One of the last things pension plan participants would want to learn as they get ready to celebrate the Christmas holiday is that personal data from their pension accounts may have been compromised. This is the case, unfortunately, for approximately 30,000 Now:Pensions customers whose names, postal and email addresses, birth dates and the equivalent of Social Security numbers were hacked and posted online. According to reports, the UK company, which helps to administer millions of workplace pensions, attributed the incident to a third-party service provider.

Of course, the challenge of managing the cybersecurity risk of third-party service providers does not exist solely across the pond. During a recent SPARK Cybersecurity Virtual Event, Tim Hauser, Deputy Assistant Secretary for National Office Operations at DOL’s Employee Benefits Security Administration (EBSA), observed:

When a plan fiduciary is hiring somebody who is going to be responsible for confidential, personal information, or who’s going to be running systems to keep track of people’s account balances and the like, there’s a responsibility to make sure that you’ve hired that person prudently, that firm prudently…And if you think about plans and the universe I described, that’s just shy of $11 trillion, and with personal health and pension data, there are a lot of tempting targets there and what we’ve seen in our own enforcement actions, especially in our criminal programs, vulnerabilities are taken advantage of.

According to Hauser, the U.S. Department of Labor is developing guidance for plan sponsors in the U.S. that would cover cybersecurity issues and third-party service providers for retirement plans.

Like so many other organizations affected by a breach experienced by one of their third-party service providers, Now:Pensions has provided notification to pension account holders and regulators. Reports indicate the breach occurred over a three-day period in mid-December and the compromised data had been obtained “by an unknown third party.”

At this point, similarly-situated organizations might be considering whether to move away from the service provider that caused the incident. Here are some reasons why that may not be the best course of action. However, one to-do list item that should be a given following a breach like this is to revisit the procurement process for selecting service providers, update it as needed to make sure it appropriately addresses cybersecurity risks, and ensure it is prudently implemented.

When it comes to ERISA employee benefit plans, hiring a service provider is in and of itself a fiduciary function. When considering a plan service provider’s level of cybersecurity, there are a number of steps plan sponsors and administrators can take to prudently assess the data privacy and security capabilities of potential plan service providers. Some examples include:

  • Take the general threats and vulnerabilities of plan service providers into account when conducting the organization’s enterprise data security risk assessment.
  • Meet with the service provider’s IT lead, but also others in the service provider’s organization – legal, accounting, HR, sales, etc. This will give you a better sense of the culture of privacy and security at the service provider.
  • Require the service provider to complete a detailed list of pointed data privacy and security questions, the answers to which should be actively evaluated by your IT team, counsel, and/or consultant.
  • Ask about prior data security incidents and how they were handled.
  • Review the service provider’s policies and procedures.
  • Require the service provider to submit to an independent data security audit/review, penetration test.
  • Ask the service provider about its data breach response plan, and how often it is practiced. Plan to include the service provider when you practice your own response plan, and gauge their openness to that.

This is not an exhaustive list, and each step could be fleshed out more or less depending on the risk the service provider presents. In addition, it is appropriate to incorporate representations and additional protections concerning data privacy and security in the ultimate services agreement. The point is that because of the critical role service providers play, and the information they have access to (which may include not just personal information but also company proprietary data), the measures taken to evaluate plan service providers’ privacy and data security risk should happen at the procurement stage and on an ongoing basis, not just when a breach happens.

Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Privacy and cybersecurity experience – Joe counsels multinational, national and regional companies in all industries on the broad array of laws, regulations, best practices, and preventive safeguards. The following are examples of areas of focus in his practice:

  • Advising health care providers, business associates, and group health plan sponsors concerning HIPAA/HITECH compliance, including risk assessments, policies and procedures, incident response plan development, vendor assessment and management programs, and training.
  • Coached hundreds of companies through the investigation, remediation, notification, and overall response to data breaches of all kinds – PHI, PII, payment card, etc.
  • Helping organizations address questions about the application, implementation, and overall compliance with European Union’s General Data Protection Regulation (GDPR) and, in particular, its implications in the U.S., together with preparing for the California Consumer Privacy Act.
  • Working with organizations to develop and implement video, audio, and data-driven monitoring and surveillance programs. For instance, in the transportation and related industries, Joe has worked with numerous clients on fleet management programs involving the use of telematics, dash-cams, event data recorders (EDR), and related technologies. He also has advised many clients in the use of biometrics including with regard to consent, data security, and retention issues under BIPA and other laws.
  • Assisting clients with growing state data security mandates to safeguard personal information, including steering clients through detailed risk assessments and converting those assessments into practical “best practice” risk management solutions, including written information security programs (WISPs). Related work includes compliance advice concerning FTC Act, Regulation S-P, GLBA, and New York Reg. 500.
  • Advising clients about best practices for electronic communications, including in social media, as well as when communicating under a “bring your own device” (BYOD) or “company owned personally enabled device” (COPE) environment.
  • Conducting various levels of privacy and data security training for executives and employees.
  • Supports organizations through mergers, acquisitions, and reorganizations with regard to the handling of employee and customer data, and the safeguarding of that data during the transaction.
  • Representing organizations in matters involving inquiries into privacy and data security compliance before federal and state agencies including the HHS Office of Civil Rights, Federal Trade Commission, and various state Attorneys General.

Benefits counseling experience – Joe’s work in the benefits counseling area covers many areas of employee benefits law. Below are some examples of that work:

  • As part of the Firm’s Health Care Reform Team, he advises employers and plan sponsors regarding the establishment, administration and operation of fully insured and self-funded health and welfare plans to comply with ERISA, IRC, ACA/PPACA, HIPAA, COBRA, ADA, GINA, and other related laws.
  • Guiding clients through the selection of plan service providers, along with negotiating service agreements with vendors to address plan compliance and operations, while leveraging data security experience to ensure plan data is safeguarded.
  • Counsels plan sponsors on day-to-day compliance and administrative issues affecting plans.
  • Assists in the design and drafting of benefit plan documents, including severance and fringe benefit plans.
  • Advises plan sponsors concerning employee benefit plan operation, administration and correcting errors in operation.

Joe speaks and writes regularly on current employee benefits and data privacy and cybersecurity topics and his work has been published in leading business and legal journals and media outlets, such as The Washington Post, Inside Counsel, Bloomberg, The National Law Journal, Financial Times, Business Insurance, HR Magazine and NPR, as well as the ABA Journal, The American Lawyer, Law360, Bender’s Labor and Employment Bulletin, the Australian Privacy Law Bulletin and the Privacy and Data Security Law Journal.

Joe served as a judicial law clerk for the Honorable Laura Denvir Stith on the Missouri Court of Appeals.