Privacy and Security of Personal Information Collected by Employee Benefit Plans

ERISA Advisory Council

In response to increasing concerns about privacy, security, and fraud in the benefits area, in 2011, the Advisory Council on Employee Welfare and Pension Benefit Plans (the Council) presented its report on privacy and security issues affecting employee benefit plans. The common threats identified by the Council were the theft of personal identities and other PII, and the theft of money from bank accounts, investment funds, and retirement accounts. The Council identified four major areas for effective practices and policy as follows: data management, technology management, service provider management, and people issues. The Council also identified the following practices for employers and plan sponsors in each of the four major areas to minimize security breaches:

Data Management

• Keep only data that is needed.
• Use effective processes to discard unnecessary data, including back-up paper and electronic copies.
• Know where PII is located in all of the organization's systems.
• Understand cloud computing and/or remote data storage, including how data is stored and protected.

Technology Management

• Keep computer systems updated, including prompt installation of software patches.
• Stay current on electronic threats and effective response.
• Follow National Institute of Security and Technology guidelines on computer configuration.
• Maintain complete log-in for the network, firewalls, routers, and key software applications.
• Limit or define usage of portable devices.

Service Provider Management

• Consider privacy and security factors regarding the selection and performing of due diligence for providers.
• Make sure subcontractors are held to the same standards as the service provider.
• People Issues
• Perform criminal background checks and drug screening for employees with access to PII.
• Ensure all personnel who have access to PII are trained in properly safeguarding it. Include training in areas such as data retention/destruction, social networking, social engineering, and litigation holds.
• Designate an individual to be in charge of privacy and security.
• Educate all stakeholders regarding appropriate focus according to their roles.
• Implement and test contingency plans for use in the event of a data breach.
• Educate employees about the importance of safe-guarding their data at all times.
• Focus on security measures in place for distributions. Ensure added security for participants at the time of distribution.

The Council also identified the following general practices:

• Make sure to know what partners have access to PII and that they are paying attention to these issues.
• Perform periodic risk assessments (Generally Accepted Privacy Principles (GAPP)).
• Maintain good controls and be careful about who can over-ride them.
• Use a process to confirm compliance with all policies.
• Make sure policies are clear and communicated to all appropriate parties.
• Adopt a privacy policy designed for the organization.

The Council noted the complex legal environments governing mutual funds, banks, insurance companies, and health benefit plans with regard to securing PII. The framework includes HIPAA, HITECH, the Fair Credit Reporting Act, the Fair and Accurate Credit Transactions Act, the Gramm-Leach-Bliley Act, and various state identify theft, consumer protection, and breach notification laws.

The Council recommended that the DOL provide guidance on the obligation of plan fiduciaries to secure and keep private the PII of plan participants and beneficiaries, including the extent to which PII of benefit plan participants and beneficiaries should be protected in plan administration. To date, however, no such guidance has been provided by the DOL. A 2016 Advisory Council is examining the elements of a scalable cyber risk management strategy for benefit plans, with the intent to draft recommendations to the Secretary of Labor for consideration.

Fiduciary Standard under ERISA

The Employee Retirement Income Security Act of 1974 (ERISA), as amended, imposes the prudent person standard of care. A fiduciary must discharge his or her duties with respect to a plan solely in the interest of the participants and beneficiaries and for the exclusive purpose of providing benefits to participants and their beneficiaries and defraying reasonable expenses of administering the plan. In doing so, the fiduciary must act with the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent person acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims. Fiduciaries that breach their duties are held personally liable under ERISA.

ERISA does not specifically address privacy and security of PII; however, given the frequency and common nature of cyberattacks, a prudent fiduciary should evaluate and address such risks. As such, fiduciaries should establish and follow policies and procedures for collecting and securing PII. Fiduciaries may look to the practices set forth by the Council as a starting point in establishing such policies and procedures. The rules under HIPAA and HITECH also provide a frame of reference from which fiduciaries may evaluate privacy and security issues. Given the extent to which plan sponsors and fiduciaries tend to rely on third-party administrators for plan administration, service provider management is a particularly important area of focus.

Service Provider Selection and Management

As noted by the Council, plan sponsors should assess privacy and security factors in selecting service providers. Plan sponsors should have an ongoing process for monitoring its service providers and documenting their diligence efforts in this regard. Many service providers are already subject to certain industry-specific regulations regarding PII. Plan sponsors should generally understand which, if any, regulatory schemes to which their service providers are subject, and request documentation from the service providers regarding compliance with such regulations. Plan sponsors should also request information from their service providers regarding security systems and risks, including audit information such as Statements on Standards for Attestation Engagements No. 16 and related Service Organization Control reports. Plan sponsors should also review service provider agreements to ensure that privacy, security, liability provisions, and standards imposed on subcontractors are appropriate. Plan sponsors should review and monitor the service providers' security and privacy programs.

Cyber Risk Insurance

Plan sponsors should consider whether specific cyber risk insurance coverage is appropriate. Cyber risk insurance is generally not included in typical commercial liability coverage. Cyber and privacy policies cover liability arising from a data breach. Such policies may cover a variety of expenses associated with data breaches including notification costs, credit monitoring, costs to defend certain regulatory claims, fines and penalties, and other losses arising from identity theft. Employee benefit plans may benefit from separate cyber risk insurance coverage; however, plan sponsors and fiduciaries should understand how any existing cyber risk and fiduciary liability coverages may address cyber claims related to employee benefit plans to determine if separate coverage is necessary. Plan sponsors and fiduciaries should also understand how such coverages treat both first-party claims and third-party claims. First-party claims generally include direct costs for responding to a breach, while third-party claims generally include lawsuits from affected participants and responding to regulators.

Conclusion

Despite the absence of specific guidance (other than HIPAA and HITECH), plan sponsors and fiduciaries need to be aware of privacy and security issues related to PII. Furthermore, plan sponsors and fiduciaries should actively and prudently evaluate and address privacy and security concerns related to PII collected by employee benefit plans, and develop appropriate policies and procedures to limit exposure.

Marc Bussone is a lawyer in the Nashville, TN, office of Bradley Arant Boult Cummings LLP where he advises clients on a broad range of employee benefit and executive compensation matters. Bussone works with plan sponsors and fiduciaries on all aspects of regulatory compliance matters related to benefit plans. He can be reached at [email protected].