
The outsourcing of retirement plan recordkeeping and other administrative responsibilities has increased in recent years for both defined contribution and defined benefit plans. Although there is no overarching privacy law governing retirement plans, fiduciaries must adhere to the “prudent expert” standard of care in fulfilling their duties, and be continuously diligent and attentive to the privacy and security of participant data.

This diligence extends to the structuring of outsourcing agreements for administrative responsibilities. Read this post from our Tech & Sourcing @ Morgan Lewis blog for more data security considerations in plan administration outsourcing agreements.

Partner Matthew Hawes was quoted in a recent Law360 article about strategies employers can use to safeguard their retirement plans against cybersecurity risks. Matt discusses how the lack of sufficient protections against cybersecurity breaches can be seen as a violation of fiduciary duty. Read the full article, 4 Tips For Handling Retirement Plans’ Cybersecurity Risks.

Whether due to an upcoming contract expiration, a change in leadership, a decline in service quality, regulatory issues, or any of the many other events that occur during an outsourcing engagement, the original agreement with the service provider invariably must be modified. Please read this post from our Tech & Sourcing @ Morgan Lewis blog to learn about issues that should be considered before entering into such renegotiations.

The ERISA Advisory Council (Council) has been tackling the issue of cybersecurity as it relates to benefit plans since 2011, and just this last summer, the Council held two hearings where it heard testimony from various experts and interested parties on the issue. Following these hearings, the Council issued a report that remained unpublished until this month, when it was released by the Department of Labor (DOL). The report, titled “Cybersecurity Considerations for Benefit Plans” (Report), states that the Council focused on providing information to “plan sponsors, fiduciaries and service providers in evaluating and developing a cybersecurity risk management program for benefit plans.” The Council provides two recommendations in the Report:

  1. Make the Report and its appendices available via the DOL’s website as soon as administratively feasible to provide plan sponsors, fiduciaries, and service providers with information on developing and maintaining robust cyber-risk management programs for benefit plans.
  2. Provide information to the employee benefit plan community of plan sponsors, fiduciaries, and service providers to educate them on cybersecurity risks and potential approaches for managing these risks.

The Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS) recently released guidance on cloud computing that explains how entities covered by the Health Insurance Portability and Accountability Act (HIPAA) can use cloud service providers (CSPs) while still complying with HIPAA. This guidance is welcome at a time when employers are moving increasingly to an electronic environment, with access to protected health information (PHI) being offered through mobile devices and data being stored on cloud platforms.

CSPs generally offer online access to shared computing resources ranging from data storage to complete software solutions (e.g., electronic medical record systems). Common cloud services include on-demand internet access to computing resources such as networks, servers, storage, and applications.

Join us in December for these upcoming programs on a variety of employee benefits and executive compensation topics:

Visit our events page for more of our latest programs.

Retirement plans store extensive personal data on each participant and beneficiary, ranging from Social Security numbers and addresses to dates of birth, bank account information, and other sensitive financial information. This collection of personally identifiable information presents an attractive and potentially exploitable opportunity for criminals, hackers, and other unauthorized third parties. A plan administrator’s failure to proactively assess risk and protect sensitive information has the potential not only to put plan assets at risk but also to result in breach of fiduciary duty claims in the event of a breach. Please join us on June 15 for a one-hour webinar to discuss these issues.

Topics will include:

  • Data privacy and cybersecurity as a high priority
  • Steps to fulfill your fiduciary duties
  • Challenges related to service providers and service provider agreements
  • The future landscape of data privacy and cybersecurity for retirement plans

Health plan administrators are (or certainly should be) well-versed in their obligations under the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH). Failure to secure protected health information (PHI) from disclosure can result in civil monetary penalties of up to $1.5 million and potential criminal penalties of up to 10 years’ imprisonment. Penalties of this size have the tendency to get people’s attention. But, if you are a retirement plan fiduciary or administrator (which likely includes officers and other senior-level executives at a company), are you aware of your obligations to protect sensitive data and other personal information in your control and the control of your vendors?

Retirement plans store extensive personal data on each participant and beneficiary. This data ranges from Social Security numbers and addresses to dates of birth, bank account and financial information, and other records, and is stored in physical and electronic form for years, if not decades. The term often used for this type of information is “personally identifiable information” (PII). While it is stored, numerous human resources and benefits department personnel, participants, beneficiaries, recordkeepers, trustees, consultants, and other vendors have access to some or all of this highly sensitive information. The extensive trove of PII presents an attractive, and often undersecured and easily exploitable, opportunity for criminals intent on stealing identities or on the outright theft of plan assets and benefit payments.

Federal laws similar to HIPAA but applicable to retirement plans have not (yet) been enacted. However, this does not mean that retirement plan fiduciaries and administrators are off the hook. Under the Employee Retirement Income Security Act of 1974 (ERISA), as amended, a fiduciary is required to discharge his or her duties solely in the interests of plan participants and beneficiaries, and, in doing so, must adhere to a standard of care frequently described as the “prudent expert” standard. Under this standard, it is not difficult to conclude that a retirement plan fiduciary who does not take certain precautions with regard to the protection of PII may be in breach of his or her fiduciary duty. And, although a breach of an ERISA fiduciary duty does not trigger clear statutory penalties like those applicable under HIPAA and HITECH, under ERISA, fiduciaries are personally liable for their fiduciary breaches.

On March 21, 2016, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced that it has begun the second phase of its HIPAA Audit Program. The HIPAA Audit Program is intended to ensure compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

In this second phase, OCR will review the HIPAA policies and procedures that each covered entity and business associate is required to adopt as part of its HIPAA compliance scheme. The HIPAA policies and procedures must describe the standards and implementation specifications adopted by a covered entity or a business associate to ensure compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

In its announcement, OCR states that the second phase of the HIPAA Audit Program will begin with data verification and an email being sent to covered entities and business associates requesting that contact information be provided to OCR in a timely manner. OCR will then transmit a pre-audit questionnaire to gather data from the covered entity or business associate. This data will be used with other information to create an audit subject pool.

While OCR acknowledges that its email may unintentionally be directed to an entity’s spam folder, it will not accept that as an excuse for not responding. Rather, OCR expects covered entities and business associates to check their junk or spam email folders for emails from OCR.

To learn more about the second phase of OCR’s HIPAA Audit program, please see our LawFlash titled OCR Launches Phase 2 of HIPAA Audits. You may also visit HHS’s website.