million that had to be replaced in participant accounts and also providing credit monitoring services to account holders.
Editor's note: A spokesperson for Nationwide says that the breach is in fact not being investigated as a cyber attack but as a case of fraud. According to a report in the Chicago Tribune last year, "The theft was apparently undertaken by a person or group who accessed personal information and apparently created a web profile to take out a loan from the retirement account, officials said."
Another big hit targeted a grocery workers union pension plan in St. Louis, with hackers demanding a three-bitcoin (about $2,000) digital currency ransom to return control of the United Food and Commercial Workers (UFCW) Local 655 pension plan’s computer servers.
Among the data at risk were employee names, birthdates, Social Security numbers and bank information. While the union refused to knuckle under and pay ransom (it had a backup system), it did end up footing the bill for a year of credit monitoring and theft restoration services.
But in another case, the University of Massachusetts Amherst was on the hook for a $650,000 penalty and had to follow a corrective action plan after a malware infection targeting the university's employee health care plan exposed the sensitive health information of 1,500 people in a potential violation of the Health Insurance Portability and Accountability Act (HIPAA).
Why so much? The Department of Health and Human Services found that the university had failed to accurately assess the risk of malware infection and adopt procedures to secure its data.
According to Schelberg, benefit plans “are particularly susceptible to cyber-risks because they store large amounts of sensitive employee information and share it with multiple third parties.” And even though security measures may not be foolproof, cyber-risks “can be managed.”
It could be argued, he said, that it’s actually within a plan trustee's fiduciary duties not only to prepare for a possible cyberattack but also to ensure that any breach results in as little exposure, and cost, as possible.
Some actions he suggested sponsors take to protect plan data include the following:
Developing and implementing a framework to address cybersecurity issues
Addressing third-party vendor vulnerabilities that could add risk, especially for electronic transfer of sensitive data to third parties
Backing up sensitive data, then storing it off network where it is not accessible to hackers
Boosting passwords, including adding multifactor authentication for accessing data systems
Increasing investment in security software and systems
Involving boards of directors more directly in security matters
Considering the purchase of cyberliability insurance
Sponsors must also be current on the HIPAA requirements for notification of people whose health information may have been breached, even if a third party is involved, as well as for ERISA requirements for notification and for other actions in the event of a security breach.
And in the case of ERISA, the process could be far more complicated than sponsors believe.
In the report, Kristen Mathews, another partner in Proskauer's New York City office, was cited saying that benefit plans are affected by the laws of states where health plan enrollees or retirement plan participants live—not just the state where the company is headquartered or where the plan is administered.
She pointed out that pension plans could be affected by security laws in any state in which a retiree or beneficiary resides.