How safe is your employee benefits data?

Benefits-related employee data may be more vulnerable than ever thanks to COVID-19. Here’s what to know to protect your employees and your company.


The data collected, stored and transferred by employers related to employee benefits is a desirable target for hackers, and the new realities of work related to COVID-19 have exacerbated the vulnerability of that data.

According to the 2021 Allianz Risk Barometer, cyber incidents are the third most important global risk for the coming year, behind business interruption and pandemic outbreak.

And while breaches may be on the rise, the cost of those breaches is skyrocketing as well. The United States has the highest average cost of a data breach, at about $8.64 million, according to IBM’s 2020 Cost of a Data Breach Report.

Employee benefit plan information is especially susceptible to cyber attacks because of the sensitive nature of the data shared with multiple third parties, which includes outsourced service organizations that also maintain and electronically share this information, said Margaux Weinraub, cyber practice leader at Graham Company, an insurance broker and employee benefits consultant.

From a benefits perspective, the types of data that need to be protected include personally identifiable information (PII) such as names, addresses and Social Security numbers, as well as protected health information (PHI), meaning identifiable details about an individual’s health, including diagnoses, treatment information, medical test results, prescription information and biometric identifiers.

“The reality of cyber risk is that organizations are not only impacted by their own exposure, but also the exposure of any outside vendors they contract with for technology and services, which serve as an information holder,” said Weinraub. “Companies should assess the cyber hygiene of human resources and benefits vendors they work with to ensure the vendors also have appropriate security measures in place.”

Employee benefits data is typically compromised in one of two ways, said Weinraub. The first is through internal incidents, when an employee or vendor maliciously steals data, or accidentally exposes it through the loss of a laptop, phone or other device that is set up for easy access to benefits data. Data can also be exposed through a vendor incident. The second is through external incidents perpetrated by individual bad actors, organized criminals, ‘hacktivists,’ and even nation states, using email compromise scams, ransomware schemes and intrusive malware delivered through social engineering and phishing techniques.

These types of attacks are becoming more sophisticated and are causing increasing operational disruption that can be financially devastating and damaging to the organization’s reputation, not to mention putting customers, clients and employees at risk.

The pandemic has exacerbated the vulnerability of data in many industries, including the employee benefits space, by creating new opportunities for cybercriminals to seize on widespread uncertainty, said Weinraub.

This has resulted in phishing attacks that can lead to ransomware infections, business email compromise or compromise of information that may be protected under state, federal and international privacy laws, said Weinraub.

Those laws include the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, both of which require that PHI be protected. If a breach occurs, notifications must be made and fines could be levied. A breach of 500 or more records requires notification to the Department of Health & Human Services as well as to local media, Weinraub said. Employers also need to be aware of state laws, which vary widely and apply where the affected individual resides, not where the company is headquartered or where the breach originated.

“As remote employees adapted their workflows in 2020 to stay connected through video conferencing and messaging tools, these platforms received heightened scrutiny related to their privacy and security policies,” said Weinraub. “Business and IT leaders must perform their due diligence and continuously audit the security measures of platforms they are considering purchasing. Before making a commitment, companies must understand how communications through a platform are encrypted, how data could be shared with third parties and other key details for protecting the privacy of individual users and the organization as a whole.”

How can employers protect their employees and themselves? Weinraub said employers must make cybersecurity a top priority, regardless of their size or industry. If cybersecurity measures aren’t already in place, they should work with urgency to implement protocols and secure necessary coverage to protect the organization. For companies that already have cybersecurity measures in place, protocols and protections should be continually reevaluated to protect against new and emerging threats.

Additional measures, including ongoing employee education, password management, infrastructure vulnerability scanning and testing of current incident response plans, can help a company prepare for or prevent potential incursions. In addition, companies should consider cyber insurance policies that incorporate ancillary and complementary loss mitigation services to help organizations prepare for and prevent cyber incidents, said Weinraub.

“When a cyber incident occurs, it is critical to have a comprehensive cyber insurance program in place,” said Weinraub. “This helps cover both first- and third-party expenses, such as forensic investigation and data recovery services to restore networks, legal representation for compliance with notification laws, public relations services, regulatory fines or penalties, defense expenses associated with a lawsuit and more. Cyber policies also include business interruption coverage covering loss of income and operating expenses caused by an interruption of service of one’s own organization or a third-party service provider.”

Kristen Beckman is a freelance writer based in Colorado. She previously was a writer and editor for ALM’s Retirement Advisor magazine and LifeHealthPro online channel. She also was a reporter for Business Insurance magazine covering workers compensation topics.