What to Know About a Data Breach

Characteristics of a Data Breach

A data breach is not a complicated notion. A definition found in the tech world says it's "an incident where information is stolen or taken from a system without the knowledge or authorization of the system's owner." Internal system malfunctions or human errors can cause those incidents, but cyber attacks account for most of them.

The Identity Theft Resource Center reports that over 90% of data breaches are cyber attack-related. Its report also revealed that the number of breach events in Q1 2022 represents a double-digit increase over the same time last year. It is another indicator that data compromises will continue to rise in 2022 after setting a new all-time high in 2021.

Employee Data are in the Bullseye

Bad actors in the digital world seek the personal information of participants in employee benefit plans as a priority. By concentrating on pools of data held by vendors of services to retirement and health and welfare plans, using cyber attacks, they confiscate large quantities of valuable information such as social security numbers and credit card information. Often it takes weeks or months for vendors to notify their clients of such intrusions. By then, significant irreversible damage to employees can occur. The managers legally responsible for overseeing such plans ("fiduciaries") are squarely in the middle.

Gateways for Data Breaches

Not-so-sophisticated techniques often breach employee benefit plan data and plan assets. For example:

  • Weak Account Credentials. Far too many people rely on predictable phrases like 'Password1' and '123456', meaning cyber criminals don't even need to break a sweat to access sensitive information. With the help of computer programs that run through millions of the most popular credentials, even moderately secure passwords are vulnerable. Thinking hard to create something original when choosing a password is essential.
  • Malware. Malware is a perfect example of how simple cyber crime can be. Crooks purchase a piece of malicious software, find a system that contains a known vulnerability, plant the malware and scoop up the rewards. Employees often unwittingly download malware onto corporate and personal computers when it arrives attached to content they retrieve while browsing the Internet.
  • Malicious Insiders. Many employees have access to personally identifiable information or personal health information housed on an enterprise's computer system or by a third-party vendor. There's always a chance that someone will try to misuse it. Regrettably, the lure of financial gain from selling data on the dark web is too great for many. Employees are also more likely to misuse sensitive information if they are disgruntled at work or have left the organization on poor terms and still have access to its systems.

Why You Should Care

The U.S. Department of Labor ("DOL") added cybersecurity examinations to its audit program in 2021. That development means all employee benefit plan fiduciaries face the possibility of a federal investigation of their data security policies and practices. The Employee Benefits Security Administration ("EBSA") is the DOL's enforcement arm, and it developed the cybersecurity guidance that forms the framework for the DOL's plan audits.

Furthermore, future plaintiffs may rely on the EBSA's guidance in arguing that there is a duty to safeguard plan assets against unauthorized distributions.

Cybersecurity is a relatively new challenge for the retirement plan community. Retirement accounts, which hold an estimated $9.3 trillion in assets, are too attractive for cyber thieves to ignore. The federal courts are responding by connecting ERISA and cybersecurity in their decisions involving cases that allege breaches of fiduciary duty.

What You Should Do

Conduct an annual risk assessment to identify, estimate, and prioritize employee benefit plan data security risks. Cyber-enabled threats are constantly changing, so it's essential to design a manageable, effective risk assessment schedule. Your organization should define the risk assessment's scope, methodology, and frequency. Seek help from a qualified firm specializing in ERISA plan cybersecurity risk management.

Ask Roland|Criss.
