Privacy Policy | National Benefit Services

Privacy Policy

Security, Privacy, and Terms of Use

Effective 05/18/2021

Security and Privacy

General

We know you trust us with personal and private information.  We feel we have a responsibility to provide you a secure online experience and give you the tools and information you need to manage and protect your online privacy.  This disclosure informs you about the information this web site collects, who may receive it, what we do with it, and how we protect it. We do not sell client lists or client information.  We do not share client information with outside parties except as necessary to provide our services or if we are required to do so by law.

For clarification about this policy or if you have questions, feel free to contact us.

How to contact us

If you have questions or concerns, email service@nbsbenefits.com, call 800-274-0503.

To report a security problem or incident, email incident@nbsbenefits.com.

How and why we collect information

NBS requests information from client plan sponsors to initially establish plan sponsor (account) and plan records.  This information includes information about the sponsoring employer, bank accounts used for electronic payments, plan specifications, and contact information.  These records and all other records relating to the plan are stored in systems managed, maintained, and hosted by NBS and in systems of third-party partners who are obligated to protect data to standards satisfactory to NBS.  These systems are collectively referred to as “NBS systems” throughout this narrative.

During the course of plan operations, participant accounts are created through enrollment, election, or other files provided by the plan sponsor or by participants accessing web-based NBS systems and setting up their own accounts.  In some cases, NBS provides this information to other parties such as investment companies, banks, insurance companies, or other financial institutions in order to establish investment accounts, issue debit cards, and make appropriate payments necessary for the plan to operate.

Participant account information is further acquired by NBS through various means including contribution files submitted by plan sponsors, account balance files received from investment providers or banks, insurance companies or health plan providers, debit card transactions from retail stores or medical facilities, and claim reimbursement or distribution requests submitted by participants.  NBS obtains this information in a variety of ways including secure FTP connections with institutions, participant and plan sponsor submissions through web-based NBS systems, file downloads from investment companies, faxes, and mail.

This information is stored in NBS systems.  The information is used by NBS to administer benefit plans; provide useful features to plan participants; verify the identity of individuals; create reports and account statements for plan sponsors and participants; perform required government fillings and tax reporting; and ensure plans are operated in compliance with laws, regulations, legal plan documents, and official plan procedures.  Information is made available to the plan sponsor’s representatives, plan participants, the plan’s designated advisor or broker, and government agencies, as appropriate.  Information is shared through the web-portals of NBS systems, partner organization systems, and other secure transmission methods.

Some information about users of our websites such as browser type, access time, and referring site address is automatically collected and used to maintain quality of service and provide general site usage statistics.  NBS does not track users’ activities across other third-party sites or services.

In some cases, you may review and change your personal information directly through the NBS website.  Otherwise, you may request to review or change your personal information by contacting us by email at service@nbsbenefits.com, or calling 800-274-0503.

Information we collect

NBS collects a variety of information about plans, individuals (plan participants), and financial accounts.  The kind of information collected varies depending on the type of plan or benefit such as a 401(k) plan, a flexible spending account (FSA), health reimbursement arrangement (HRA), health savings account (HSA), 403(b) plan, or COBRA plan.

HIPPA Privacy Notice

In some situations, NBS collects health or medical information about you, your dependents, and other plan participants as necessary to administer applicable benefit plans.  For additional disclosure about health and medical information, please see our HIPPA Privacy Notice: HIPAA Privacy Notice 2020

NBS availability commitment

NBS provides online tools to enhance the experience of our partners and clients. These tools include website, data collection, and communication tools such as SFTP, HTTPS file upload, and Secure Email. All relevant NBS tools have a minimum uptime availability of 99% excluding regular scheduled maintenance. Regular scheduled maintenance typically happens on the third Friday of every month.

Security is everyone’s responsibility

We take safeguarding your information seriously. In fact, we believe keeping your information safe and secure is every employee’s responsibility. However, even the best security measures can only prevent malicious activity if you are also vigilant and employ safeguards to protect your information. For example, you should not share passwords to NBS sites and you should transmit information to NBS using the secure methods that have been provided. If you become aware of or suspect a security problem, contact NBS immediately at incident@nbsbenefits.com.

How we keep information safe

We use a variety of industry-leading and externally audited security practices to protect your data. We maintain physical, electronic, and procedural safeguards to help prevent unauthorized access to and improper use of personally identifiable information.  Some of the ways which we keep information safe include:

