Cybersecurity Risks to Benefit Plans

Headlines tell the story about the cybersecurity threats facing consumer or customer data, but employee data can be an information security target as well. Employee data carries a lot of the information that cyber criminals seek, including Social Security numbers, dates of birth, financial and medical information, bank account details, beneficiary information and confidential emails. Former employee data may also be vulnerable if your plan has weak employee off-boarding procedures which may inadvertently result in storing old information off-network.

The number of cyber attacks continues to rise. Employee benefit plans should evaluate their protocol to make sure they are prepared for the risks in their environment.

State Requirements

Regulators are cracking down on information security protocol. Benefit plan administrators should be aware of the laws and adjust their administrative practices accordingly. Many states have notification laws and other reporting obligations that define when a breach has occurred, who needs to be notified of a breach and when the breach notification should be received.

Benefit plans should review their plan participant data and identify the states that might need to be involved should a breach occur. Focus on the state of residence of the plan participant, not the brick and mortar location of the plan administrator when determining your data security nexus. For pension plans, the states involved could be any state in which a retiree lives. It may also include beneficiaries' states of residence.

States may have unique requirements around disposal of sensitive, personally identifiable information (PII) or particular Social Security protection laws, such as not mailing items with a plan participant's full Social Security number. Requirements may also be in place around protecting medical information.

Please note: the Employee Retirement Income Security Act of 1974 (ERISA) has a preemption for state laws and their relation to ERISA-qualified plans. The exemption has two aspects:

  • Express preemption under ERISA §514(a) and
  • Preemption due to a conflict with ERISA's exclusive remedial scheme set forth in ERISA §502(a).

State laws that duplicate, supplement or supplant the ERISA civil enforcement to recover benefits under the terms of the plan, enforce rights under a plan or clarify rights to future benefits under a plan are preempted when it conflicts with the clear Congressional intent to make the ERISA remedy exclusive.

What does ERISA Say about Data Security?

ERISA indirectly addresses data security and the protection of sensitive PII through the Duty of Care or Prudent Expert Rule. Under Duty of Care, a fiduciary must act with the care, skill, prudence and diligence that a prudent person activing in a like capacity and familiar with such matters would use in similar circumstances.

No clear guidance has come from the Department of Labor (DOL) yet to clarify the fiduciary's responsibility in protecting participant PII. The ERISA Advisory Council issued a report in November 2016 to the DOL that provides cybersecurity best practices and considerations for plan sponsors, fiduciaries and service providers. Cybersecurity Considerations for Benefit Plans focuses on vulnerabilities in employee benefit plans, caused in part by the number of users and service providers and the lack of regulatory framework. The DOL has yet to act to clarify the cybersecurity issue.

What Plan Sponsors can do to Protect Themselves from Personal Liability

ERISA holds a fiduciary who breaches any of Duty of Care personally liable for any losses to the plan that result from breach of duty. Plan sponsors can limit their personal liability for a data breach if they can demonstrate the plan had security policies in place and the fiduciary took reasonable steps to safeguard plan data or had undertaken proper due diligence in selecting a plan service provider.

Fallout from the Target breach also indicates that plan sponsors may be successful in mitigating the personal liability element of a cyber attack. Target shareholders filed derivate action against Target directors and executive offices, but a Special Litigation Committee recommended the derivative action be dismissed.

How Benefit Plans can be Protected from Cybersecurity Incidents

A robust information security program is vital to the protection of employee benefit plans. A written plan that identifies and controls risks to information and information systems should be in place. It is recommended that information security plans include how to properly dispose of PII, data inventory and classification, policies and procedures and an incident response plan.

Plan sponsors should also undertake a Security Awareness Program. The program should reflect the plan's attitude toward protecting physical and intellectual assets of the organization, and include elements of employee training and controlled testing of information security program components.

Information security programs should be baselined to leading industry standards and frameworks, like the National Institute of Standards and Technology. Policies and procedures must also be enforced to be effective.

For More Information

To learn more about how employee benefit plans can protect their PII, please contact us.

Related Reading

Published on June 29, 2017