With cybersecurity risks on the rise and increased awareness of the sophisticated ability of hackers in the modern world, many plan sponsors have expressed growing concerns that they may have fiduciary liability with respect to protection of participants’ personal information. By now, most plan sponsors have become accustomed to complying with the Health Insurance Portability and Accountability Act (“HIPAA”) with respect to participant data within their employer-sponsored health plan. However, employers are not accustomed to applying such standards in the retirement plan context. Given the heightened cybersecurity risks in today’s digital society, employers serving as plan sponsors of retirement and welfare benefit plans should begin to implement policies and procedures to protect participant data and carefully monitor their service providers as they handle participant data.
In recent years, there has been a push for regulation governing protection of personally identifiable information (“PII”) in the retirement plan context. In 2011, an ERISA advisory council that serves as an advisor to the Secretary of Labor issued a report urging the Department of Labor (“DOL”) to issue guidance or regulations relating to the obligation of plan fiduciaries to protect the PII of plan participants and beneficiaries. The council expressed concern over the insecurity of plan financial data, asking the DOL to provide guidance on whether ERISA fiduciaries must secure PII and to develop educational materials for participants. Specific areas of concern included theft of PII or money from accounts, unsecured/unencrypted data, hacking into plan administration and service provider systems, outdated password protections, phishing emails, and stolen hardware. The council met again in 2016 and once again urged the DOL to issue guidance, expressing the hope that its report could serve as a reference for plan sponsors seeking to secure plan data and assets from cybersecurity risks.
To date, the DOL has issued no direct guidance on cybersecurity considerations for PII within retirement and welfare plans. However, a new argument has emerged under ERISA fiduciary standards that the “prudent man” rule, exclusive benefit rule, and the obligation to select and monitor service providers include the obligation to maintain the privacy and security of plan data and monitor service providers’ use of the data. Under ERISA, fiduciaries must act prudently, taking the course of action that a similar, prudent man would in like circumstances and with like knowledge. Furthermore, ERISA requires fiduciaries to act only for the exclusive benefit of plan participants and their beneficiaries. Finally, ERISA fiduciaries must prudently select and monitor a plan’s service providers.
Some have begun to use Interpretive Bulletin 96-1 as a reference point to establish a requirement of prudence in service provider selections, including the prudent selection of a service provider that securely maintains electronic plan data. Additionally, one of the arguments in a lawsuit against Vanderbilt University stated that the University failed to protect plan assets by allowing third parties to market services to participants, referring to participant and financial data held by the plan as “plan assets” protected by fiduciary obligations. In that case, the plaintiffs argued that the University allowed the plan’s recordkeeper to obtain access to participants’ private and sensitive information, including investment choices, account information, contact information, proximity to retirement, age, and more, in order to market and sell its own insurance products to participants outside the plan. The plaintiffs claimed that such an action violated the University’s fiduciary duty to work for the exclusive benefit of the participants. Unfortunately, the parties recently came to a settlement agreement before the courts had a chance to rule on whether ERISA protections will apply to personal plan information.
Although there is no direct guidance from the DOL on fiduciary standards as applied to the privacy and security of participant data, it is likely that in the coming years the DOL will find that retirement and welfare plan fiduciaries have a responsibility to safeguard participant data in compliance with the prudence standard, given the common knowledge of cybersecurity risks in today’s society. Specifically, plan sponsors should be aware of their duty to monitor service providers and the security measures those providers have in place for protecting plan data. Going forward, plan sponsors should implement security policies and procedures relating to the protection of PII and participant data. Some companies have formed cybersecurity committees for purposes of implementing these procedures and increasing awareness internally about the seriousness of cybersecurity. Further, in choosing service providers, plan sponsors should exercise due diligence in questioning the providers’ security measures, breach reporting practices, and contract provisions relating to the protection of plan data.