“Because that’s where the money is,” was the famous quote fictitiously attributed to Willie Sutton when asked why he robbed banks. Given the trillions of dollars held by employee benefit plans, these plans are prime targets for cybercriminals. Plan participants also are increasingly accessing their plan information business online, but are not always reviewing their account history for accuracy. Plan participants, administrators, and service providers are also prime targets for cybercrime, especially as a result of issues caused by COVID-19. In fact, since the rollout of the Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”), there has been a dramatic increase in the number of 401(k) plan participants seeking distributions and loans.
Plan sponsors are now faced with the detailed compliance requirements of the Employee Retirement Income Security Act of 1974, as amended (“ERISA”), and cybersecurity laws. Since ERISA pre-dates modern computing, ERISA regulations are silent regarding cybersecurity. Neither the Department of Labor (“DOL”) nor the IRS have issued any formal guidance addressing cybersecurity obligations under ERISA. COVID-19 has resulted in more employees working remotely and further complicated ERISA/cybersecurity related considerations. Regardless, ERISA mandates that plan fiduciaries meet certain standards of conduct.
Understanding who may be considered an ERISA plan fiduciary, including a determination of their fiduciary obligations with respect to a plan, its participants, and beneficiaries, is critical. Plan fiduciaries are always the prime target for potential liability (i.e., including for alleged breach of fiduciary duty). Plan fiduciaries must address data breach matters. So, what can fiduciaries do to minimize their cybersecurity liability? Continue reading to find out…
An ERISA fiduciary (see subsection (21), “29 U.S. Code § 1002. Definitions”) includes any person to the extent such person has discretionary authority or control over plan management or assets. This also extends to plan administration and those who render investment advice for a fee with respect to plan assets. ERISA fiduciaries can include plan sponsors, trustees, plan administrators, third-party administrators, investment advisors, and investment managers.
While there is no formal guidance as to the applicable fiduciary standards under ERISA with respect to cybersecurity, a plan asset will be determined by the facts and circumstances. While confidential participant data may not be deemed to be a plan asset as it is not property that is capable of being monetized to fund retirement benefits,1 state data breach laws, which may give rise to other fiduciary obligations, may apply. Accordingly, a conservative approach would be to take reasonable actions to protect the plan assets, including participant personal information. Plan account funds are always considered to be plan assets, and ERISA’s fiduciary protections will apply in the event that such account funds are compromised.
Once again, ERISA is very clear regarding what’s required:
“. . . a fiduciary shall discharge his duties with respect to a plan solely in the interest of the participants and beneficiaries, and for the exclusive purpose of (i) providing benefits to participants and their beneficiaries, (ii) defraying reasonable expenses of administering the plan; and (iii) with the care, skill, prudence and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims.”
While there’s no formal guidance from the DOL or the IRS regarding plan cybersecurity, in 2015, the ERISA Advisory Council outlined certain cybersecurity obligations for all plan fiduciaries in “Cybersecurity Considerations for Benefit Plans.” In addition, plan fiduciaries should consider industry best practices that would be generally applicable to similar industries, such as financial and healthcare and apply cybersecurity protocols as applicable to their own organizations.
It is critical that participant data and, if applicable, plan investments be protected from attack. In particular, the Committee must ensure that technical, physical, and administrative safeguards are in place and are designed to protect the confidentiality, integrity, availability, and resiliency of plan assets, and that such safeguards meet the Committee’s legal obligations and industry standards.
Regardless of the Committee’s efforts, a cyber-attack may occur. A key factor in understanding potential liability will be determined by how the Committee responds to and manages any cyber-attack if, as, and when one occurs. It is entirely possible that despite the occurrence of a cyber-attack, the Committee or other responsible fiduciary may not have violated ERISA’s prudence standard and requirement to discharge its duties with respect to an employee benefit plan solely in the interest of participants and beneficiaries.
Several key considerations include:
In summary, there’s not a specific section under ERISA entitled “Cybersecurity,” but plan sponsors and fiduciaries need to consider even more protective mechanisms with respect to plan assets and data to prevent losses and potential liability.
1 See Divane v. Northwestern. Univ., No. 16 C 8157, 2018 WL 2388118, (N.D. Ill. May 25, 2018), aff’d, No. 18-2569, 2020 WL 1444966 (7th Cir. Mar. 25, 2020)
|As part of Foley’s ongoing commitment to provide legal insight to our clients and colleagues, our Employee Benefits and Executive Compensation Group has a monthly newsletter we call “Employee Benefits Insights,” where we provide you with updates on the most recent and pressing matters concerning employee benefits and other related topics. Click here or click the button to the left to subscribe.|