Developing a response plan for breach of employee benefits data.
“I’ve been charged with developing a response plan in the event of a breach of our employee benefits data. The technical aspects of data protection for our system are well-covered, so why is it so important to have such a plan, and what do I need to think about?”
– Tamara S., Asst. Benefits Manager
Even the most sophisticated data protection systems aren’t 100% foolproof. And while a good system may deter most hackers, many data breaches stem from inadvertent actions. Having a well-thought-out response plan ready is critical and can save much time and headache down the road.
The key question is: What do you tell to whom, and when? If you wait until there’s a breach, it’s likely to be chaotic as things get sorted out. Familiarize yourself with the HIPAA and HITECH regulatory guidance on notification: who needs to be notified (the employee, the media, Health & Human Services), when (without delay, no later than 60 days) and how (email, in writing, by phone). Depending on the type of data and number of individuals affected, the notification process can be complex and costly.
Speaking of cost, I recommend you contact your risk manager to find out if (and what kind of) insurance is in place. Many companies purchase insurance to lessen the financial impact of a data breach.
If you are using a third-party service provider to manage your benefits data, talk to them about their responsibilities: legal, contractual and regulatory. A good provider will have their own plan, but it is worth confirming this and also understanding the data protections they have in place.
Beyond the legal and regulatory aspects, the goal of any good plan is to avoid panic. A plan that lays out who convenes a response team, who’s on the team, and a clear outline of obligations to your employees will usually suffice. The plan should be specific, however. “Convene a response team” is not good enough. Spell out who’s on the team and their roles and responsibilities. You might want to consider a “first-response” team to deal with the regulatory and contractual issues, and a second team to handle media and PR issues. Again, the nature of the breach will determine the extent of the response needed.
If your company is planning to bring in a new service provider to manage your online benefit enrollment system, Rhonda Marcucci and her team of industry specialists are available to assist with any or all phases of the project, from needs assessment to product selection and implementation support. Contact Rhonda at Rhonda@gruppomarcucci-usa.com or call GruppoMarcucci at 1.312.690.2690.
Gruppo Marcucci (GPM), a division of Gallagher Benefit Services, Inc., provides outsourcing intelligence and associated consulting to stakeholders in the Benefits and HR Technology & Outsourcing industry. Our in-depth understanding of the service provider market and our vast experience sourcing and implementing solutions is key to our clients achieving full operational success.