The Employee Benefits Security Administration (EBSA) of the US Department of Labor (DOL) has continued to be active in civil and criminal enforcement investigations of ERISA’s fiduciary duties. This blog post details two recent updates concerning the DOL’s ERISA enforcement program.
2022 Enforcement Statistics
Each year, EBSA announces statistics measuring its enforcement activities. These statistics can provide insight into EBSA’s enforcement priorities, as well as the pace of its enforcement program.
In the DOL’s 2022 fiscal year (October 2021 to September 2022), EBSA recovered more than $1.4 billion for plans, participants, and beneficiaries, with $931 million being recovered through enforcement actions. To achieve these results, EBSA closed 907 civil investigations, 595 of which led to monetary results for plans or other corrective activities. EBSA also obtained 402 nonmonetary civil corrections in connection with its enforcement program, and it referred 55 cases for litigation. Of its criminal investigations, EBSA closed 164 criminal investigations, which led to the indictment of 103 individuals for plan-related offenses.
One observation is that these numbers are down from prior years. At the same time, however, these numbers still reflect an active DOL enforcement program.
Another notable point from this data is that a large portion of EBSA’s enforcement actions came from one investigatory initiative: the DOL’s investigations related to terminated vested participants (or missing participants). The DOL reported its investigations “helped 6,928 terminated vested participants in defined benefit plans collect benefits of $542 million owed to them.” These recoveries were over half of the DOL’s reported civil investigatory recovery amounts. This indicates that the DOL’s missing participant investigatory initiative remains active and that plans might still find themselves subject to a missing participant investigation.
Increased Focus on Cybersecurity Reviews, Including of Health & Welfare Plans
In response to increased data breach incidents and cyber theft involving ERISA benefits plans, in April 2021, the DOL issued guidance for plan sponsors, plan fiduciaries, recordkeepers, and plan participants addressing cybersecurity practices. Since then, DOL officials have publicly stated an intention to focus on cybersecurity issues in its ERISA investigations. As we have previously reported, we have seen an active enforcement program by the DOL on cybersecurity practices of retirement plans and retirement plan vendors.
The DOL has started including these cybersecurity questions and inquiries in health and welfare plan investigations, as well. This is a significant development because when the DOL’s cybersecurity guidance was issued, there was some uncertainty about whether the DOL viewed it as applying to health and welfare plans. This development indicates the DOL does view the guidance as applying to all manner of ERISA benefit plans. With this development, health and welfare plans, particularly those that have been affected by data breach events, may be especially vulnerable to a cybersecurity inquiry by the DOL. Plan sponsors of health and welfare plans should remember that compliance with the Health Insurance Portability and Accountability Act (HIPAA) may not be enough—the DOL’s cybersecurity guidance must also be considered.
As part of health and welfare plan investigations, the DOL has taken an interest in a wide variety of documents related to cybersecurity practices, including:
- documents governing the IT systems, a breach response plan, a disaster recovery plan, and copies of system development lifecycle controls (SDLC), if applicable;
- schedules of systems critical to the maintenance and protection of participant data and assets (including information on data used by the plan, where data resides, systems outsourced to service providers, and file sharing systems);
- external and internal cybersecurity audit reports, including audits of IT systems (SOC 1 or SOC 2), as well as internal and external (with auditors) communications;
- existence of cybersecurity insurance coverage;
- documents mentioning or discussing cybersecurity, including emails and minutes of plan committee or board of trustees/directors meetings where the plan’s cybersecurity readiness was discussed; and
- documents regarding cybersecurity events about unauthorized access or suspicious activity.
This is an extensive (but not exhaustive) list, and fiduciaries of ERISA-regulated health and welfare plans—particularly those affected by data breach events—should evaluate compliance with the DOL cybersecurity guidance as well as ensure that their HIPAA compliance protocols, including their HIPAA privacy and security policies and procedures, are up to date.
Addressing DOL Enforcement Activities
In anticipation of these DOL investigatory activities, ERISA fiduciaries and plan sponsors may find it helpful to engage in a proactive review of ERISA fiduciary compliance, including one related to missing participant and cybersecurity issues.
For questions on DOL audit requests addressing missing participants or cybersecurity issues or how best to address the DOL’s guidance in these areas, contact the authors of this blog post or your Morgan Lewis contacts.