There has been an increasing focus in recent years on the intersection of ERISA’s fiduciary duties and the issues of cybersecurity and data (including participant data) protection. Beyond the potential for pecuniary and reputational harm due to a breach, this interest has been driven by an increasing number of lawsuits in which plaintiffs allege that a plan fiduciary and/or service provider breached ERISA by failing to protect against a cybersecurity attack or data breach.
There are also signs that the DOL, the primary regulator of ERISA’s fiduciary duties, is increasingly focused on what those duties require with respect to cybersecurity and data protection. These signs include:
- Late in 2020, Mr. Timothy D. Hauser, the Deputy Assistant Secretary for National Office Operations of the Employee Benefits Security Administration (EBSA) – the agency of the DOL devoted to employee benefit plan matters – reportedly said that EBSA was in the process of drafting guidance on cybersecurity issues confronting plan sponsors and the third-party providers that service their plans. As of the publication of this blog, this guidance has not yet been issued.
- It was also reported that Mr. Hauser indicated that he anticipates seeing a DOL audit initiative focusing on these areas, including as to the adequacy of plan and service provider cybersecurity and data protection programs.
- On March 15, the Government Accountability Office (GAO) published a report, dated February 11, 2021, examining the data that plan sponsors and their service providers exchange during the administration of defined contribution plans and the associated cybersecurity risks. The report recommends that the DOL formally state whether it is an ERISA plan fiduciary’s responsibility to mitigate cybersecurity risks in defined contribution plans and to establish minimum expectations for addressing cybersecurity risks in such plans.
- On March 16, at a hearing before the Senate Health, Education, Labor and Pensions Committee, Julie Su, President Joseph Biden’s nominee for Deputy Secretary of Labor, committed to making retirement plan cybersecurity a priority for her and the DOL if she is confirmed.
- In November 2016, the Advisory Council on Employee Welfare and Pension Benefit Plans (the ERISA Advisory Council), which advises the DOL on ERISA matters and makes recommendations that can influence DOL rule making and investigatory initiatives, published a report to the Secretary of Labor titled “Cybersecurity Considerations for Benefit Plans.” In its report, the ERISA Advisory Council included questions regarding data protection that it thought may be helpful to plan fiduciaries contracting with and evaluating service providers.
While the possibility of future guidance could suggest that a wait-and-see approach is prudent, the threat of a new DOL audit initiative may warrant plan fiduciaries and service providers taking proactive steps now. If recent history is any guide, the DOL could open such investigations – and make adverse findings of fiduciary breach – before it issues guidance; it did exactly that, with surprising regularity, in its missing participant enforcement initiative. Delaying action while awaiting guidance therefore carries its own risk. Moreover, taking and documenting such steps may help mitigate the risk associated with the recent increase in participant-initiated litigation around these issues, as evidenced by a number of high-profile cases.
As a starting point, ERISA plan fiduciaries may want to take the immediate step of reviewing their service provider agreements, particularly agreements with third-party administrators and trustees, which play a critical role in the security of plan assets and participant data. The goals of that review are to understand each provider’s contractual privacy and security obligations, to learn what processes and protections are already in place, and to identify enhancements that are available but not yet adopted by the plan or offered to participants (e.g., two-factor authentication, biometric/voiceprint security, account blocks, etc.). Also as an initial step, ERISA plan fiduciaries may consider the benefits of regularly sending privacy and cybersecurity-specific questionnaires to plan service providers and having service providers attend fiduciary committee meetings (by telephone, video, or in person) to present on data privacy and cybersecurity matters. Documenting these reviews and the fiduciary committee’s follow-up on them is itself part of the prudent process.
If you are considering taking steps to address the potential ERISA fiduciary risks around data privacy and cybersecurity, such as preparing the questionnaire discussed above, or if you have any questions about the scope of a fiduciary’s duty to monitor plan service providers, please feel free to contact the authors or your Morgan Lewis contacts.