The Equifax hack has shown not just how easy it can be for the bad guys to get hold of personal information from major repositories like the Equifax database, but also highlights the need for employers to be aware that such hacks put employees’ personal data at risk.
In particular, 401(k)s could be targeted by those who managed to snatch the information, according to the Society for Human Resource Management.
It points out in a report that Equifax is by far not the only holder of sensitive information that could be used and abused by cybercriminals. In fact, last year the Chicago Tribune reported that the retirement accounts of 91 municipal employees had been breached.
The cybersecurity incident at consumer credit reporting agency Equifax, announced September 7, affected 143 million U.S. consumers, according to Edward McAndrew, an attorney with Ballard Spahr in Philadelphia and former cybercrime prosecutor for the Department of Justice.
The information accessed and now compromised includes names, Social Security numbers, birth dates, addresses and in some instances driver's license numbers, as well as other information such as credit card numbers.
However, while accounts need to be monitored going forward (they should be anyway), employees needn’t assume that just because of the Equifax hack 401(k)s are more vulnerable than before.
That’s according to Robert Siciliano, CSP, CEO of IDTheftSecurity.com in Boston, who says in the report that “it’s a leap” to think that way. He says that using multifactor authentication -- that is, requiring the user to present several pieces of evidence to prove their identity -- to access a retirement plan account is a good idea, noting that it has been a practice recommended by the U.S. Federal Financial Institutions Examination Council since 2005.
However, employees could be conned into providing even more sensitive information, such as who the employee's financial analyst is or the answers to security questions, so that 401(k) plans could indeed be accessed. Most of the time, Siciliano says, scammers get such additional information by telephone or e-mail.
Employers who stay on top of the problem can take several actions to help protect their employees’ data despite the hack. Here are 8 actions to take:
8. If your business has been the target of an attack, report it.
Share information about threats to your information systems with the federal government, which will alert other companies.
When companies fail to share information about attempted breaches of their systems, it is easier for the bad guys to move on to the next target without consequences.
You might be concerned that sharing information about a data breach with the government opens the company up to liability—but under the Cybersecurity Information Sharing Act of 2015, companies have more protection from liability when sharing information about threats to their systems with the federal government, which can then warn other companies about the threat.
7. Confirm that vendors have adequate information security.
While you’re at it, you should check farther down the line and request information from your third-party vendors on the security measures they require from their outside vendors.
Sometimes that’s the link in the chain that fails and allows unauthorized access to data systems.
You need to be sure that payroll and health insurance vendors have adequate information security, and that you have in place a vendor agreement that includes provisions on security breach notification, including who pays for it.
Employers should look for vendor adherence to ISO 27001 security standards, as well as to guidelines from the National Institute of Standards and Technology.
6. Record the least amount of confidential information possible.
If you don’t have the information, it can’t be stolen—and why load your systems up with data that you don’t really require?
You might even want to review the types of information that you do collect and, if it isn’t all necessary, pare it back.
According to Amar Sarwal, vice president and chief legal strategist for the Association of Corporate Counsel in Washington, D.C., companies may have Social Security, driver’s license or passport numbers on Forms I-9, while use of direct deposit means that employers have employees’ bank account information. Plan sponsors may have protected health information, he adds in the report.
And Adam Temple, a spokesman for the National Association of Professional Background Screeners, points out in the report that to conduct background screening, employers will have information known as personally identifiable information (PII).
PII, he explains, is requested from an applicant at various points in the job application process and may include some combination of legal name, date of birth, Social Security number and driver’s license number.
5. Train employees on how to spot and avoid phishing attempts.
Employees can’t be blamed for what they don’t know; if they haven’t encountered such tactics before, they’re all too likely to fall prey to a hacker’s efforts to reel them in and steal their information.
And since phishing can open the door not only to hacked accounts but also to confidential company information, educated employees can help to protect not just their own information but also that of the company they work for.
4. Warn employees to watch out for new-account fraud, such as a credit card or loan that the employee did not apply for.
Siciliano says in the report that new-account fraud, when a cyberthief successfully applies for a new credit card or loan with credit information stolen from a hack, is the main risk of the data breach because this is “the low-hanging fruit.”
Not only that, but employees shouldn’t stop at checking just a single account. They should check each one for signs of unauthorized access, lest thieves use data they’ve stolen from one place to gain access to another.
If they see unfamiliar transactions, they should check directly with the financial institution. They also shouldn’t let their guard down—sometimes hackers sit on stolen data for a while, till the furor quiets down, and then they move.
And last but far from least, they should request credit reports to make sure no new accounts or loans are floating around that they haven’t yet discovered; any suspicious activity should be met by filing a dispute.
3. Don’t rely on credit checks when you’re deciding whether to hire a new employee.
Be wary of checking credit as a condition for employment, the report warns.
You might find that the credit check includes fraudulent activity, and relying on that information can potentially cost you a good employee.
2. Boost safeguards for employees’ personal information.
This could mean setting up employee training on keeping their personal information private, as well as additional authentication measures or stronger security.
1. Coordinate with third-party administrators to suggest that employees monitor their accounts for fraudulent activity—and switch to multifactor authentication.
Make sure that TPAs notify plan participants of the potential vulnerability of their 401(k) accounts, so they can keep an eye on their assets and account activity.
If there is an option to use more than one form of authentication to access an account, suggest that they use it; if there isn’t, look into the possibility of incorporating additional security factors.