Groom principal Michael Kreps, chair of the firm’s Retirement Services group, was featured in the PLANSPONSOR article, “Be Prepared: When a Cybersecurity Issue Occurs, Plan Sponsors Can Spring Into Action,” where he discussed data breaches of plan participant data and the necessary protocols in dealing with the aftermath of such incidents.
In an unusually clear dichotomy, after two separate plan sponsors informed their participants of a breach, one set of plan participants had no response, while nearly 300 participants in the other plan reached out with questions. “I can’t find any reason why one would have such a massive response,” Kreps said. “So, we’ve defaulted toward clear, concise communications to people to tell them what happened, how you’re addressing it and flagging risks for them.”
According to PLANSPONSOR, Kreps “also sees the need for plan sponsors to consider both SEC rules and DOL guidance, along with requirements that can vary by state.”
“It’s a bit of a thicket because, depending on the type of the breach and the type of the data involved and the location, you have to be cognizant of all the state privacy laws as well,” said Kreps.
The outlet went on to say that “Kreps sees best practices as a multi-step approach: detecting the breach; understanding what happened; notifying the insurance carrier; tapping expertise, in house or external, to quickly get a sense of who was impacted; and finally notifying participants as quickly as possible.”
“When a security issue is detected, Kreps encourages plan sponsors to be as clear as possible in disclosing a breach,” PLANSPONSOR reported.
“Most normal humans expect this to happen to them: that their information may be stolen,” said Kreps. “We’ve all just kind of accepted it, but what they get really annoyed about, from a PR, client, customer participant relations standpoint, is not being told, not having an idea of what’s happening and not knowing how to get things done to fix it.”
Regarding the responsibility of plan sponsors, “When they know, move as quickly as possible,” he said. “And when you are aware of the breach, then try and get those notices out.”
PLANSPONSOR wrote that “Kreps advises plan sponsors to write rapid notice requirements into their service agreements with a specific timeline for when to inform a plan sponsor of a breach and an outline of who will be taking the lead on communication, as well as approval rights for any communication.”