• Consider purchasing cyber-liability
Because it’s unclear whether state privacy and cybersecurity laws are preempted by the Employee Retirement Income Security Act (ERISA) when it comes to benefits plan data, make sure you’re aware of state statutes and adjust your practices accordingly, Schelberg
Notification After a Breach
Most businesses that provide employees with self-funded health insurance benefits must comply with Health Insurance Portability and Accountability Act (HIPAA) privacy rules, even if they use a third-party administrator (although there is an exception for plans with fewer than 50 participants).
HIPAA’s Breach Notification Rule requires entities covered by the act and their business associates to inform people whose private health information may have been compromised within 60 days, says Robert Projansky, a partner with Proskauer in New York City.
“While nothing is expressly required under ERISA regarding notification of employees following a data breach of personal information, ERISA does require the fiduciary of a benefit plan to act prudently in managing the plan’s assets,” Projansky says. Keeping this in mind, plan fiduciaries should:
• Examine contracts with outside administrators concerning notification duties in the event of a security breach.
• Look to state law notification
Benefits plans are affected by the laws of states where health plan enrollees or retirement plan participants live in addition to the state where the company is based or the plan is administered, experts say. Pension plans, for instance, could be impacted by security laws in any state in which a retiree or beneficiary resides.
Many state requirements go beyond minimizing cybersecurity risks to addressing identity and fraud protection more generally, such as:
• Disposal laws that require businesses to take reasonable steps when disposing of sensitive personal information, such as by ensuring that the data is shredded or erased so it can’t be
• Social Security number legislation that prohibits businesses from publishing or making available individuals’ Social Security numbers.
• Protection of medical information statutes, such as California’s Confidentiality of Medical Information Act, which requires that “each employer who receives medical information shall establish appropriate procedures to ensure the confidentiality and protection from unauthorized use and disclosure of that information.”
Since former employees and their dependents could reside anywhere, make sure to conduct a comprehensive state law analysis to determine a benefits plan’s legal requirements following a data breach, says Proskauer partner Kristen Mathews.
However, “some state data breach notification laws defer to HIPAA breach notification procedures and do not require additional action where HIPAA applies and is followed,” she says.
The best way to protect your organization from a cyberattack—and stay out of the headlines—is to accurately assess your enterprise’s risk and adopt procedures to secure its data.
Stephen Miller, CEBS, is an online writer/editor for SHRM who focuses on compensation and benefits topics.
Cyberattack Response Checklist
What should you do if your organization experiences a cyberattack? Here’s a checklist from the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) that briefly explains the steps that a Health Insurance Portability and Accountability Act (HIPAA)-covered entity or its business associates should take. In the event of a cyberattack or similar emergency, an entity must:
■ Execute its response and mitigation procedures and contingency plans. For example, immediately fix any technical or other problems to stop the incident and take steps to mitigate any impermissible disclosure of protected health information, which may be done by your organization’s own information technology staff or an outside entity brought in to help.
■ Report the crime to law enforcement agencies, which may include state or local authorities, the FBI, and/or the Secret Service. Any such communication should not include protected health information, unless otherwise permitted by the HIPAA
■ Notify OCR as soon as possible, but no later than 60 days after discovering a breach affecting 500 or more individuals, and notify affected individuals and the media unless a law enforcement official has requested a delay in the reporting.
OCR presumes all security incidents where protected health information was accessed, acquired, used or disclosed are reportable unless the information was encrypted or the entity determines, through a written risk assessment, that there was not much chance that the information was compromised. If a breach impacts fewer than 500 individuals, the entity must inform individuals without unreasonable delay, but no later than 60 days after discovery, and must inform OCR within 60 days after the end of the calendar year in which the incident was discovered.
Source: U. S. Department of Health and Human Services.