  • Whether you visit us online or by phone we always verify your identity before granting access to your accounts.
  • We watch for suspicious irregularities across our network and infrastructure every day and quickly take appropriate action.
  • Firewalls protect NBS networks and computer systems from hackers and cyber-attacks by defining, controlling, and limiting access to websites, networks, and computer systems.
  • We do not store sensitive data on unencrypted portable media such as laptops, external hard drives, flash drives, or other devices.
  • A browser can communicate securely with a website by encrypting information as it passes across the internet. We require the use of browsers which support encryption to log into our websites.
  • Sensitive data which is transmitted outside the NBS network is encrypted according to industry standards.
  • We use software to regularly scan and assess our systems for threats and vulnerabilities. We also regularly engage the services of outside experts to look for potential weakness.  Potential threats and vulnerabilities are reviewed and prioritized for remediation.
  • We use Intrusion Detection Systems to detect and identify potential intruders to our systems.
  • A time out feature is used on selected portions of our website. This feature will automatically log you out of your current online session after a period of inactivity. Re-establishing and authenticating your credentials for your online session helps prevent unauthorized access to your account.
  • NBS uses “always on” (enforced TLS) encryption tunnels to communicate with plan sponsors or, if preferred, secure messaging. To access secure messaging, users must log in and authenticate.
  • We regularly engage the services of outside experts to perform security reviews of our online services and systems.
  • We store copies of client data in geographically diverse collocations in the United States. Data is replicated in real time and, in the event of failure at one location, we can quickly restore system availability using the backup data.  The collocation companies maintain the highest standards of security and availability.
  • We regularly test our disaster recovery procedures to ensure we can our systems and services are available with minimal disruptions.
  • Our offices are secured and monitored to prevent theft and damage. Authorized personnel can only enter work areas through use of a security badge.
  • We limit access to systems containing customer data to only those employees who need it to conduct business. We carefully monitor access and only grant it to appropriate employees on a case-by-case basis.
  • Our employees are trained on our security policies and procedures and work diligently to protect the integrity of your information.
  • We make sure that our employees know and adhere to our security policies. We require periodic training on our security policies for all employees.
  • We utilize onsite shredding services of paper documents to ensure obsolete records are securely disposed of.

Passwords

You are required to establish and use a password and user ID to access certain online services.  You must keep your ID and password confidential.  Your account and password should never be shared with another person.  NBS will never ask for your password.  NBS employees do not have access to the passwords you establish.

Email

NBS will not send confidential or protected information (such as social security numbers) by unsecured email.  Similarly, you should avoid sending sensitive information to us through unsecured email.  If you are an employer or plan sponsor you should use this website or secure email to send information.  If you are a plan participant you should send information by mail, fax, or through this website.

Our service partners

In some cases, NBS offers services to clients through software partnerships.  NBS owns all partner commitments established through service agreements.  The software partner may provide systems and infrastructure that make up the NBS platform.  NBS requires partners to maintain high standards of security and privacy and these relationships are reviewed and updated as necessary.

Links to other sites

Some NBS websites may contain links to other sites not under our control.  We provide these links as a convenience to you but we are not responsible for the contents of linked sites nor does inclusion of any link imply endorsement by NBS.

SOC audit reports

NBS strives to provide appropriate validation of security and availability safeguards.  A mixed approach of internal testing and third-party independent attestation reports are used to provide this assurance.

SOC 1

NBS makes available a Service Organization Controls 1 (SOC 1), Type II report.  The report was prepared in accordance with the attestation standards of the American Institute of Certified Public Accounts, using the Audit and Accounting Guide, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SOC 1) (v. January 1, 2017).

Our SOC 1 report addresses relevant aspects of our internal control environment, including controls over our retirement and cafeteria benefit plan administration and transaction processing. The SOC 1 report audit attests that NBS control objectives are appropriately designed and that the controls safeguarding client data are operating effectively.

SOC 2

NBS also makes available a Service Organization Controls 2 (SOC 2), Type II, report.  The report was prepared based on the criteria for a description of a service organization’s system set forth in DC section 200, 2018 Description Criteria for Description of a Service Organization’s System in a SOC 2 Report to provide reasonable assurance that relevant service commitments and system requirements were achieved based on relevant trust services criteria.

The NBS SOC 2 is an evaluation of the design and effectiveness of controls that meet the criteria for security and availability set forth in the AICPA’s Trust Services Principles criteria. This report provides additional transparency into NBS’s safeguards based on defined industry standards and further demonstrates NBS’s ability to protect client data.

To obtain a copy of NBS’s SOC 1or SOC2 report, contact your NBS relationship manager.

For additional information about SOC 1, SOC 2, and audit controls, see nbsbenefits.com/data.

Changes to Security and Privacy Notice

NBS may make changes to this Security and Privacy Notice at any time. In the event of a change, the updated version of the notice will appear on this page with the effective or changed date in the upper left-hand corner.

California Privacy Notice

California law requires that we provide you certain privacy-related information. The information on this webpage fulfills those requirements. In addition, please review our Privacy Notice for California Residents for information regarding your rights under the California Consumer Privacy Act of 2018 (CCPA).

Nevada Privacy Notice

Nevada law requires that we provide you certain privacy-related information. The information on this webpage fulfills those requirements.

Terms of Use

The NBS online portal is comprised of this and other websites and web pages operated by NBS.  By accessing this online portal, you acknowledge and agree to without modification the terms and conditions below. If you do not agree to the terms and conditions you should not access the NBS online portal.

