Is Your Plan Cybersecure Right Now?
Not a day goes by without another news story about a cybersecurity incident compromising the data of a few million people. Not to be too cynical, but it is no longer big news. Yet, in the employee benefits world, cybersecurity has been back-burnered even though cybersecurity claims have emerged as a new frontier in ERISA fiduciary duty litigation and the Department of Labor, some time ago, said it would issue cybersecurity guidance to assist plan fiduciaries and service providers to protect participant data and assets.
On April 14, 2021, the DOL did just that, issuing three separate “guides” aimed at 1) plan sponsors/fiduciaries; 2) participants/beneficiaries; and 3) plan service providers, along with a warning from the Acting Assistant Secretary for Employee Benefits Security of the “importance that plan sponsors and fiduciaries must place on combatting cybercrime.” So what should an employer or other plan fiduciary know and do right now? Sorry, Scarlett O’Hara, “tomorrow is not another day” when it comes to protecting participant data and plan assets.
I. What Does ERISA Require Right Now?
The language of ERISA itself does not explicitly “require” anything of plan fiduciaries right now as to cybersecurity. However, the DOL’s just-issued guidance states unequivocally that “Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.”
And although no court has yet matched the DOL’s pronouncement, there have been at least three cases (pre-DOL guidance) in which participants have alleged that employers and other plan fiduciaries breached the fiduciary duties of loyalty and of prudence by causing/allowing a plan to make unauthorized distributions of plan funds or assets and/or failing to monitor recordkeeper/custodial distribution processes and other administrative acts. Although two of these cases were settled, one case, Barnett v. Abbott Laboratories, Case No. 20-CV-2127 (E.D. Ill. 2020), is ongoing and worth taking a look at, particularly in light of the DOL’s guidance.
In Barnett, a retired participant sued, among others, the plan sponsor and the third party administrator, alleging that they had breached their fiduciary duties of loyalty and prudence by, among other things, allowing unknown person(s) to access her retirement account online, reset her password and transfer $245,000 from her plan account to a bank account that was not hers and, as to the plan sponsor, by failing to monitor the third party administrator. Although the court has now twice dismissed the claims against the plan sponsor (the second time just last February), it has twice given plaintiff the chance to amend her claims against the plan sponsor after taking discovery to “beef up” her allegations that the plan sponsor breached its duties in hiring/retaining the third party administrator.
Apart from the potential for implied cybersecurity fiduciary duties, DOL regulations right now do expressly impose a cybersecurity duty with respect to the electronic transmission of personal participant information. Section 2520.104b-1(c)(1)(i) requires fiduciaries to take “appropriate and necessary measures reasonably calculated to ensure that the system for furnishing documents…protects the confidentiality of personal information relating to the individual’s accounts and benefits (e.g., incorporating into the system measures designed to preclude unauthorized receipt of or access to such information by individuals other than the individual for whom the information is intended).” DOL Reg. Section 2520.104b-1(c)(1)(i) (emphasis added).
In short, although neither ERISA nor any court has expressly identified exact cybersecurity protective measures that fiduciaries must take, nor, as of now, has a court held an employer or other fiduciary liable for a loss caused by a cybersecurity breach, participants can be expected to rely on the new DOL guidance to argue that ERISA requires fiduciaries, as part of their duties of loyalty and prudence, to protect participant assets and personal information from cybertheft right now.
II. So What Should Employers/Other Plan Fiduciaries Do Right Now?
First, plan fiduciaries right now should take ownership of their duties both 1) to protect participant data and plan assets within the sponsoring company or “in-house”; and 2) to ensure that “outside” service providers have strong cybersecurity practices that apply to their plans. To get started right now:
In-house: Plan fiduciaries should:
1. Determine immediately whether there is a written cybersecurity program that already applies to the plan, e.g., the employer may have its own cybersecurity processes that already cover plan activities. If there is none, then the plan fiduciaries will need to promptly establish a written program that complies with the DOL’s best practices guidance.
For any cybersecurity program that applies to an employee benefit plan:
Determine whether the program complies with the DOL Best Practices.
Consider engaging cybersecurity experts to review/evaluate the program (these could be the Company’s own internal experts).
