Developing a response plan for breach of employee benefits data.

“I’ve been charged with developing a response plan in the event of a breach of our employee benefits data. The technical aspects of data protection for our system are well-covered, so why is it so important to have such a plan, and what do I need to think about?”
– Tamara S., Asst. Benefits Manager


Rhonda Marcucci

Dear Tamara,

Even the most sophisticated data protection systems aren’t 100% foolproof. And while a good system may deter most hackers, many data breaches stem from inadvertent actions. Having a well-thought-out response plan ready is critical and can save much time and headache down the road.

The key question is: What do you tell, to whom, and when? If you wait until there’s a breach, it’s likely to be chaotic as things get sorted out. Familiarize yourself with the HIPAA and HITECH regulatory guidance on notification: who needs to be notified (the employee, the media, Health & Human Services), when (without delay, no later than 60 days) and how (email, in writing, by phone). Depending on the type of data and number of individuals affected, the notification process can be complex and costly.

Speaking of cost, I recommend you contact your risk manager to find out if (and what kind of) insurance is in place. Many companies purchase insurance to lessen the financial impact of a data breach.

If you are using a third-party service provider to manage your benefits data, talk to them about their responsibilities—legal, contractual and regulatory. A good provider will have their own plan, but it’s worth confirming this and also understanding the data protections they have in place.

Beyond the legal and regulatory aspects, the goal of any good plan is to avoid panic. A plan that lays out who convenes a response team, who’s on the team, and a clear outline of obligations to your employees will usually suffice. The plan should be specific, however. “Convene a response team” is not good enough. Spell out who’s on the team and their roles and responsibilities. You might want to consider a “first-response” team to deal with the regulatory/contractual issues, and a second team to handle media and PR issues. Again, the nature of the breach will determine the extent to which a response is needed.

...

© Arthur J. Gallagher & Co. 2019 All rights reserved.