Personal Protected Information

When the pandemic hit in 2020, some of our customers faced an unexpected curveball. 

We’ve been doing virtual 401k audits for years, but many companies had maintained their relevant audit records on paper … until last year.

COVID revealed a compliance gap that hadn’t been an issue for these companies in the past: they didn’t know how to safely and securely share personal protected information with an auditor (or with anyone else) online.

For businesses who’d never taken their operations virtual, security protocols for paper files were well-established. But virtual security? That was a whole new animal.

Unsurprisingly, data security was one of the top errors we found in our audits last year. 

Plan administrators have an ERISA fiduciary duty defining how they should manage retirement plans, including implementing controls to restrict access to the plan’s systems, applications, and data. (In other words, plan administrators must keep the data secure.)

And GDPR has been in effect since May 2018, meaning that cybersecurity could have serious ramifications even beyond your benefits plan audit. (Yes, GDPR impacts U.S. businesses, too, whenever they hold personal data about people in the EU, such as employees or plan participants living there.)

Whether you’re sending employee information to an auditor like us, another third party, or even internal stakeholders, follow these critical guidelines to stay compliant with regulations protecting personal information and avoid a data breach.

Personal protected information includes more than you think

Understanding the definition of “personal protected information” is key to tightening your online security protocols.

When you think about sensitive employee information, you probably think of Social Security numbers and compensation details. However, “personal protected information” (the term more commonly used in security and privacy regulation is personally identifiable information, or PII) includes even simple data points like names, phone numbers, and addresses, because each one can be tied back to a specific person.

A good rule of thumb is that ANY identifying information unique to an employee is considered personal protected information, and should be handled accordingly.

Stop emailing sensitive information

No, seriously … Stop.

Sending an email might feel simple, but it is a big deal. Even if your own company has strict controls around email, any data you share is outside your control as soon as you hit “send”: a copy sits in the recipient’s mailbox, on every mail server that relayed it, in backups, and in every inbox it is later forwarded to, usually with no expiry and no way to take it back.

And if you don’t already have rules around what should and should not be included in an email, you should start today.

That is why sending employee information via email is no longer acceptable: the data is far more exposed to a breach than it ever was in a locked file cabinet, and you have no record of who has opened it or where it has gone.

Use secure portals instead

At Cassell Plan Audits, we use a secure client portal to exchange protected information with our clients. 

Without getting too technical, here’s how it works: when you send a message or file to a recipient, they receive an email containing only a notification and instructions on how to access it, not the data itself. They must log on (creating an account first, if they don’t already have one) to view what’s been shared, so the data is released only to an authenticated user, not to whoever happens to be holding the email.

Strictly speaking, this is not two-factor authentication; it is authenticated, access-controlled file exchange. The notification is separated from the data, so intercepting or forwarding the email does not by itself hand over the file. If your portal offers true multi-factor authentication (a code from an authenticator app, for example), enable it for every account.
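To make that mechanism concrete, here is an added Python model of the portal flow. It is illustrative code written for this article, not Cassell Plan Audits’ portal or any vendor’s product, and it assumes an in-memory store in place of a database, standard-library PBKDF2 for password storage, and a one-week share expiry; the file content, addresses and passwords are constructed for the demo.

```python
# Added example: a minimal model of secure-portal file exchange.
# Assumptions (not from the original article): in-memory store, PBKDF2 password
# hashing, one-week share expiry, constructed sample data.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

SHARE_TTL_SECONDS = 7 * 24 * 3600   # assumption: a share link stops working after a week
PBKDF2_ROUNDS = 200_000


@dataclass
class Share:
    file_id: str
    recipient_email: str
    token_hash: str          # SHA-256 of the emailed access code; the raw code is never stored
    expires_at: float


class Portal:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.files = {}      # file_id -> bytes
        self.accounts = {}   # email -> (salt, pbkdf2 hash)
        self.sessions = {}   # session_id -> email
        self.shares = {}     # share_id -> Share

    # Accounts: the recipient must register and sign in before anything is released.
    def register(self, email, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.accounts[email.lower()] = (salt, digest)

    def login(self, email, password):
        """Return a session id on success, None on failure."""
        record = self.accounts.get(email.lower())
        if record is None:
            return None
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, stored):
            return None
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = email.lower()
        return session_id

    # Sharing: the email carries a pointer and an access code, never the file.
    def share_file(self, file_id, content, recipient_email):
        self.files[file_id] = content
        token = secrets.token_urlsafe(32)
        share_id = secrets.token_hex(8)
        self.shares[share_id] = Share(
            file_id=file_id,
            recipient_email=recipient_email.lower(),
            token_hash=hashlib.sha256(token.encode()).hexdigest(),
            expires_at=self.clock() + SHARE_TTL_SECONDS,
        )
        return share_id, token

    def notification_email(self, share_id, token):
        """The text the recipient receives: instructions, not data."""
        return (f"A file has been shared with you. Sign in to the portal (create an "
                f"account with this address if needed) and open share {share_id} "
                f"with access code {token}.")

    def download(self, session_id, share_id, token):
        """Release the file only to the intended, signed-in recipient with a valid code."""
        email = self.sessions.get(session_id)
        share = self.shares.get(share_id)
        if email is None or share is None:
            return None
        if self.clock() > share.expires_at:
            return None                                   # share has expired
        if email != share.recipient_email:
            return None                                   # notification was forwarded to someone else
        candidate = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(candidate, share.token_hash):
            return None                                   # wrong or guessed access code
        return self.files[share.file_id]


def demo():
    """Happy path plus the failure modes the portal is meant to block."""
    now = [1_700_000_000.0]                               # constructed clock, advanced by hand
    portal = Portal(clock=lambda: now[0])
    census = b"constructed sample: 2020 employee census for the plan auditor"
    share_id, token = portal.share_file("census-2020.csv", census, "hr@example.com")
    email_text = portal.notification_email(share_id, token)

    portal.register("hr@example.com", "correct horse battery staple")
    portal.register("stranger@example.net", "hunter2")
    hr = portal.login("hr@example.com", "correct horse battery staple")
    stranger = portal.login("stranger@example.net", "hunter2")

    results = {
        "email_contains_file": census in email_text.encode(),
        "recipient_gets_file": portal.download(hr, share_id, token) == census,
        "forwarded_to_stranger": portal.download(stranger, share_id, token),
        "wrong_code": portal.download(hr, share_id, "guess"),
        "bad_password_login": portal.login("hr@example.com", "wrong"),
    }
    now[0] += SHARE_TTL_SECONDS + 1
    results["after_expiry"] = portal.download(hr, share_id, token)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The checks in `download()` are the whole point: the notification email carries a share id and an access code but never the file, and the portal releases the bytes only to a signed-in account whose address matches the intended recipient, with a valid, unexpired code. Forwarding the notification to someone else therefore gets them nothing, which emailing the file directly can never guarantee.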

Client portals even have some functionality that email doesn’t, depending on what you use. You can often schedule appointments, check past records, or perform other tasks within the portal itself.

Insist that your third-party partners protect sensitive info, too

Next time you’re working with an auditor or an accountant, check to make sure they use a secure portal. If they don’t provide one, ask! It’s not just a reasonable request—it’s a requirement.

Once you have a secure portal up and running, USE IT. Confirm understanding with everyone who handles sensitive data, since even one person can cause a serious violation.

We’ve been performing virtual audits for years, so please think of us as a resource—we’re happy to help check your data security protocols. Schedule your complimentary appointment with Cassell Plan Audits at 630.886.7669.