Determine, with assistance of cybersecurity personnel/experts, that the program is designed to both: (i) protect participant data such as Personally Identifiable Information, Protected Health Information, participant enrollment data, account balances, and (ii) avoid, detect and combat cybertheft of plan assets.
Determine and evaluate how the program defines a security incident/breach that triggers responsibility/liability to determine if the definition is sufficient for plan purposes.
Evaluate the program’s notice and remedial procedures in the event of a security incident/breach or cybertheft incident to determine if they are sufficient for plan purposes.
Evaluate backup plans and disaster recovery protections in the event of a natural disaster, ransomware or similar attack.
2. Ensure, with assistance of cybersecurity personnel/experts, that whatever system the Company uses to store and transfer data relating to plan participants is “reasonably calculated” to protect the transmitted information within the meaning of the DOL regulation discussed above.
3. Provide best practices education and training, including fiduciary training, to all personnel who handle participant data and assets.
4. Provide best practices education and training to participants with respect to accessing and protecting their plan accounts, and test participant compliance regularly (e.g., simulated phishing attacks, etc.). This is particularly critical in these widespread pandemic-related remote work at home times. Education and training should include all topics (e.g., strong passwords, phishing, account monitoring, etc.) covered in the DOL’s recently issued “Online Security Tips” for participants/beneficiaries.
5. Review existing insurance policies (fiduciary, ERISA fidelity bond, cyber insurance, employment practices liability insurance, general liability insurance) to determine if cyber risks are covered. Work with your insurance brokers and/or other consultants to secure adequate coverage.
6. Consult with ERISA counsel regarding whether participant best practices should be set forth in the Summary Plan Description, enrollment forms or other participant communications and/or whether other measures should be taken as a defense against fiduciary breach claims.
Outside Service Providers: Plan in-house fiduciaries should:
Evaluate all existing and potential service provider agreements and relationships to determine whether each service provider has a written cybersecurity program that adequately protects plan/participant data and assets. The DOL’s recent guidance, “Tips for Hiring A Service Provider with Strong Cybersecurity Practices,” lists helpful steps in vetting the service provider’s program, most of which are covered here:
If the service provider does have a written program:
Review the program and ensure, with in-house or outside cybersecurity expert assistance, that it meets the DOL Best Practices as well as applicable cybersecurity industry standards and applicable federal, state, and foreign cybersecurity and privacy laws.
Review and ensure that the program contains an acceptable definition of “security breach” or other cyber-incident of which a participant would expect notice and remediation.
Review and ensure that the program provides for notice of a breach or other cyber-incident, remediation of loss and other remedies in the event of a breach.
Obtain and review the service provider’s track record regarding security incidents and remediation.
Obtain and review historical third-party cybersecurity audits (for example, an auditor’s AICPA SOC 2 report) of the provider’s program.
Review relevant cybersecurity/other insurance.
Ensure that the service agreement:
expressly incorporates the written program as a covenant by the service provider, the breach of which would trigger indemnity obligations.
does not let the service provider “off the hook” for cybersecurity (and confidentiality) breaches elsewhere in the agreement.
provides for continuing annual third-party cybersecurity audits and the right to conduct your own audit.
If it does not have a written program, or worse, it will not provide its program:
Consider engaging a different service provider.
Draft and include in the service agreement comprehensive cybersecurity provisions, including but not limited to restrictions on the service provider’s use of participant data and other information.
Either way, employers and other plan fiduciaries must periodically monitor and document the service provider’s cybersecurity compliance throughout the term of the service agreement.
Plan fiduciaries cannot wait for “another day”; they need to examine existing cybersecurity protection and/or move quickly right now to put in place prudent and appropriate safeguards to protect participant data and assets on both the “in-house” and “out-house” fronts. The time is right now, as the DOL has said, to mitigate the loss from a potential fiduciary breach down the road.
© Boutwell Fay LLP 2021, All Rights Reserved. This handout is for information purposes only and may constitute attorney advertising. It should not be construed as legal advice and does not create an attorney-client relationship. If you have questions or would like our advice with respect to any of this information, please contact us. The information contained in this article is effective as of May 2021.