Addressing Cybersecurity in Service Contracts
A recent blog post provides tips and ideas for ensuring that plan and participant information is secure and protected from cyberattack.
“Addressing Cybersecurity in Your Retirement Plan TPA Contract,” by the law firm von Briesen & Roper, offers ideas on how to incorporate cybersecurity protections in service contracts between TPAs and their employer clients.
A TPA needs to remember that personal identifiable information (PII) is sensitive data, say von Briesen & Roper, and that its site needs to be secure. That need is heightened by the fact that participants perform transactions such as obtaining plan loans and making withdrawals and transfers through service providers’ websites.
Long-standing arrangements between employers and TPAs may have arisen and been formalized before cybersecurity became a bigger concern, and may merit review so they can incorporate such protections. The blog suggests that if that is the case, amendments to a contract could address:
- keeping PII secure and confidential;
- restricting access to, and the use of, PII;
- maintaining PII within the United States only;
- a description of the cybersecurity safeguards the TPA will implement and the standards it will follow to prevent unauthorized access to accounts and protect PII;
- using best practices regarding data storage;
- auditing data security practices and providing the results with the employer;
- the employer’s right to review the TPA’s security measures or periodically perform a data security audit;
- prompt notification of a data security breach and steps to mitigate losses a breach causes;
- maintaining “cyber insurance” to provide some assurance that the TPA can financially survive the costs (and protect the client’s interests in the event) of a data breach; and
- allocation of liability if a data breach occurs.