It’s getting to be that time of year again. Yes, the holidays are coming, but as a TPA you also know that 92% of all plans that file with the DOL will shortly transmit highly sensitive data to an administrative or actuarial service organization. According to the 5500 filings from 2015, the information that changes hands over the next few months represents the personally identifiable information, or PII, in approximately 300 million data records. Does this represent a significant opportunity for a data breach? YES. Can you trust your employees with the secure handling of PII? Unfortunately, the answer is NO. No matter how good or reliable your employees are at performing their jobs, they need help when it comes to protecting your clients’ data.
You may have not had to report a data breach like Equifax, but is that due to documented and enforced security measures or dumb luck? If luck was the answer, please read on. If you think this article doesn’t relate to you because you still maintain all files on paper, please read on. Technology has made data security more sophisticated, but it has always been a business issue for firms that handle PII, like banks, investment companies, and your TPA firm.
Securing data means keeping it safe from unauthorized access, whether in transmission or at rest, and whether on paper or stored electronically. Earlier in my career, I can remember bringing files home with me on weekends when I needed to get work done (I can assure you, they were not locked in a safe while at my home). I can also recall a colleague going to a client’s office, having brought a gusset file crammed with years of historical data to the meeting. After the meeting, he placed it on the roof of his car, got in and drove away, leaving a trail of PII behind him as he left the client’s office. How about a flooded office (like in Houston) or a building fire that destroys those paper files? For firms still storing personal client information on paper, is this security plan sounding secure now?
Technology has made sweeping changes to the way we look at, exchange, and store data. What we think are secure ways of transmitting data are not necessarily so. In the TPA industry, there is still widespread use of exchanging password-protected files through email. Inevitably, the email with the file attached is followed up by… you guessed it, another email with the password in the subject line or body. You might as well put out a sign that says, “Hackers welcome here!” I recently spoke to someone who works for a large investment firm who told me their email security software automatically strips any password-protected files from incoming and outgoing email. They are clearly demonstrating that they do not want the liability for this type of PII exchange.
So why the lack of security awareness? Mostly, that passivity is a by-product of convenience. That is not to say employees are lazy, but technological advances are all about “convenience.” Add to that the lack of formal data security training for employees, and you have an environment ripe for a data breach. An employee can simply connect their smartphone or other mobile device (oh yeah, they have those too!) to an open hotspot at a local coffee shop (remember convenience), and your sensitive data is available for hackers to see.
To prove the point, Avast, a company that provides virtual mobile platforms, decided to test how people use their mobile devices when offered free internet. They set up several fake Wi-Fi networks at the 2016 Republican National Convention (no matter your opinion of politicians, most are pretty well-educated). They gave them names like “Google Starbucks”, “I vote Trump! Free Internet” or “I vote Hillary! Free Internet.” By the end of the convention, 1,200 people had connected to the fake Wi-Fi and transmitted 1.6 gigabytes of data. Though Avast deleted all the data, what they learned about the data that was transmitted and the mobile activity of the people who logged on should scare you into action.
So, what to do? We’d love to say buy software, but the single biggest step you can take is employee education and training. People simply do not understand the subject of security as well as they should, and you don’t have to be an IT professional to learn the basics (if you employ an IT professional, they are the perfect person to deliver the training). Make the training annual and MANDATORY. Just like CPE, have employees sign in and sign out, maybe even answer a question or two to show that they have absorbed the information. Also, let employees see PII on a “need to know” basis. If they don’t need access, don’t give it and narrow down your firm’s scope of risk.
Second, make sure you have the right software and invest in secure technology. Use secure file transfer for sensitive documents and reject incoming emails with attachments that should have been secured. If you don’t feel tech-savvy enough to do this electronically, then immediately respond (with a new email, not a reply to the one you received) telling the sender, and possibly an owner, that you are concerned about this transmission and that they may need to act on their end. Be sure you have an alternative route for the client to send you this information in the future. When traveling, avoid free Wi-Fi networks by using a secure hotspot.
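The inbound mail check described above (the investment firm’s gateway stripping password-protected files, and rejecting attachments that should have been secured) can be expressed as a simple policy. The example below is added here and is not code from the original article or from any product it names; the ZIP encryption-flag check is real (general-purpose flag bit 0), while the extension list, the example.com addresses and the sample messages are constructed for illustration.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

# Constructed list of attachment types a TPA gateway would treat as likely PII carriers.
PII_EXTENSIONS = (".xlsx", ".xls", ".csv", ".pdf", ".zip")
PASSWORD_RE = re.compile(r"\b(password|passcode|pw)\b", re.IGNORECASE)

def zip_is_password_protected(data: bytes) -> bool:
    """True if any archive entry sets the ZIP encryption flag (general-purpose bit 0)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def make_sample_zip(name: str, content: bytes, password_protected: bool) -> bytes:
    """Constructed archive; flips the encryption flag in local header (off 6) and central dir (off 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if password_protected:
        data[6] |= 0x1
        data[data.find(b"PK\x01\x02") + 8] |= 0x1
    return bytes(data)

def build_sample_message(subject: str, body: str, filename: str = "", data: bytes = b"") -> bytes:
    """Constructed inbound mail from a plan sponsor (example.com) to the TPA."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, "sponsor@example.com", "tpa@example.com"
    msg.set_content(body)
    if filename:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def inspect_message(raw: bytes) -> dict:
    """Gateway policy: quarantine protected archives, cleartext passwords and unsecured PII files."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = (msg["Subject"] or "") + " " + (body.get_content() if body else "")
    findings = ["password_in_cleartext"] if PASSWORD_RE.search(text) else []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".zip") and zip_is_password_protected(payload):
            findings.append("password_protected_zip:" + name)   # key arrives in a separate mail
        elif name.endswith(PII_EXTENSIONS):
            findings.append("unsecured_attachment:" + name)     # PII sent in the clear
    return {"verdict": "quarantine" if findings else "deliver", "findings": findings}
```

A quarantined message is the trigger for the manual step the article recommends: a fresh email to the sender (and an owner) pointing them at the firm’s secure transfer route.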
Document your processes for handling secure data. Who has access to see it, how long do you keep it, and how will it be destroyed? PensionPro is in the process of completing our SOC 2 audit for 2017. Our audit requires that a qualified external firm observe us for six months to be sure not only that we have policies in place, but also that we are in compliance with them. Though you may not have to go to this extreme, follow these best practices and document how your data is kept secure.
Client data is submitted to you with the understanding that you will keep it safe. As TPAs, we are expected to protect personally identifiable information to the best of our ability, using the “best practices” available. As you collect your clients’ data this year, or even head out for holiday shopping, reflect on where that information is headed and how it’s shared. In the age of information, ignorance is not bliss.