ERISA/Cybersecurity Considerations in the COVID Age | Blogs | Privacy, Cybersecurity & Technology Law Perspectives

“Because that’s where the money is,” was the famous quote fictitiously attributed to Willie Sutton when asked why he robbed banks. Given the trillions of dollars held by employee benefit plans, these plans are prime targets for cybercriminals. Plan participants also are increasingly accessing their plan information business online, but are not always reviewing their account history for accuracy. Plan participants, administrators, and service providers are also prime targets for cybercrime, especially as a result of issues caused by COVID-19. In fact, since the rollout of the Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”), there has been a dramatic increase in the number of 401(k) plan participants seeking distributions and loans.

Plan sponsors are now faced with the detailed compliance requirements of the Employee Retirement Income Security Act of 1974, as amended (“ERISA”), and cybersecurity laws. Since ERISA pre-dates modern computing, ERISA regulations are silent regarding cybersecurity. Neither the Department of Labor (“DOL”) nor the IRS have issued any formal guidance addressing cybersecurity obligations under ERISA. COVID-19 has resulted in more employees working remotely and further complicated ERISA/cybersecurity related considerations. Regardless, ERISA mandates that plan fiduciaries meet certain standards of conduct.

Understanding who may be considered an ERISA plan fiduciary, including a determination of their fiduciary obligations with respect to a plan, its participants, and beneficiaries, is critical. Plan fiduciaries are always the prime target for potential liability (i.e., including for alleged breach of fiduciary duty). Plan fiduciaries must address data breach matters. So, what can fiduciaries do to minimize their cybersecurity liability? Continue reading to find out…

Who is an ERISA fiduciary?

An ERISA fiduciary (see subsection (21), “29 U.S. Code § 1002. Definitions”) includes any person to the extent such person has discretionary authority or control over plan management or assets. This also extends to plan administration and those who render investment advice for a fee with respect to plan assets. ERISA fiduciaries can include plan sponsors, trustees, plan administrators, third-party administrators, investment advisors, and investment managers.

So, is personal information a plan asset?

While there is no formal guidance as to the applicable fiduciary standards under ERISA with respect to cybersecurity, a plan asset will be determined by the facts and circumstances. While confidential participant data may not be deemed to be a plan asset as it is not property that is capable of being monetized to fund retirement benefits,¹ state data breach laws, which may give rise to other fiduciary obligations, may apply. Accordingly, a conservative approach would be to take reasonable actions to protect the plan assets, including participant personal information. Plan account funds are always considered to be plan assets, and ERISA’s fiduciary protections will apply in the event that such account funds are compromised.

So, what obligations does an ERISA fiduciary have with respect to an ERISA-covered employee benefit plan?

Once again, ERISA is very clear regarding what’s required:

“. . . a fiduciary shall discharge his duties with respect to a plan solely in the interest of the participants and beneficiaries, and for the exclusive purpose of (i) providing benefits to participants and their beneficiaries, (ii) defraying reasonable expenses of administering the plan; and (iii) with the care, skill, prudence and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims.”

While there’s no formal guidance from the DOL or the IRS regarding plan cybersecurity, in 2015, the ERISA Advisory Council outlined certain cybersecurity obligations for all plan fiduciaries in “Cybersecurity Considerations for Benefit Plans.” In addition, plan fiduciaries should consider industry best practices that would be generally applicable to similar industries, such as financial and healthcare and apply cybersecurity protocols as applicable to their own organizations.

Does this mean we are off the hook under ERISA with respect to Cybersecurity?

Very unlikely.

So, what should the Plan Committee consider and do?

It is critical that participant data and, if applicable, plan investments be protected from attack. In particular, the Committee must ensure that technical, physical, and administrative safeguards are in place and are designed to protect the confidentiality, integrity, availability, and resiliency of plan assets, and that such safeguards meet the Committee’s legal obligations and industry standards.

