Data Security for Your 401(k) in an Insecure World


NewsDude
07-30-2008, 04:10 PM
The absolute protection of Social Security numbers is critical in today's world of human resource and employee benefit administration, including the handling of 401(k) plans.
Such security concerns exist whether plan administration is done in-house or is outsourced. In our Internet world, identity theft is a huge and growing problem. Computer systems of some of the largest organizations in the country, including a well-known national 401(k) provider and even our country's intelligence agencies, have been hacked and information has been compromised.
High tech is not the only way to access confidential information: Unlocked desktop and laptop computers, unsecured work papers and trash also are sources for identity thieves. As most companies outsource 401(k) administration or certain aspects of it, I want to focus on security of retirement plan data at third-party firms.
What kind of routine practices from a 401(k) provider should raise security questions?
* Do plan participant statements contain Social Security numbers?
* Do plan participants need to use a Social Security number (instead of a user name) for online access?
* Do e-mail reports, such as on-demand statements, include Social Security numbers and/or birth dates?
* Are participant logins verified by multi-factor authentication to confirm legitimate logins and computer connections? (This also prevents "phishing" attacks wherein participants are induced into entering confidential information into bogus look-alike Web sites.)
Any of those practices can be problematic to the security of employees' confidential information, which you are entrusted to safeguard.
What other controls should be in place at a 401(k) service provider? Ask for copies of the Type II SAS-70 Audit Report, an information security policy and a business continuity plan. The documents will show whether the organization is serious about 401(k) data security and should describe what controls are in place and their adequacy as well as contingency...

More... (http://www.toptechnews.com/story.xhtml?story_id=61027)