Tag Archives: cybersecurity

Participant Data And Fiduciary Liability: The Current Regulatory Environment, The Vanderbilt Lawsuit, And Best Practices For Benefit Plan Sponsors

With cybersecurity risks on the rise and increased awareness of the sophisticated ability of hackers in the modern world, many plan sponsors have expressed growing concerns that they may have fiduciary liability with respect to protection of participants’ personal information. By now, most plan sponsors have become accustomed to complying with the Health Insurance Portability and Accountability Act (“HIPAA”) with respect to participant data within their employer-sponsored health plan. However, employers are not accustomed to applying such standards in the retirement plan context. Given the heightened cybersecurity risks in today’s digital society, employers serving as plan sponsors of retirement and welfare benefit plans should begin to implement policies and procedures to protect participant data and carefully monitor their service providers as they handle participant data.

In recent years, there has been a push for regulation governing protection of personally identifiable information (“PII”) in the retirement plan context. In 2011, an ERISA advisory council that serves as an advisor to the Secretary of Labor issued a report urging the Department of Labor (“DOL”) to issue guidance or regulations relating to the obligation of plan fiduciaries to protect the PII of plan participants and beneficiaries. The council expressed concern over the insecurity of plan financial data, asking the DOL to provide guidance on whether ERISA fiduciaries must secure PII and to develop educational materials for participants. Specific areas of concern included theft of PII or money from accounts, unsecured/unencrypted data, hacking into plan administration and service provider systems, outdated password protections, phishing emails, and stolen hardware. The council met again in 2016 and once again urged the DOL to issue guidance, hoping that the report could serve as a reference for plan sponsors seeking to secure plan data and assets from cybersecurity risks.

To date, the DOL has issued no direct guidance on cybersecurity considerations for PII within retirement and welfare plans. However, a new argument has emerged under ERISA fiduciary standards that the “prudent man” rule, exclusive benefit rule, and the obligation to select and monitor service providers include the obligation to maintain the privacy and security of plan data and monitor service providers’ use of the data. Under ERISA, fiduciaries must act prudently, taking the course of action that a similar, prudent man would in like circumstances and with like knowledge. Furthermore, ERISA requires fiduciaries to act only for the exclusive benefit of plan participants and their beneficiaries. Finally, ERISA fiduciaries must prudently select and monitor a plan’s service providers.

Some have begun to use Interpretive Bulletin 96-1 as a reference point to establish a requirement of prudence in service provider selections, including the prudent selection of a service provider that securely maintains electronic plan data. Additionally, one of the arguments in a lawsuit against Vanderbilt University stated that the University failed to protect plan assets by allowing third parties to market services to participants, referring to participant and financial data held by the plan as “plan assets” protected by fiduciary obligations. In that case, the plaintiffs argued that the University allowed the plan’s recordkeeper to obtain access to participants’ private and sensitive information, including investment choices, account information, contact information, proximity to retirement, age, and more, in order to market and sell its own insurance products to participants outside the plan. The plaintiffs claimed that such an action violated the University’s fiduciary duty to work for the exclusive benefit of the participants. Unfortunately, the parties recently came to a settlement agreement before the courts had a chance to rule on whether ERISA protections will apply to personal plan information.

Although there is no direct guidance from the DOL on fiduciary standards as applied to the privacy and security of participant data, it is likely that in the coming years the DOL will find that retirement and welfare plan fiduciaries have a responsibility to safeguard participant data in compliance with the prudence standard, given the common knowledge of cybersecurity risks in today’s society. Specifically, plan sponsors should be aware of their duty to monitor service providers and the security measures those providers have in place for protecting plan data. Going forward, plan sponsors should implement security policies and procedures relating to the protection of PII and participant data. Some companies have formed cybersecurity committees for purposes of implementing these procedures and increasing awareness internally about the seriousness of cybersecurity. Further, in choosing service providers, plan sponsors should exercise due diligence in questioning the providers’ security measures, breach reporting practices, and contract provisions relating to the protection of plan data.


FTC Gets Thumbs Up to Act as Cybersecurity Cop: What Does It Mean for Your Business?


A recent federal court decision upheld the Federal Trade Commission’s (FTC) authority to take enforcement action on behalf of consumers against businesses that fail to take reasonable steps to secure sensitive consumer information.

The U.S. Court of Appeals for the Third Circuit ruled that the FTC could proceed with a lawsuit alleging that hotel chain Wyndham Worldwide Corp. was, at least in part, responsible for the three unauthorized intrusions it experienced over the span of two years, which compromised the credit card numbers of 619,000 customers and led to more than $10.6 million in fraudulent charges. The FTC alleged that Wyndham had engaged in cybersecurity practices that, collectively, were unfair and unreasonable, resulting in unnecessary exposure of consumers’ sensitive data. The Wyndham practices cited by the FTC as unfair and unreasonable included, but were not limited to, lax password management, lack of appropriate firewall protection for consumer data, use of outdated software, and failure to follow proper incident response procedures.

Going forward, based on the reasoning of the Wyndham decision, it is going to be difficult for any business, large or small, to take the position that it was somehow unaware of the importance of cybersecurity. As such, it is imperative that your business have appropriate cybersecurity practices and policies in place for the protection of sensitive consumer information. When reviewing your business’s current cybersecurity practices and policies, keep in mind the following principles:

  • Be aware of all the personal information collected, retained and shared. Review your systems to learn how your business and/or vendors use consumer data. Restrict access to sensitive data to only those “need to know” employees or vendors.
  • Keep only personal information required for legitimate business operations. If you don’t need it, don’t keep it.
  • Use physical and electronic security to protect the information your business retains. Such security could include firewalls, encryption of sensitive data or implementing password management rules.
  • Properly dispose of personal information as soon as it is no longer necessary for business operations. When disposing of old computers and portable storage devices, use software for securely erasing data.
  • Have a plan to respond to security incidents. Designate someone on your staff with sufficient authority within your organization to coordinate and implement the response plan. Investigate security incidents immediately.

Please contact a member of the McGrath North Privacy and Data Security Group if you have further questions or would like to discuss your business’s cybersecurity practices and policies.


A Roadmap To Cybersecurity Readiness

Deputy Treasury Secretary Sarah Bloom Raskin recently outlined ten questions that bank CEOs should ask to assess their institutions’ cybersecurity readiness. Speaking at a Texas Bankers Association conference in Austin, Secretary Raskin stressed the importance of using the following questions as a roadmap to deal with cyber threats:

Question 1:  Is cyber risk part of our current risk management framework?

Question 2:  Do we follow the NIST Cybersecurity Framework?

Question 3:  Do we know the cyber risks that our vendors and third-party service providers expose us to, and do we know the rigor of their cybersecurity controls?

Question 4:  Do we have cyber risk insurance?

Question 5:  Do we engage in basic cyber hygiene?

Question 6:  Do we share incident information with industry groups?

Question 7:  Do we have a cyber-incident playbook and who is the point person for managing response and recovery?

Question 8:  What roles do senior leaders and the board play in managing and overseeing the cyber incident response?

Question 9:  When and how do we engage with law enforcement after a breach?

Question 10:  After a cyber incident, when and how do we inform our customers, investors, and the general public?

While primarily addressed to bank CEOs, Secretary Raskin’s roadmap also provides a useful guide for any business executive focused on cyber risk management. If you have questions about your organization’s cybersecurity readiness or how to assess the cybersecurity readiness of your vendors and third-party service providers, contact a member of the McGrath North Privacy and Data Security Group.
