While Affordable Care Act compliance and other healthcare concerns topped the minds of business executives and benefits professionals, cyber security also took center stage this year as employers looked to develop policies and procedures to protect themselves – and employees’ personal health information – from cyberattacks.
Data from The Graham Company released earlier this year noted that nearly three quarters of business leaders are most concerned about potential risks associated with cyber security threats to their organizations. And in a year that saw health insurer Anthem be the subject of a cyberattack in which the personal information of 80 million people was breached, employers have been taking more proactive approaches to mitigating risks of security breaches.
“I do see more employers reassuring employees about HIPAA [Health Insurance Portability and Accountability Act] focused data security,” says Jennifer Walton-Faifer, an employee benefits attorney in Mercer’s Chicago office and member of the firm’s Regulatory Resources Group.
Also see: “
In the end, the cost of maintaining the best security that an employer can is usually significantly less than the cost of a breach, she says, pointing to three main costs of a breach: reputation, financial costs and employee relations costs.
“I often talk with employers and they ask if they’re protected in the event of a breach, then when they’re asked where their policy and procedure document is or the last time they did a security risk assessment, often times they don’t know,” she says. “So they are not prepared.”
Identity theft
In another survey by Eastbridge Consulting Group, one in five employees was found to have been a victim of identity theft. Further, employees who travel for work were found to be 66% more likely to be a victim of identity theft, the study found.
“It’s been a really interesting evolution,” says Nick Rockwell, director of benefit solutions at LifeLock. “If you look at benefits from both a prevalence and severity state, a lot of current benefits take into account the likelihood that something bad can happen to you and how severe it will be. A cancer or disability policy, those have a huge severity contingent to them, but ID theft has a huge prevalence perspective.”
Also see: “
The big question to consider is the number of people that experience identity theft every year, he says. “I think the employee demand is only going to continue to grow and I think the big employer shift we see is [toward] the [benefit being] subsidized or employer-paid.”
Empowering employees
One employer has taken a more active role in helping employees protect their own data.
“One of our big initiatives this calendar year and rolling forward into the next calendar year, we’ve implemented a behavior-based information security initiative,” says Kathy Herndon, Kimball International’s director of HR systems and privacy compliance manager. “You can’t just tell [employees] what they should and should not do at work. You want to actually teach them a behavior that they want to carry with them outside of work to protect themselves.”
Some other things done recently, particularly with the Anthem breach, has been forming a close working partnership with Anthem to obtain sharable communications for employees, such as specifics on how to sign up for the free monitoring services.
“We had sessions here internally within our organization [that] employees could attend either in person or virtually that explained what happened, and how to sign up for tools and how to use them going forward,” adds Herndon, also a member of the Society for Human Resource Management’s technology panel. “There was a big effort to work with Anthem to get as much information to the hands of employees to empower them to take control … since this was their own personal data.”
Also see: “
A recent initiative from Kimball, which Mercer’s Walton-Faifer says is on the “front line,” involved the company sending out a phishing email as part of a training exercise.
“It looked very real, and we sent it out in different phases to see how many employees actually clicked on the link and how many didn’t and after we shared the results with the organization,” says Herndon.
Even following the training initiatives, the results of the exercise were “eye-opening,” Herndon says. Many didn’t realize that just hovering over a hyperlink can show where it will lead, or that emails containing company logos might not necessarily be coming from the company.
“But we do all these things as a means of empowering employees and making sure they understand,” she added. “It’s not about slapping them on the wrist. That is key.”
Walton-Faifer suggests employers take the following actions to better protect company and employee data:
- Implement required annual training for all employees who handle personal data.
- Create a process for people who are promoted/demoted in roles that involve handling personal data.
- Create a culture that encourages employees to speak up if something doesn’t look or feel right.
- Request a vendor’s HIPAA policies and procedures.
- Review state law for anything that could be required from an employer (e.g., a notification to the insurance commissioner in the event of a breach.)
