Educational Assistance Programs: A Valuable Benefit for Employee Development
Educational assistance programs let employers help pay employees' tuition and student loan expenses tax-free, and new IRS guidance clarifies how they work.
Questions about your benefits? Contact your HR administrator.
The IRS recently highlighted the importance of maintaining a Written Information Security Plan to protect sensitive HR and benefits data from cyber threats.
HR and benefits departments manage some of an organization’s most sensitive information, including Social Security numbers, payroll records, health plan elections, dependent information, tax reporting data, direct deposit information, and employee medical information. As cyber threats continue to evolve, employers should take steps to ensure they have a documented approach to protecting that information.
The IRS recently highlighted the importance of maintaining a Written Information Security Plan (WISP). While the IRS guidance is directed toward tax professionals, the same principles apply to employers, HR departments, benefits administrators, payroll teams, and any organization that collects, stores, or transmits confidential employee information.
A WISP is a written document that outlines how an organization protects sensitive information, identifies risks, responds to security incidents, and continuously evaluates its security controls. The most effective plans are tailored to the organization’s size, complexity, technology environment, and the type of information it handles.
According to IRS guidance, a strong information security program should focus on several core areas:
Organizations should also designate one or more individuals responsible for overseeing the information security program, assessing risks, implementing safeguards, and monitoring compliance with security policies.
Although every organization is different, HR and benefits teams should consider whether their security program addresses the following areas:
Access Controls
Employee information should only be accessible to individuals with a legitimate business need. User accounts should be unique to each employee, permissions should be based on job responsibilities, and access rights should be reviewed periodically. Shared logins should be avoided whenever possible.
Password and Authentication Practices
Strong password requirements and multi-factor authentication (MFA) can significantly reduce the risk of unauthorized access. MFA is especially important for benefits administration platforms, payroll systems, email accounts, and remote access tools.
Employee Training
Many security incidents begin with phishing emails, fraudulent text messages, or social engineering attempts. Regular employee training can help staff identify suspicious communications and understand their responsibilities when handling confidential information.
Vendor Management
HR departments often rely on payroll providers, benefits administrators, enrollment platforms, COBRA administrators, brokers, consultants, and other service providers. Organizations should evaluate whether vendors maintain appropriate safeguards and understand how employee information is stored, processed, and transmitted.
Data Backup and Recovery
Security planning should include procedures for backing up important data and restoring systems following a cyber incident, ransomware attack, hardware failure, or natural disaster. Organizations should periodically test their backup and recovery processes to verify they function as intended.
Physical Security
Information security is not limited to electronic systems. Employers should consider how paper records, personnel files, benefit enrollment forms, and other physical documents are protected from unauthorized access.
Incident Response Planning
A WISP should outline how the organization will respond if a security incident occurs. This may include identifying key decision-makers, documenting notification procedures, preserving evidence, coordinating with vendors, and communicating with affected individuals when necessary.
Regular Reviews and Updates
One of the IRS’s key recommendations is that security plans should not remain static. Organizations should periodically review and update their WISP to account for changes in technology, staffing, business operations, and emerging threats. A plan developed several years ago may no longer adequately address today’s cybersecurity risks.
As part of an annual review, HR and benefits professionals may want to ask:
Employee and benefits data remain attractive targets for cybercriminals. A Written Information Security Plan helps organizations establish a structured framework for protecting that information, reducing risk, and responding effectively when incidents occur. For HR and benefits professionals, a well-maintained WISP can serve as an important component of a broader privacy, security, and compliance strategy while helping safeguard the sensitive information employees entrust to their employer.
Benefit Allocation Systems (BAS) provides online solutions for: Employee Benefits Enrollment; COBRA; Flexible Spending Accounts (FSAs); Health Reimbursement Accounts (HRAs); Leave of Absence Premium Billing (LOA); Affordable Care Act Record Keeping, Compliance & IRS Reporting (ACA); Group Insurance Premium Billing; Property & Casualty Premium Billing; and Payroll Integration.
MyEnroll360 integrates with major insurance carriers for enrollment eligibility management (e.g., Blue Cross, Blue Shield, Aetna, United Health Care, Kaiser, CIGNA and others), and with leading payroll platforms for enrollment deduction management (e.g., Workday, ADP, Paylocity, PayCor, UKG, and others).
This article is for informational purposes only and is not intended as legal, tax, or benefits advice. Readers should not rely on this information for taking (or not taking) any action relating to employment, compliance, or benefits. Always consult with a qualified professional before making decisions based on this content.