Be Aware and Be Prepared: Data Privacy and Employee Benefits

May 20, 2024

Data privacy concerns continue to grow. For many businesses, employee benefits are a major source of sensitive data subject to growing risks. Here are some key privacy considerations from an employee benefits perspective.

Do you know where data is coming from and going to?

Knowing what benefits data your business has is a critical first step. Benefits information often includes names, personal contact information, beneficiary designations, Social Security Numbers, banking information, and information about spouses and dependents. This is why benefits information creates so many risks for businesses and opportunities for bad actors. Once you know what data you have, knowing who sends, receives, and accesses that data is critical to compliance and risk reduction.

Is there a plan in place to determine if a breach has occurred and how to respond?

Breaches happen increasingly often. Planning and having a process to follow is an essential part of a proper response. This includes processes to determine if a potential breach has occurred, and processes for responding to breach notifications from service providers.

Do you obtain appropriate information to assess your risks?

The type and amount of data used by service providers will determine how carefully and frequently you should review their policies, procedures, and any past problems. This information can help you determine your risk and risk mitigation.

Are necessary agreements in place with service providers?

Privacy provisions should be added to service provider agreements. This language needs to be up-to-date and maintained for compliance purposes. Whether it is a Business Associate Agreement for HIPAA, a data privacy addendum for broader privacy compliance, or language in the primary agreement, this language will be the starting point for setting expectations, assessing liability, and documenting compliance.

Is your privacy policy consistent?

It is important that the privacy policy you have provided to employees remains consistent with the actions you and your service providers take with employee benefits data. It is also important to ensure these privacy policies are in compliance with the applicable and regularly changing data privacy laws.

Do you know what laws, standards, and contractual obligations apply?

A wide array of state and federal laws provide privacy rules. Understanding which laws apply and what data they apply to is an important first step. For instance, the Department of Labor has shown an increasing focus on data privacy under ERISA, especially regarding ERISA’s fiduciary duties and personal liability.  

Is your documentation sufficient?

Beyond agreements, your documentation should be sufficient to record compliance if there is an audit or investigation, provide instructions if there are concerns about a data privacy incident, and reduce liability through insurance coverage and other protection.

Does insurance cover your risks?

Breaches and penalties are often excluded from general insurance coverage. Even when you have a rider or policy specific to data privacy, there can be exclusions if you do not have sufficient processes and procedures in place. Work with trusted advisors to ensure you have the insurance coverage you want and expect, and that the coverage will apply to your circumstances.

Do you offer privacy benefits?

Data monitoring, alerts, and similar services can be offered as a benefit in many circumstances. However, to maximize the benefit to employees, the benefit must follow several rules, which can differ depending on the specifics of your business.

It is never too early to address data privacy for employee benefits or otherwise. This advisory provides only a summary of some of the biggest aspects of privacy for benefits. If you have questions or need assistance, contact a member of our Employee Benefits and Executive Compensation or Data Privacy and Cybersecurity Teams.

Featured Authors

Charles M. Russman

Partner

Charles is an experienced attorney who focuses on employee benefits, executive compensation, tax, and data privacy matters. He helps clients design benefits plans, offers guidance on employer fiduciary issues, and counsels clients on data privacy matters.