Regardless of the Committee’s efforts, a cyber-attack may occur. A key factor in understanding potential liability will be determined by how the Committee responds to and manages any cyber-attack if, as, and when one occurs. It is entirely possible that despite the occurrence of a cyber-attack, the Committee or other responsible fiduciary may not have violated ERISA’s prudence standard and requirement to discharge its duties with respect to an employee benefit plan solely in the interest of participants and beneficiaries.

Several key considerations include:

Does the Committee have a cyber-risk management strategy and plan to protect participant data and plan investment information, including a comprehensive and clear cybersecurity program?

As part of the risk assessment, the Committee must regularly review the program in light of the sensitivity and nature of the plan’s assets and the risk of loss, as well as the potential liabilities that such loss could create. Minimally, the plan should address preparation, detection, containment, eradication, and recovery, and post-incident review, including lessons learned and revising the plan to account for any shortcomings. As part of its plan, the Committee should consider whether to identify, review, and include any outside service providers, including forensics, PR, notification providers, and counsel as part of the plan. Once an incident occurs, it may be too late to start conducting diligence on the service providers or negotiate favorable contract terms.
Has the Committee properly inquired to the plan’s applicable third party service providers with respect to their cybersecurity practices and what safeguards have been implemented?

Has the third party’s cybersecurity program been validated and tested? Are the employees, agents, and subcontractors aware of and trained on their obligations? Is there an obligation to report breaches and suspected breaches to the Committee? Is access to the plan’s assets limited?

The Committee should conduct its own diligence on each third party’s data breach response plan and consider whether they align with the Committee’s plan. Any divergence between the two should be identified and addressed. The Committee should consider conducting table-top or simulation exercises with the third party to ensure alignment and that the parties will be able to effectively manage a security incident.
Does the Committee communicate with participants and beneficiaries regarding cyber-risk attacks and what protocols are in place to minimize the risk of a security breach?

Do the plan and third party service providers have properly trained IT staff to address the cybersecurity risks inherent in the deployment? What protocols are in place for communicating a security risk?

How is access to plan assets managed, including with respect to personal devices and company-owned devices, especially when outside the corporate network? Are devices centrally-managed and controlled, and do they include proper security measures and restrictions? Can access be remotely terminated to wipe any device or user that may compromise the security, integrity, availability, or confidentiality of the plan assets, and in the event that an individual is no longer associated with the plan?

Are individuals required to use strong passwords and multi-factor authentication to help protect against unauthorized access?

Are employees and contractors trained on and kept up to date on the latest cybersecurity risks such as phishing, malware, and clickbait? Have plan participants been notified about good cyber hygiene? Do employees and plan participants know who to reach out to in the event they suspect an incident has occurred, if the plan assets are compromised, or the plan participant or their account was compromised?

Is there a remote work policy in place? Has it been reviewed since COVID-19? Has it been communicated to employees and have they been trained on it?
What liability reduction measures has the Committee put in place in the event of an attack including fiduciary liability insurance?

Do the Committee and any applicable third parties have an appropriate amount of cybersecurity insurance to cover any losses?

In summary, there’s not a specific section under ERISA entitled “Cybersecurity,” but plan sponsors and fiduciaries need to consider even more protective mechanisms with respect to plan assets and data to prevent losses and potential liability.

-------------------------------------------------------------------

¹ See Divane v. Northwestern. Univ., No. 16 C 8157, 2018 WL 2388118, (N.D. Ill. May 25, 2018), aff’d, No. 18-2569, 2020 WL 1444966 (7th Cir. Mar. 25, 2020)

As part of Foley’s ongoing commitment to provide legal insight to our clients and colleagues, our Employee Benefits and Executive Compensation Group has a monthly newsletter we call “Employee Benefits Insights,” where we provide you with updates on the most recent and pressing matters concerning employee benefits and other related topics. Click here or click the button to the left to subscribe.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.