By: Alison J. Cohen
It is a growing club that no one wants to join: the club of companies who became victims of cyberterrorism. Whether the release of credit card data from the infamous Target inside job, the gas pipeline shutdown at Colonial Pipeline, or the more recent CNA Financial ransom attack, it is often not a question of ‘if’ a company will be attacked, but ‘when.’ Recently, a major software provider (“Provider”) to third party administrators (“TPAs”) joined this horrible club. The question that we are receiving from TPAs is “What should we do about this?”
Step One: Review Your Own TPA Service Agreement (the service agreement between you and your clients) – If you are a TPA, you should know the contents of your service agreement. But, assuming you have more interesting things to read, it has probably been a while since the Confidentiality/Cybersecurity section has been reviewed. Regardless of whether you are impacted by this latest breach, now is the time. This policy, if you have one, should also be reviewed to ensure any response to this or any future breach is consistent with guidance from the U.S. Department of Labor. If you don’t have cybersecurity language in your service agreement, add it now. If Ferenczy Benefits Law Center prepared your agreement in recent years, you should have this language. However, if it has been a number of years since your service agreement was prepared, it is most likely time for a comprehensive review and an update.
If you are a Plan Sponsor, the U.S. Department of Labor’s 2021 guidance suggests that you should be asking service providers for a copy of their cybersecurity program.
Step Two: Review the Provider’s Contract – You should have a copy of the Provider’s contract in your files, along with its published cybersecurity policy. It is important to review language in the agreement regarding how the Provider is going to indemnify the TPA and its clients in the event of such an attack. It should also be clear who is going to coordinate the communication to the affected participants, and how it will be done. These should be reviewed immediately upon notification of the event.
Step Three: Notify your Insurance Carrier – Even though it was not the TPA’s system that was compromised, a TPA may be held responsible by its clients and their participants. TPAs should carry appropriate levels of cybersecurity insurance, in addition to the standard Errors & Omissions coverage. Immediately upon notification of the event, you should discuss the incident with your insurance carrier, and determine whether the coverage extends to such an incident with an outside Provider’s system. It is important to do this before any communication is sent your clients. Any outside communication prior to timely insurance notification could invalidate your coverage.
Step Four: Prepare Client Communication – Your clients should be made aware of the incident as soon as possible. The communication should relay the facts of the incident, and not conjecture, and a clear statement of the next steps that you will be taking. One of the main complications for any cybersecurity incident is that the Federal government has not created any uniform guidelines or laws for required responses by the cyber victims, other than banks and financial institutions. As a result, many states’ Attorneys General have created separate rules and regulations. This means that, after an incident, there could be 50 different response requirements. This complication slows response time down and often makes a bad situation worse. California has the most aggressive response requirements in the country, so to be conservative, you can use this as your standard for responses. In the current incident, you likely do not know enough facts about what is going on, so all you can do is share the information you have and let your clients know that you will keep them informed as you learn more.
Step Five: Prepare Participant Communication – The participants will need to be made aware of the fact that their confidential information has been compromised. Again, no communication should include conjecture and the tone shouldn’t trigger panic. When preparing the participant communication, include copies of any communication that you received from the Provider and instruct the participants to take steps to protect themselves. In some instances of data exposure, the responsible party will offer the affected participants the option of engaging a credit monitoring service. Your insurer may want to offer this under the terms of your policy as a conservative approach.
Step Six: Continuously Update Everyone – As you learn more information about the extent of the data that has been compromised, and steps that are being taken to mitigate the breach, you should update both the plan sponsors and participants. Communications that are shared by the affected Provider may be attached or forwarded. It is important to work with your legal counsel and/or insurer to make sure that messaging is consistent with all legal requirements.
Lastly: For You – It is important for each one of us, as individuals, to take steps to protect ourselves. It’s only a matter of time before one of our providers (bank, credit card, online account, etc.) is compromised. It is incredibly easy to put a credit freeze on your information at all three credit monitoring institutions. It takes around 5 minutes each and less when you need to unfreeze. With this in place, your information can’t be used to open fake credit cards or bank accounts. Nearly all financial institutions have enabled multi-factor authentication (“MFA”) for all login attempts. This also takes just minutes to enable. Most financial institutions allow you to elect to be notified of transactions made without a card being present or amounts over a certain dollar limit. All of these preventive measures make it harder for a thief to get away with your money. Please take some time to take action.
Although you may not currently be using this Provider’s software, if you previously used it, you may still be affected. It is important to know what the record retention policy is for any Provider that you use. Similarly, as a service provider yourself, consider what your record retention policy is and whether you need to purge data from terminated clients to decrease the possible affected group should your own system be compromised.
We are always here to provide guidance during these difficult times. If you would like our assistance with your cybersecurity response or with updating your service agreement, please reach out to us. If you are currently a service agreement client of ours, we will provide updated confidentiality/cybersecurity language free of charge. However, if your agreement is more than five years old, we recommend a more thorough review to ensure you have the most up-to-date language throughout your service agreement. Protect yourself, and remember – We are your ERISA Solution.
2635 Century Parkway, Suite 200, Atlanta, GA 30345
T: 404.320.1100 | F: 404.320.1105 | www.ferenczylaw.com
- Posted by Ferenczy Benefits Law Center
- On January 16, 2023