Even DOL is issuing cybersecurity instructions: best practices to protect your data
The U.S. Department of Labor’s (DOL) Employee Benefits Security Administration recently issued cybersecurity guidance to help employers protect “the retirement benefits of America’s workers.”
Goals, scope of new guidance
The new guidance falls neatly in line with preexisting laws and is intended to address both the dramatic uptick in cybersecurity incidents involving personnel benefits and financial records and the Biden administration’s focus on infrastructure and improving U.S. data security. On the question of legal compliance, the DOL points out that the Employee Retirement Income Security Act (ERISA) requires “plan fiduciaries [to] take appropriate precautions to mitigate . . . [cybersecurity] risk.”
The guidance doesn’t stray into technical requirements but instead reiterates some of the core principles of basic cybersecurity expectations. It contains sections on cybersecurity best practices as well as tips for hiring a service provider.
Best practices
The best-practices document echoes several things already part of any Health Insurance Portability and Accountability Act (HIPAA) or standard cybersecurity compliance program, including (1) a documented cybersecurity process and (2) annual risk assessments to determine whether that process is working. Notably, the majority of HIPAA enforcement cases involve a failure to have security guidelines and regular security assessments in place.