NBS does not provide medical, legal, or financial advice. You should consult an appropriate professional for specific advice tailored to your situation.

Modification of these Terms of Use

NBS reserves the right to change the Terms of Use at any time.  Continued use of the NBS online portal signifies your acceptance of any changes.

Unauthorized use

Unauthorized use of the NBS online portal is strictly prohibited.  Unauthorized use includes using the portal in any manner which could damage, disable, overburden, or impair the portal or interfere with any other party’s use and enjoyment of the portal.  Unauthorized or unlawful use or disclosure of information about individuals or plan participants is strictly prohibited and will result in civil and criminal penalties under federal and state laws.  You may not attempt to obtain any materials or information through any means not intentionally made available or provided for through the portal.  You may not misuse passwords or misuse any information made available through the portal.

Passwords

You are required to establish and use a password and user ID to access certain online services.  You must keep your ID and password confidential.  Your account and password should never be shared with another person.

Admin accounts

Certain users of the NBS online portal are issued admin accounts which provide necessary access to plan sponsor records.  For example, a plan’s trustee, human resource representative, or advisor/broker may be issued admin accounts which provides access to information for all participants of the plan.  It is the responsibility of the plan sponsor to notify NBS when staffing, relationship, or work responsibilities change such that admin access for the user is no longer appropriate.  NBS will modify or disable the account accordingly.  NBS will not be held liable for the plan sponsor’s failure to notify NBS in a timely manner that a user’s account should be changed or disabled.

In some cases, based on instructions to NBS from authorized plan representatives, certain admin users are given the ability to create and issue new accounts to other users.  The plan sponsor is responsible to ensure new accounts issued in this manner are appropriate.  NBS will not be held liable for the plan sponsor’s failure to provision or administer these accounts appropriately.

Use of cookies

The NBS online portal use “cookies” to help you personalize your online experience. A cookie is a text file that is placed on your hard disk by a Web page server. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you, and can only be read by a web server in the domain that issued the cookie to you.
One of the primary purposes of cookies is to provide a convenience feature to save you time. The purpose of a cookie is to tell the Web server that you have returned to a specific page. For example, if you personalize NBS pages, or register with the NBS Portal site or services, a cookie helps us to recall your specific information on subsequent visits. This simplifies the process of recording your personal information, such as addresses, alternate addresses, and so on. When you return to the same portal pages, the information you previously provided can be retrieved, so you can easily use the portal features that you customized.
You have the ability to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. If you choose to decline cookies, your experience on the NBS web portal may be limited or impaired.

Some web browsers include “Do Not Track” settings.  The NBS system does not respond to Do Not Track settings.

Legal notices

Liability disclaimer
The information, software, products, and services included in or available through the NBS online portal may include inaccuracies or typographical errors.  Changes or improvements may be made to the website at any time.
NBS makes no representations about the suitability, reliability, availability, timeliness, and accuracy of the information, software, products, services and related graphics contained in the NBS online portal web site for any purpose.  To the maximum extent permitted by applicable law, all such information, software, products, services and related graphics are provided “as is” without warranty or condition of any kind. NBS hereby disclaims all warranties and conditions with regard to this information, software, products, services and related graphics, including all implied warranties or conditions of merchantability, fitness for a particular purpose, title and non-infringement.

To the maximum extent permitted by applicable law, in no event shall NBS be liable for any direct, indirect, punitive, incidental, special, consequential damages or any damages whatsoever including, without limitation, damages for loss of use, data or profits, arising out of or in any way connected with the use or performance of the NBS online portal, with the delay or inability to use the NBS online portal or related services, the provision of or failure to provide services, or for any information, software, products, services and related graphics obtained through the NBS online portal, or otherwise arising out of the use of the NBS online portal, whether based on contract, tort, negligence, strict liability or otherwise, even if NBS has been advised of the possibility of damages. Because some states/jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. If you are dissatisfied with any portion of the NBS online portal, or with any of these terms of use, your sole and exclusive remedy is to discontinue using the NBS online portal.

Copyright

All contents of the NBS online portal are copyright National Benefit Services, LLC.  All rights reserved.
Unless otherwise indicated, information included in the NBS online portal is owned by NBS and cannot be copied, distributed, transmitted, or displayed in any manner without prior written consent.

Applicable law, jurisdiction, and venue

To the maximum extent permitted by law, this agreement is governed by the laws of the State of Utah, and you hereby consent to the exclusive jurisdiction and venue of courts in Salt Lake County, Utah, U.S.A. in all disputes arising out of or relating to the use of the NBS online portal. Use of the NBS online portal is unauthorized in any jurisdiction that does not give effect to all provisions of these terms and conditions.

Contact Information

How to contact us

If you have questions or concerns, email service@nbsbenefits.com, call 800-274-0503.

To report a security problem or incident, email incident@nbsbenefits.com.