The Equifax hack has shown not just how easy it can be for the bad guys to get hold of personal information from major repositories like the Equifax database, but also highlights the need for employers to be aware that such hacks put employees’ personal data at risk.

In particular, 401(k)s could be targeted by those who managed to snatch the information, according to the Society for Human Resource Management.

It points out in a report that Equifax is by far not the only holder of sensitive information that could be used and abused by cybercriminals. In fact, last year the Chicago Tribune reported that the retirement accounts of 91 municipal employees had been breached.

The cybersecurity incident at consumer credit reporting agency Equifax, announced September 7, affected 143 million U.S. consumers, according to Edward McAndrew, an attorney with Ballard Spahr in Philadelphia and former cybercrime prosecutor for the Department of Justice.

The information accessed and now compromised includes names, Social Security numbers, birth dates, addresses and in some instances driver's license numbers, as well as other information such as credit card numbers.

That can put an employee’s entire financial—and even health—life at risk, if cyberthieves target retirement plan assets and health insurance coverage.

However, while accounts need to be monitored going forward (they should be anyway), employees needn’t assume that just because of the Equifax hack 401(k)s are more vulnerable than before.

That’s according to Robert Siciliano, CSP, CEO of IDTheftSecurity.com in Boston, who says in the report that “it’s a leap” to think that way. He says that using multifactor authentication -- that is, requiring the user to present several pieces of evidence to prove their identity -- to access a retirement plan account is a good idea, noting that it has been a practice recommended by the U.S. Federal Financial Institutions Examination Council since 2005.

However, employees could be conned into providing even more sensitive information, such as who the employee's financial analyst is or the answers to security questions, so that 401(k) plans could indeed be accessed. Most of the time, Siciliano says, scammers get such additional information by telephone or e-mail.

Employers on top of the problem can take several actions to help protect their employees’ data despite the hack, as noted below. Here are 8 actions to take:

If your business has been hacked, report it. (Photo: Getty)

8. If your business has been the target of an attack, report it.

Share information about threats to your information systems with the federal government, which will alert other companies.

When companies fail to share information about attempted breaches to their systems, it makes it easier for the bad guys to move on to the next target without consequences.

You might be concerned about sharing information about a data breach with the government opening up the company to liability—but under the Cybersecurity Information Sharing Act of 2015, companies have more protection from liability when sharing information about threats to their systems with the federal government, which can then warn other companies about the threat.

Vendors can be a weak link in cyber security. (Photo: Shutterstock)

7. Confirm that vendors have adequate information security.

While you’re at it, you should check farther down the line and request information from your third-party vendors on the security measures they require from their outside vendors.

Sometimes that’s the link in the chain that fails and allows unauthorized access to data systems.

You need to be sure that payroll and health insurance vendors have adequate information security, as well as having in place a vendor agreement that includes provisions related to security breach notification, including who pays for it.

Employers should look for vendor adherence to ISO 27001 security standards, as well as to guidelines from the National Institute of Standards and Technology.

6. Record the least amount of confidential information possible.

If you don’t have the information, it can’t be stolen—and why load your systems up with data that you don’t really require?

Instead, you might even want to consider reviewing the types of information that you do collect, and if it’s not all necessary, pare it back.

According to Amar Sarwal, vice president and chief legal strategist for the Association of Corporate Counsel in Washington, D.C., companies may have Social Security, driver’s license or passport numbers on Forms I-9, while use of direct deposit means that employers have employees’ bank account information. Plan sponsors may have protected health information, he adds in the report.

And Adam Temple, a spokesman for the National Association of Professional Background Screeners, points out in the report that to conduct background screening, employers will have information known as personally identifiable information (PII).

PII, he explains, is requested from an applicant at various points in the job application process and may include some combination of legal name, date of birth, Social Security number and driver’s license number.

Train employees not to fall for phishing attacks. (Photo: Shutterstock)

5. Train employees on how to spot and avoid phishing attempts.

Employees can’t be blamed for what they don’t know; if they haven’t encountered such tactics before, they’re all too likely to fall prey to a hacker’s efforts to reel them in and steal their information.

And since phishing can not only open the door to hacked accounts but also confidential company information, educated employees can help to protect not just their own information but also that of the company they work for.

4. Warn employees to watch out for new-account fraud, such as a credit card or loan that the employee did not apply for.

Siciliano says in the report that new-account fraud, when a cyberthief successfully applies for a new credit card or loan with credit information stolen from a hack, is the main risk of the data breach because this is “the low-hanging fruit.”

Not only that, but employees shouldn’t stop at checking just a single account. They should check each one for signs of unauthorized access, lest thieves use data they’ve stolen from one place to gain access to another.

If they see unfamiliar transactions, they should check directly with the financial institution. They also shouldn’t let their guard down—sometimes hackers sit on stolen data for a while, till the furor quiets down, and then they move.

And last but far from least, they should request credit reports to make sure no new accounts or loans are floating around that they haven’t yet discovered; any suspicious activity should be met by filing a dispute.

Employers shouldn't rely on credit checks to screen job candidates. (Photo: Shutterstock)

3. Don’t rely on credit checks when you’re deciding whether to hire a new employee.

Be wary of checking credit as a condition for employment, the report warns.

You might find that the credit check includes fraudulent activity, and relying on that information can potentially cost you a good employee.

2. Boost safeguards for employees’ personal information.

This could mean setting up employee training on keeping their personal information private, as well as additional authentication measures or stronger security.

1. Coordinate with third-party administrators to suggest that employees monitor their accounts for fraudulent activity—and switch to multifactor authentication.

Make sure that TPAs notify plan participants of the potential vulnerability of their 401(k) accounts, so they can keep an eye on their assets and account activity.

If there are options to use more than one form of authentication to access an account, suggest they use it; if there aren’t, look into the possibility of incorporating additional security factors.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.