Confero Summer 2015: Issue 11 | Page 12

>> Maintain complete logging for the network, firewalls, routers and key software applications, and limit or define usage of portable devices.

Service Provider Management

>> Review a copy of each third party service provider's Service Organization Control Reports (e.g. SOC 1, 2 and 3).
>> Address privacy and security factors when vetting and selecting service providers.
>> Delegate duties responsibly and prudently monitor third parties and employees with access to plan data. Assess the service providers' certifications in privacy and security and their insurance coverages.
>> Request information regarding service providers' processes and systems for addressing cybersecurity threats and protection of PII, as well as past data breaches.
>> Make sure third party provider subcontractors are held to the same standards as the service provider.
>> Develop a record of diligence efforts undertaken to document the level of security of third party service providers. Understand where data is stored and how it is secured and protected.
>> Engage the expertise of company IT professionals and your legal counsel to review service agreements and provisions regarding data security, data storage, websites, breach notification, and confidentiality, and develop parameters for compliance representations and indemnification in service agreements.
>> Train employees responsible for contract and vendor management regarding review of privacy and security issues in vendor arrangements.

Special Concerns for Employees

>> Designate an individual to be in charge of privacy and security of PII, and implement and test contingency plans for use in the event of a data breach.
>> Educate employees about the importance of safeguarding their data at all times and warn against email and phishing scams.
>> Encourage use of regularly updated passwords with a high level of security.

General Tips

>> Keep records of any breach investigations and steps taken to remedy the breach.
>> Advise participants and beneficiaries to monitor their accounts.
>> Review fiduciary liability insurance and consider its potential interplay with cybersecurity insurance.
>> Focus on security measures in place for plan distributions, loans and withdrawals.
>> Prepare communications that remind participants and beneficiaries to safeguard their own benefit information, account balances, health information, passwords, and PINs, and advise against placing too much personal information on social networking sites and reviewing sensitive data on public computers or kiosks.
>> Perform periodic risk assessments, maintain good controls, and be careful about who can override them.
>> Consider updating plan documents to incorporate the PII Protection and Privacy Policy.
>> Use a process to confirm compliance with the policy, and make sure the policy is clear and communicated to all appropriate parties.

People & Training

>> Perform background checks on all individuals with access to PII.
>> Ensure all personnel who have access to PII are trained in properly safeguarding it. Include training in areas such as data retention/destruction, social networking, social engineering, and litigation holds.

In this ever-changing landscape, these considerations are not definitive or finite. Development of best practices, including a PII Privacy and Protection Policy, will require tho