Individual plan fiduciaries may be unaware that they can be personally liable for failing to take reasonable steps to protect plan participants’ information and plan assets from cybersecurity threats. An organization’s benefit plans are valuable targets because they may hold personal information such as bank account details, retirement account details, personal data and medical records. Medical records, once accessed, can be worth substantial money to criminals, and hackers could also cause retirement plan assets to be distributed improperly.
For these reasons, plan fiduciaries should be concerned with their personal liability for a cybersecurity breach with ERISA employee benefit plans.
In its 2016 report, Cybersecurity Considerations for Benefit Plans, the ERISA Advisory Council (an industry advisory group sponsored by the Department of Labor) reported that employee benefit plans can be vulnerable to cyber-attacks and thus exposed to risks relating to privacy, security and fraud. Since that report was published, many benefit plan sponsors have noted that cybersecurity is becoming important in the daily operations of employee benefit plans.
Cybersecurity risks may exist internally, externally and when data is transmitted. Benefit plans often depend upon third-party administrators, actuaries, auditors, trustees, insurers and consultants, any or all of whom may possess significant amounts of personal information about plan participants that is necessary for the administration of a benefit plan. As a result, a cybersecurity breach could occur within the plan sponsor’s system, when this data is transmitted to third parties, or through a breach of plan vendors’ systems. Plan fiduciaries, such as plan administrators, named fiduciaries, plan committees and others, have a general duty under ERISA Section 404 with respect to the general management of the plan, which encompasses the duty to protect personally identifiable information, protected health information and plan assets.
And, as noted above, plan sponsor employees and others who serve as plan fiduciaries in their individual capacity may be personally liable for failing to meet ERISA’s standards of prudence and care with regard to plan records and participants’ privacy.
In addition, sponsors of health care benefit plans are subject to additional requirements to protect data privacy under the Health Insurance Portability and Accountability Act of 1996.
The ‘prudent fiduciary’ standard
Fiduciaries of most employee benefit plans (subject to ERISA) are held to a high standard. Under ERISA Code Section 404, they must “act with the care, skill, prudence and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character with like aims.” This is frequently referred to as “the prudent fiduciary standard.” ERISA does not require that fiduciaries become cybersecurity experts. However, they must know enough to perform the reasonably necessary and proper due diligence on their internal systems and the systems of their chosen service providers.
There are no specific federal laws or universally accepted industry standards that govern fiduciary responsibility for implementing a cybersecurity plan for ERISA plans. However, it is usually possible to determine the reasonably necessary steps that should be considered to implement a due diligence process for cybersecurity processes and procedures. Equally, it may be determined that fiduciaries failed to perform the due diligence a prudent fiduciary would have taken and that, as a result, a breach of plan information or assets occurred; the costs of that breach could then result in personal liability for the fiduciaries.
Asking the right questions
Fiduciaries need to understand and investigate how the plan administrator, plan sponsor, and third-party vendors manage the plan’s data. They need to ask questions and take steps to obtain a working knowledge of each service provider’s data-handling and security policies, including data at rest and in transit.
There is some guidance for plan fiduciaries in the ERISA Advisory Council’s report that can assist plan fiduciaries in taking steps to minimize cybersecurity risks to benefit plan data. The report was issued to help plan sponsors, administrators, and service providers manage their cybersecurity risks, develop feasible cybersecurity strategies and provide a starting place for more detailed planning.
The report indicates that, in general, employers should at a minimum 1) manage risks of a potential breach and 2) demonstrate a fiduciary’s prudent effort to protect plan participants and plan assets.
The report also advises that plan administrators and others should establish specific policies for protecting data (such as training, reporting and testing) and procedures to recover and restore systems in case of a breach. In particular, the report indicates the primary areas fiduciaries should consider in navigating cybersecurity risks, including:
- Establishing a cybersecurity strategy
- Contracting with service providers
- Investigating cybersecurity insurance
Cybersecurity is an important factor when a fiduciary is considering how best to protect personal and health-related participant data as well as plan assets. A cybersecurity breach may cause economic losses and significant resource allocation to mitigate damage after the fact. In such cases, individual fiduciaries may be personally liable for losses and costs if they have failed to take reasonably prudent steps to manage this risk. As a result, fiduciaries should take the necessary steps to minimize risk to protect themselves and the plans for which they are fiduciaries. Fiduciaries should seek professional advice or consult an internal IT department to assess the cybersecurity risk for their ERISA health, welfare, and retirement plans.