Developing a response plan for breach of employee benefits data.

“I’ve been charged with developing a response plan in the event of a breach of our employee benefits data. The technical aspects of data protection for our system are well-covered, so why is it so important to have such a plan, and what do I need to think about?”
– Tamara S., Asst. Benefits Manager


Rhonda Marcucci

Dear Tamara,
Even the most sophisticated data protection systems aren’t 100% foolproof. And while a good system may deter most hackers, many data breaches stem from inadvertent actions. Having a well-thought-out response plan ready is critical and can save much time and headache down the road.

The key question is: What do you tell to whom, and when? If you wait until there’s a breach, it’s likely to be chaotic as things get sorted out. Familiarize yourself with the HIPAA and HITECH regulatory guidance on notification: who needs to be notified (the employee, the media, Health & Human Services), when (without delay, no later than 60 days) and how (email, in writing, by phone). Depending on the type of data and number of individuals affected, the notification process can be complex and costly.

Speaking of cost, I recommend you contact your risk manager to find out if (and what kind of) insurance is in place. Many companies purchase insurance to lessen the financial impact of a data breach.

If you are using a third-party service provider to manage your benefits data, talk to them about their responsibilities—legal, contractual and regulatory. A good provider will have their own plan, but it is worth confirming this and also understanding the data protections they have in place.

Beyond the legal and regulatory aspects, the goal of any good plan is to avoid panic. A plan that lays out who convenes a response team, who’s on the team, and a clear outline of obligations to your employees will usually suffice. The plan should be specific, however. “Convene a response team” is not good enough. Spell out who’s on the team and their roles and responsibilities. You might want to consider a “first-response” team to deal with the regulatory/contractual issues, and a second team to handle media and PR issues. Again, the nature of the breach will determine the extent to which a response is needed.

...

If your company is planning to bring in a new service provider to manage your online benefit enrollment system, Rhonda Marcucci and her team of industry specialists are available to assist with any or all phases of the project—from needs assessment to product selection and implementation support. Contact Rhonda at Rhonda@gruppomarcucci-usa.com or call GruppoMarcucci at 1.312.690.2690.


About Gruppo Marcucci

Gruppo Marcucci (GPM), a division of Gallagher Benefit Services, Inc., provides outsourcing intelligence and associated consulting to stakeholders in the Benefits and HR Technology & Outsourcing industry. Our in-depth understanding of the service provider market and our vast experience sourcing and implementing solutions is key to our clients achieving full operational success.


© Arthur J. Gallagher & Co. 2019 All rights reserved.