Welcome to Cybersecurity Awareness Month. With many high-profile cybersecurity attacks in the news in recent years, it’s worth paying extra attention to the topic. Federal agencies—the IRS and the Departments of Labor and Health and Human Services—are certainly taking the lead on improving their own cybersecurity and protecting your data.
So let’s take a look at what these agencies are doing to protect you in your daily excursions into cyberspace.
At the IRS
Cybersecurity is a big reason the IRS requires you to register with ID.me and authenticate your identity.
However, the Treasury Inspector General for Tax Administration and the Government Accountability Office think the IRS can do better.
The IRS should:
- Improve the maintenance of a comprehensive and accurate inventory of its information systems.
- Ensure its information systems consistently maintain a baseline configuration in compliance with government policy.
- Fix flaws and patch systems on a timely basis.
- Encrypt data at rest.
- Implement multi-factor authentication in its facilities and network.
The GAO’s report card focused on the IRS’ efforts to ensure cybersecurity when dealing with outside third parties. Presumably, MFA through ID.me is part of this effort. But the GAO also took issue with the IRS’ claim that further steps toward cybersecurity would require approval from Congress; the GAO doesn’t believe this is necessary.
At the DOL
The DOL doesn’t interact electronically with the public like the IRS does, so its public-facing cybersecurity plans haven’t garnered the same attention as the IRS’ measures have.
Every time your employees surf a website or tap an app to see how their 401(k) investments are doing, they’re pushing your plan into cyberspace. So the DOL has suggested cybersecurity standards for 401(k) plans, and it considers those suggestions to be part of your fiduciary duty to protect plan assets. Upshot: DOL audits will cover a plan’s cybersecurity precautions.
The DOL lays out its suggestions in three publications:
At the HHS
The HHS’ concern is the HIPAA security rule for covered entities—group health plans and third-party administrators. Like the DOL, it doesn’t interact with covered entities itself. But like the IRS, its main focus is ensuring covered entities use MFA when they communicate with one another.
And costly pitfalls await covered entities not using MFA. HHS recently fined a nonprofit health system $1.25 million and required it to implement a corrective action plan to be monitored by the HHS’ Office for Civil Rights because it didn’t use effective authentication processes.
What’s the price to you?
Employers are increasingly being held liable for security breaches resulting in the theft of employees’ identities:
- 401(k) participants whose identities have been stolen have sued their plans.
- So far, courts in Georgia and Maine have held employers liable under state payday and negligence laws for cybersecurity breaches.
With the price ratcheting up, point your browser here for some basic cybersecurity tips.