Cybersecurity Notice to Plan Participants
(Group Health Plan)


Summary

Use this template to notify participants of group health plans about the growing threat of breaches of plan cybersecurity and to advise them of the steps they can take to mitigate the risk of cybertheft of their personally identifiable information. Educating participants about cybersecurity is an important defense against cybercrime. This template includes practical guidance and drafting notes.

The ever-increasing volume and sophistication of internet crimes targeting employee benefit plan data and assets has led to growing concern among ERISA fiduciaries, who anticipate the consequences of cybersecurity issues in the context of DOL audits of ERISA plans and of litigation by employees and beneficiaries who have suffered damages from cybersecurity breaches. As a result, ERISA fiduciaries have had to become more informed and proactive in the information technology space and to seek both legal guidance and additional protections for their plans.

Data security refers to the measures, policies, and technological safeguards taken to protect data, and in the case of retirement plans participants' plan assets, from unauthorized access, theft, or other improper use. Cybersecurity is a subset of data security, but it also describes the way an organization protects its digital networks, programs, devices, systems, servers, and other online assets. Cybersecurity and physical data security work in conjunction to ensure that plan assets and digital assets are sufficiently protected from internet crimes. Tools such as encryption, user authentication, and tokenization contribute to an organization's cybersecurity protections.

Employee benefit plans that are health plans benefit from the protections provided under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. No. 104-191). Group health plans and their business associates must safeguard the protected health information (PHI) of individuals receiving health services from covered entities against unauthorized access or disclosure. See HIPAA Privacy, Security, Breach Notification, and Other Administrative Simplification Rules. Group health plans can also warn their participants about protecting the sensitive information they have access to from unintentional release or theft. For a listing of the protections provided under HIPAA, see HIPAA Resource Kit. For more information about cybersecurity concerns and best practices for fiduciaries, see Cybersecurity Considerations for ERISA Plan Fiduciaries.