High-profile cyberattacks and data breaches have become routine occurrences. Cyber threats are so pervasive that many privacy and security experts advise that responsible parties, such as fiduciaries of employee benefit plans, should prepare for when a data breach occurs, not if. The data collected by employee benefit plans includes sensitive information that makes those plans a particularly attractive target for cybercrime. While the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH), sets forth requirements applicable to the security and privacy of protected health information collected by health plans, no such guidance currently exists with respect to the security and privacy of personally identifiable information (PII) collected by employee benefit plans other than health plans. Plan sponsors and fiduciaries should nonetheless be aware of, and address, security and privacy issues in connection with PII.
Personally Identifiable Information
The Office of Management and Budget (OMB) defines PII as “information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.” OMB Memorandum M-07-16. The U.S. Department of Labor (DOL) has, at least informally, stated that information permitting the physical or online contacting of a specific individual is the same as personally identifiable information, and that this information can be maintained in either paper, electronic or other media.
ERISA Advisory Council
In response to increasing concerns about privacy, security, and fraud in the benefits area, in 2011, the Advisory Council on Employee Welfare and Pension Benefit Plans (the Council) presented its report on privacy and security issues affecting employee benefit plans. The common threats identified by the Council were the theft of personal identities and other PII, and the theft of money from bank accounts, investment funds, and retirement accounts. The Council identified four major areas for effective practices and policy as follows: data management, technology management, service provider management, and people issues. The Council also identified the following practices for employers and plan sponsors in each of the four major areas to minimize security breaches:
Data Management
Technology Management
Service Provider Management
The Council also identified the following general practices:
The Council noted the complex legal environment governing mutual funds, banks, insurance companies, and health benefit plans with regard to securing PII. That framework includes HIPAA, HITECH, the Fair Credit Reporting Act, the Fair and Accurate Credit Transactions Act, the Gramm-Leach-Bliley Act, and various state identity theft, consumer protection, and breach notification laws.
The Council recommended that the DOL provide guidance on the obligation of plan fiduciaries to secure and keep private the PII of plan participants and beneficiaries, including the extent to which PII of benefit plan participants and beneficiaries should be protected in plan administration. To date, however, no such guidance has been provided by the DOL. A 2016 Advisory Council is examining the elements of a scalable cyber risk management strategy for benefit plans with the intent to draft recommendations to the Secretary of Labor for consideration.
Fiduciary Standard Under ERISA
The Employee Retirement Income Security Act of 1974, as amended (ERISA), imposes the prudent person standard of care. A fiduciary must discharge his or her duties with respect to a plan solely in the interest of the participants and beneficiaries and for the exclusive purpose of providing benefits to participants and their beneficiaries and defraying reasonable expenses of administering the plan. In doing so, the fiduciary must act with the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent person acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims. Fiduciaries who breach their duties are held personally liable under ERISA.
ERISA does not specifically address privacy and security of PII; however, given the frequency and common nature of cyberattacks, a prudent fiduciary should evaluate and address such risks. As such, fiduciaries should establish and follow policies and procedures for collecting and securing PII. Fiduciaries may look to the practices set forth by the Council as a starting point in establishing such policies and procedures. The rules under HIPAA and HITECH also provide a frame of reference from which fiduciaries may evaluate privacy and security issues. Given the extent to which plan sponsors and fiduciaries tend to rely on third-party administrators for plan administration, service provider management is a particularly important area of focus.
Service Provider Selection and Management
As noted by the Council, plan sponsors should assess privacy and security factors in selecting service providers. Plan sponsors should have an ongoing process for monitoring their service providers and should document their diligence efforts in this regard. Many service providers are already subject to industry-specific regulations regarding PII. Plan sponsors should understand which regulatory schemes, if any, their service providers are subject to, and request documentation from the service providers regarding compliance with those regulations.
Plan sponsors should also request information from their service providers regarding security systems and risks, including audit information such as Statements on Standards for Attestation Engagements No. 16 and related Service Organization Control reports. Plan sponsors should also review service provider agreements to ensure that privacy, security, liability provisions, and standards imposed on subcontractors are appropriate. Plan sponsors should review and monitor the service providers' security and privacy programs.
Cyber Risk Insurance
Plan sponsors should consider whether specific cyber risk insurance coverages are appropriate. Cyber risk insurance is generally not included in typical commercial liability coverage. Cyber and privacy policies cover liability arising from a data breach. Such policies may cover a variety of expenses associated with data breaches, including notification costs, credit monitoring, costs to defend certain regulatory claims, fines and penalties, and other losses arising from identity theft.
Employee benefit plans may benefit from separate cyber risk insurance coverage; however, plan sponsors and fiduciaries should understand how any existing cyber risk and fiduciary liability coverages may address cyber claims related to employee benefit plans to determine if separate coverage is necessary. Plan sponsors and fiduciaries should also understand how such coverages treat both first-party and third-party claims. First-party claims generally include direct costs for responding to a breach, while third-party claims generally include lawsuits from affected participants and responding to regulators.
Conclusion
Despite the absence of specific guidance (other than HIPAA and HITECH), plan sponsors and fiduciaries need to be aware of privacy and security issues related to PII. Furthermore, plan sponsors and fiduciaries should actively and prudently evaluate and address privacy and security concerns related to PII collected by employee benefit plans, and develop appropriate policies and procedures to limit exposure.
Marc Bussone is a lawyer in the Nashville, TN, office of Bradley Arant Boult Cummings LLP. Reach him at [email protected].