DOL Announces New Cybersecurity Guidelines

The DOL has remained silent on cybersecurity until last week, when the DOL posted:

• Tips for Hiring a Service Provider with Strong Cybersecurity Practices;
• Cybersecurity Program Best Practices; and
• Online Security Tips for Participants and Beneficiaries.

While these are targeted towards ERISA-covered plans, employers should be taking notice.

Now more than ever employers need to be concerned with data security. The last few years have demonstrated a marked increase in the insecurity of consumer and personnel data, especially electronic data.

Even if you do not operate an ERISA-covered plan, a comprehensive data security program may be required by your state or may be highly encouraged in order to lessen the risk of data breaches.

What’s New About these Best Practices?

The Employee Benefits Security Administration has published these best practices that mirror many of the concepts from generally-recognized cybersecurity best practices and recommendations. If your Company has a cybersecurity program in place, the best practices will be similar to your current policies and procedures. The highlights of the best practices include:

1. Have a formal, well documented cybersecurity program.
2. Conduct prudent annual risk assessments.
3. Have a reliable annual third-party audit of security controls.
4. Clearly define and assign information security roles and responsibilities.
5. Have strong access control procedures.
6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
7. Conduct periodic cybersecurity awareness training.
8. Implement and manage a secure system development life cycle (SDLC) program.
9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
10. Encrypt sensitive data, stored and in transit.
11. Implement strong technical controls in accordance with best security practices.
12. Appropriately respond to any past cybersecurity incidents.

Should I have a Data Security Program?

Even when not explicitly required by law, a Written Information Security Program may provide benefits to the Company, including:

• Engaging business to proactively assess risk and implement measures to protect personal and sensitive information.
• Educating stakeholders and employees about necessary actions to protect that information.
• Communicate data security expectations and practices to leadership, regulators, and customers.
• Establishing that the organization takes reasonable steps to protect personal information, especially in the event of a future security risk.

Our fixed-fee Protecting Personal Information Compliance Toolkit can assist Companies in navigating the requirements for data security regulations and in developing a comprehensive Written Information Security Plan.

I’m a Massachusetts Employer – Do I Need to Worry?

Since 2010, any Massachusetts business that stores, licenses, uses, or owns any personal information must have a Written Information Security Program in place. The standards for WISP compliance are for the most part in line with the new EBSA best practices, such as:

• Designate one or more persons to maintain the program. This person (or persons) will be your Data Security Coordinator (or Coordinators).
• Identify risks and evaluate safeguards.
• Develop security policies for employees who work out of the office.
• Impose disciplinary measures for program violations.
• Prevent terminated employees from accessing personal information.
• Make sure that third party service providers have an information security program that is compliant with the law.
• Limit the amount of personal information collected, the time it is retained and access to it.
• Identify all systems used to store personal information.
• Restrict physical access to records containing personal information.
• Monitor the program regularly.
• Review the scope of security measures at least annually or whenever there is a change in business practices.
• Document actions taken in a security breach incident.

In 2019, the concern for compliance increased when Massachusetts enacted sweeping revisions to its comprehensive data breach notification law – this change has presented employers with new responsibilities under Massachusetts law. In addition to notifying individuals about breach of their personal information, the Massachusetts Attorney General and the Massachusetts Director of Consumer Affairs and Business Regulation now requires organizations to expressly state whether their organization has implemented a Written Information Security Program and after a security breach, if their Written Information Security Program was updated.

Questions about implementing a WISP in your workplace? Contact us!