Cybersecurity Risks to Employee Benefit Plans - Are You Prepared?

18 December 2017 Labor & Employment Law Perspectives Blog
Authors: Belinda S. Morgan

Unless you’ve been living on a remote mountaintop or inside a cave for the past 10 years, chances are good you’ve either been affected by a cybersecurity breach or know someone who has. Among many other businesses, recent cybersecurity breaches have affected large retailers and bankers, internet providers, and even the U.S. government. The 2017 breach of Equifax (one of the largest credit bureaus in the U.S.) left the names, Social Security Numbers, birthdates and addresses of more than 140 million Americans exposed to hackers.

Cybersecurity Threats to Employee Benefit Plans and Service Providers. In light of the high cost of a cybersecurity breach – including not only financial costs, but also potential damage to a business’ reputation – most companies have strengthened their overall cybersecurity protocols. They may not,  however, have fully considered the threat hackers pose to participant data collected for their employee benefit plans.

Hackers have recently targeted benefit plans and plan service providers (such as third-party administrators, record keepers, trustees, etc.), viewing them as valuable targets due to the participant data they must maintain. Plans and service providers have fallen victim to schemes to steal participant data, fraudulent transfers of participant assets (through direct transfers and fraudulent plan loans), and ransomware attacks.  Even though only a relatively small number of such attacks have occurred (so far), they have resulted in millions of dollars in losses.

Duty to Protect Participant Data. The Employee Retirement Income Security Act of 1974, as amended (ERISA), doesn’t currently require plan sponsors to safeguard participants’ personally identifiable information (though that may one day change).  Even without a specific statutory or regulatory requirement to protect such data, however, ERISA Section 404 still requires benefit plan sponsors and other fiduciaries to administer their plans for the exclusive benefit of plan participants and beneficiaries, and with the “care, skill, prudence, and diligence under the circumstances that a prudent man acting in a like capacity and familiar with such matters would use.”  That likely includes protecting participants’ personal information.

ERISA Advisory Council Recommendations. The ERISA Advisory Council (the Advisory Council), a committee that advises the Department of Labor on ERISA matters, has been concerned about cybersecurity risks to employee benefit plans for several years.  In its 2016 report discussing those risks, the Advisory Council advised plan sponsors to adopt procedures for: (i) understanding what data might be subject to cyberattacks; (ii) responding to cyberattacks; and (iii) recovering from cyberattacks. The Advisory Council stressed the need for plan sponsors to thoroughly vet their service providers and to negotiate contract provisions to lower or mitigate the costs of correcting a possible cyberattack on a plan.  Finally, the Advisory Council encouraged plan sponsors to review and understand the limitations of their business insurance coverage, and consider cyber insurance to address possible coverage gaps.

As part of their ERISA duty to monitor plan service providers, plan sponsors must understand how their service providers store and protect the participant data they handle. Plan sponsors should also understand the providers’ procedures for breach notification, including any obligations they may have to notify participants or governmental authorities.  Plan sponsors can glean this information from reviewing the agreements with their benefit plan providers and from discussions with those providers.

If (or more likely, when) a cybersecurity breach occurs, plan sponsors should have a plan in place for addressing the breach. It should include procedures for how the sponsor, likely working with its service providers, will communicate with plan participants  who may be anxious about the breach and protecting their data.  Sponsors should also have a process for determining how a breach will be corrected and what remedies will be used.  Sponsors should document both their overall process for responding to cybersecurity breaches and any steps they take in correcting an actual breach.  This will help show that they acted prudently in the face of the breach.

When implementing a cybersecurity risk management strategy, plan sponsors should remember that one size does not fit all.  The sponsor’s approach will depend on its own circumstances, balancing the need to protect plan participant data and the sponsor’s own business needs.  For instance, rather than adopting a completely new cybersecurity policy for its benefit plans, a sponsor might “piggyback” that policy onto the sponsor’s general cybersecurity policies.

Given the growing cybersecurity risks to employee benefit plan participant data, plan sponsors should have procedures and policies in place to protect that data, and should be prepared to quickly respond to and resolve any breaches that may occur.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.

Related Services