Data privacy concerns continue to grow. For many businesses, employee benefits are a major source of sensitive data subject to growing risks. Here are some key privacy considerations from an employee benefits perspective.
Do you know where data is coming from and going to?
Knowing what benefits data your business has is a critical first step. Benefits information often includes names, personal contact information, beneficiary designations, Social Security Numbers, banking information, and information about spouses and dependents. This is why benefits information creates so many risks for businesses and opportunities for bad actors. Once you know what data you have, knowing who sends, receives, and accesses that data is critical to compliance and risk reduction.
Is there a plan in place to determine if a breach has occurred and how to respond?
Breaches happen increasingly often. Planning and having a process to follow is an essential part of a proper response. This includes processes to determine if a potential breach has occurred, and processes for responding to breach notifications from service providers.
Do you obtain appropriate information to access your risks?
The type and amount of data used by service providers will determine how carefully and frequently you should review their policies, procedures, and any past problems. This information can help you determine your risk and risk mitigation.
Are necessary agreements in place with service providers?
Privacy provisions should be added to service provider agreements. This language needs to be up-to-date and maintained for compliance purposes. Whether it is a Business Associate Agreement for HIPAA or a data privacy addendum for broader privacy compliance of language in the primary agreement, this language will be the starting point for setting expectations, assessing liability, and documenting compliance.
Is your privacy policy consistent?
It is important that the privacy policy you have provided to employees remains consistent with the actions you and your service providers take with employee benefits data. It is also important to ensure these privacy policies are in compliance with the applicable and regularly changing data privacy laws.
Do you know what laws, standards, and contractual obligations apply?
A wide array of state and federal laws provide privacy rules. Understanding which laws apply and what data they apply to is an important first step. For instance, the Department of Labor has shown an increasing focus on data privacy under ERISA, especially regarding ERISA’s fiduciary duties and personal liability.
Is your documentation sufficient?
Beyond agreements, your documentation should be sufficient to record compliance if there is an audit or investigation, provide instructions if there are concerns about a data privacy incident, and reduce liability through insurance coverage and other protection.
Does insurance cover your risks?
Breaches and penalties are often excluded from general insurance coverage. Even when you have a rider or policy specific to data privacy, there can be exclusions if you do not have sufficient processes and procedures in place. Work with trusted advisors to ensure you have the insurance coverage you want and expect, and on how to ensure that its coverage will apply to your circumstances.
Do you offer privacy benefits?
Providing data monitoring, alerts and similar services can be offered as a benefit in many circumstances. However, to maximize the benefit to employees, the benefit must follow several rules, which can differ depending on the specifics of your business.
It is never too early to address data privacy for employee benefits or otherwise. This advisory provides only a summary of some of the biggest aspects of privacy for benefits. If you have questions or need assistance, contact a member of our Employee Benefits and Executive Compensation or Data Privacy and Cybersecurity Teams.