CyberSecure

FOR LOCAL UNIONS

Cybersecurity Compliance for Labor Unions & Fund Offices

Rebecca Rakoski
Co-Founder and Managing Partner, XPAN Law Partners

Labor unions, pension funds, and benefits offices face an increasing number of cybersecurity threats. As in most industries, union leaders frequently rely on third parties to ensure data security. It’s crucial to follow the Department of Labor’s (DOL) 2021 cybersecurity guidelines with an active cybersecurity program. Failure to achieve DOL cybersecurity compliance opens you up to more than just an increased risk of cyberattack; in the event of a data breach, it can also lead to legal action from federal and state enforcement agencies. Beyond this, comprehensive cybersecurity and data privacy programs protect the data of union members and their families, as well as their health and retirement benefits. This article will explore key cybersecurity considerations, best practices, and regulatory compliance obligations that labor unions and fund offices should be aware of to ensure they’re protecting the sensitive information they’re entrusted with.

Understanding the Risks

Labor unions and fund offices manage a vast array of sensitive data attractive to cybercriminals, including personal identification information (PII), protected health information (PHI), financial statements, and other confidential documents. Additionally, fund offices manage health, welfare, and retirement benefits for their participants. Tens of millions of dollars move by and through fund offices and their investment advisors daily. Ensuring the appropriate cybersecurity processes are in place is essential. Common cyber threats to these offices can include:

  • Fraudulent funds transfers: Attackers impersonate legitimate entities to trick organizations into authorizing payments to fraudulent accounts, commonly through Business Email Compromise (BEC) schemes.
  • Phishing attacks: Cybercriminals often use deceptive emails or websites to trick union staff into revealing login credentials or downloading malicious software.
  • Ransomware: Malicious software that encrypts office files, consequently rendering them inaccessible until a ransom is paid.
  • Data breaches: Hackers can infiltrate systems, stealing sensitive data or gaining unauthorized access to member records.
  • Insider threats: Employees or contractors who inadvertently or intentionally misuse access to sensitive information.

The consequences of a cyberattack on labor unions and fund offices can be devastating, including a decrease in member trust, financial losses, regulatory penalties, and broad oversight for months/years thereafter — not to mention lawsuits. In addition to maintaining robust cybersecurity measures, it’s essential for leadership to document cybersecurity practices to prove compliance in the event of litigation or an agency enforcement action being initiated for failure to comply.


Compliance Obligations: Understanding Regulations

Compliance with federal and state cybersecurity data regulations is neither optional nor a “tomorrow problem.” Under the law, noncompliance sets in motion clear consequences, from fines and penalties to agency oversight to ensure full compliance, and sometimes organizational paralysis from having to respond to seemingly endless investigations and subpoenas. 


Department of Labor Cybersecurity Guidelines

A set of best practices for plan sponsors and fiduciaries includes implementing a formal, well-documented cybersecurity program, conducting regular risk assessments, and ensuring strong access controls, among other measures.


Health Insurance Portability & Accountability Act (HIPAA) 

If a union offers health benefits, it is subject to HIPAA, which requires unions to implement physical, administrative, and technical safeguards to secure healthcare data and prevent breaches.


Federal Trade Commission (FTC) Safeguards Rule 

The FTC’s Safeguards Rule applies to financial institutions and mandates the creation of a written information security program. Unions providing financial benefits must create a cybersecurity plan that includes risk assessments, security measures, and employee training.


State-Specific Data Protection Laws 

Many states have their own data protection laws. For example, the California Consumer Privacy Act (CCPA) and New York’s SHIELD Act impose stringent requirements for data privacy, security, and breach notification. Unions operating in these states must be aware of and comply with the applicable laws to avoid penalties.

Keep in mind that for any state-specific law or regulation, the union or fund office is bound by the law of the jurisdiction where the member, participant, or beneficiary lives. This jurisdictional piece of the law includes retired members, which can mean that a fund office physically located in New Jersey could have data from members or participants in a multitude of other states. So, it’s essential for union and benefit offices to understand the nature of the data and where its members/participants reside to meet all applicable legal requirements.

Unions and fund offices should have specialized legal counsel who regularly deal with state-level proactive cybersecurity requirements. Simply put, general fund counsel or even corporate counsel cannot effectively advise organizations of the nuanced differences found in these laws and more importantly how these differences apply to the industry.


Best Practices For Cybersecurity

While regulatory compliance and incident response plans are essential, there are several proactive best practices union and fund offices can adopt to reduce the likelihood of a breach.

  • Comprehensive & Documented Cybersecurity Program
  • Annual Risk Assessments
  • Third-Party Audits of Security Controls
  • Third-Party Vendor Management
  • Cybersecurity Awareness Training
  • Incident and Breach Response Plan

Each aspect of the previously mentioned best practices should be carefully considered and curated by professionals with legal and technical knowledge. Additionally, considering the unique nature of the industry, general cybersecurity professionals may also fall short of truly reducing risk and legal liability. It’s important these professionals understand both the nature of the data collected and the nature of the organizations involved. By understanding regulatory legal requirements, developing a robust incident response plan, and adopting best practices for cybersecurity, unions and fund offices can achieve their fundamental goals of protecting members’ sensitive data, maintaining trust, and avoiding costly breaches. But as technology continues to evolve, the commitment to cybersecurity must remain a top priority to safeguard the future of this industry and its members, participants, and beneficiaries.
