>> Maintain complete log-in for the network, firewalls, routers and key software applications, and limit or define usage of portable devices.
>> Designate an individual to be in charge of privacy and security of PII, and implement and test contingency plans for use in the event of a data breach.

Service Provider Management

>> Review a copy of each third party service provider's Service Organization Control Reports (e.g. SOC 1, 2 and 3).
>> Address privacy and security factors when vetting and selecting service providers.
>> Delegate duties responsibly and prudently monitor third parties and employees with access to plan data. Assess the service providers' certifications in privacy and security and insurance coverages.
>> Request information regarding service providers' processes and systems for addressing cybersecurity threats and protection of PII, as well as past data breaches.
>> Focus on security measures in place for plan distributions, loans and withdrawals.
>> Make sure third party provider subcontractors are held to the same standards as the service provider.
>> Develop a record of diligence efforts undertaken to document the level of security of third party service providers. Understand where data is stored and how it is secured and protected.
>> Engage the expertise of company IT professionals and your legal counsel to review service agreements and provisions regarding data security, data storage, websites, breach notification, and confidentiality, and develop parameters for compliance representations and indemnification in service agreements.

Special Concerns for Employees

>> Train employees responsible for contract and vendor management regarding review of privacy and security issues in vendor arrangements.
>> Educate employees about the importance of safeguarding their data at all times and warn against email and phishing scams.
>> Encourage use of regularly updated passwords with a high level of security.
>> Advise participants and beneficiaries to monitor their accounts.
>> Prepare communications that remind participants and beneficiaries to safeguard their own benefit information, account balances, health information, passwords, and PINs, and advise against placing too much personal information on social networking sites and reviewing sensitive data on public computers or kiosks.

General Tips

>> Keep records of any breach investigations and steps taken to remedy the breach.
>> Review fiduciary liability insurance and consider the potential interplay with cybersecurity insurance.
>> Perform periodic risk assessments, maintain good controls, and be careful about who can override them.
>> Consider updating plan documents to incorporate the PII Protection and Privacy Policy.
>> Use a process to confirm compliance with the policy, and make sure the policy is clear and communicated to all appropriate parties.

People & Training

>> Perform background checks on all individuals with access to PII.
>> Ensure all personnel who have access to PII are trained in properly safeguarding it. Include training in areas such as data retention/destruction, social networking, social engineering, and litigation holds.

In this ever-changing landscape, these considerations are not definitive or finite. Development of best practices, including a PII Privacy and Protection Policy, will require tho

10 | Summer 2015