Employee Benefit Plan Information

By Marc Bussone
October 13, 2016

High-profile cyberattacks and data breaches have become routine occurrences. Cyber threats are so pervasive that many privacy and security experts advise that responsible parties, including fiduciaries of employee benefit plans, should prepare for when a data breach occurs, not if. Data collected by employee benefit plans includes sensitive information that makes them a particularly attractive target for cybercrime. While the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH), sets forth requirements applicable to the security and privacy of protected health information collected by health plans, no such guidance currently exists with respect to the security and privacy of personal identifiable information (PII) collected by employee benefit plans other than health plans. Plan sponsors and fiduciaries should nevertheless be aware of, and address, security and privacy issues in connection with PII.

Personal Identifiable Information

The Office of Management and Budget (OMB) defines PII as “information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.” OMB Memorandum M-07-16. The U.S. Department of Labor (DOL) has, at least informally, stated that information permitting the physical or online contacting of a specific individual is the same as personally identifiable information, and that this information can be maintained in either paper, electronic or other media.

ERISA Advisory Council

In response to increasing concerns about privacy, security, and fraud in the benefits area, in 2011, the Advisory Council on Employee Welfare and Pension Benefit Plans (the Council) presented its report on privacy and security issues affecting employee benefit plans. The common threats identified by the Council were the theft of personal identities and other PII, and the theft of money from bank accounts, investment funds, and retirement accounts. The Council identified four major areas for effective practices and policy as follows: data management, technology management, service provider management, and people issues. The Council also identified the following practices for employers and plan sponsors in each of the four major areas to minimize security breaches:

Data Management

  • Keep only data that is needed.
  • Use effective processes to discard unnecessary data, including back-up paper and electronic copies.
  • Know where PII is located in all of the organization's systems.
  • Understand cloud computing and/or remote data storage, including how data is stored and protected.

Technology Management

  • Keep computer systems updated, including prompt installation of software patches.
  • Stay current on electronic threats and effective response.
  • Follow National Institute of Standards and Technology guidelines on computer configuration.
  • Maintain complete logging for the network, firewalls, routers, and key software applications.
  • Limit or define usage of portable devices.

Service Provider Management

  • Consider privacy and security factors when selecting, and performing due diligence on, service providers.
  • Make sure subcontractors are held to the same standards as the service provider.

People Issues

  • Perform criminal background checks and drug screening for employees with access to PII.
  • Ensure that all personnel who have access to PII are trained in properly safeguarding it. Include training in areas such as data retention/destruction, social networking, social engineering, and litigation holds.
  • Designate an individual to be in charge of privacy and security.
  • Educate all stakeholders regarding appropriate focus according to their roles.
  • Implement and test contingency plans for use in the event of a data breach.
  • Educate employees about the importance of safeguarding their data at all times.
  • Focus on security measures in place for distributions. Ensure added security for participants at the time of distribution.

The Council also identified the following general practices:

  • Make sure to know what partners have access to PII and that they are paying attention to these issues.
  • Perform periodic risk assessments (Generally Accepted Privacy Principles).
  • Maintain good controls and be careful about who can override them.
  • Use a process to confirm compliance with all policies.
  • Make sure policies are clear and communicated to all appropriate parties.
  • Adopt a privacy policy designed for the organization.

The Council noted the complex legal environments governing mutual funds, banks, insurance companies, and health benefit plans with regard to securing PII. The framework includes HIPAA, HITECH, the Fair Credit Reporting Act, the Fair and Accurate Credit Transactions Act, the Gramm-Leach-Bliley Act, and various state identity theft, consumer protection, and breach notification laws.

The Council recommended that the DOL provide guidance on the obligation of plan fiduciaries to secure and keep private the PII of plan participants and beneficiaries, including the extent to which PII of benefit plan participants and beneficiaries should be protected in plan administration. To date, however, no such guidance has been provided by the DOL. A 2016 Advisory Council is examining the elements of a scalable cyber risk management strategy for benefit plans with the intent to draft recommendations to the Secretary of Labor for consideration.

Fiduciary Standard Under ERISA

The Employee Retirement Income Security Act of 1974, as amended (ERISA), imposes the prudent person standard of care. A fiduciary must discharge his or her duties with respect to a plan solely in the interest of the participants and beneficiaries and for the exclusive purpose of providing benefits to participants and their beneficiaries and defraying reasonable expenses of administering the plan. In doing so, the fiduciary must act with the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent person acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims. Fiduciaries who breach their duties are held personally liable under ERISA.

ERISA does not specifically address privacy and security of PII; however, given the frequency and common nature of cyberattacks, a prudent fiduciary should evaluate and address such risks. As such, fiduciaries should establish and follow policies and procedures for collecting and securing PII. Fiduciaries may look to the practices set forth by the Council as a starting point in establishing such policies and procedures. The rules under HIPAA and HITECH also provide a frame of reference from which fiduciaries may evaluate privacy and security issues. Given the extent to which plan sponsors and fiduciaries tend to rely on third-party administrators for plan administration, service provider management is a particularly important area of focus.

Service Provider Selection and Management

As noted by the Council, plan sponsors should assess privacy and security factors in selecting service providers. Plan sponsors should have an ongoing process for monitoring their service providers and should document their diligence efforts in this regard. Many service providers are already subject to certain industry-specific regulations regarding PII. Plan sponsors should generally understand which regulatory schemes, if any, their service providers are subject to, and request documentation from the service providers regarding compliance with such regulations.

Plan sponsors should also request information from their service providers regarding security systems and risks, including audit information such as Statements on Standards for Attestation Engagements No. 16 and related Service Organization Control reports. Plan sponsors should also review service provider agreements to ensure that privacy, security, liability provisions, and standards imposed on subcontractors are appropriate. Plan sponsors should review and monitor the service providers' security and privacy programs.

Cyber Risk Insurance

Plan sponsors should consider whether specific cyber risk insurance coverages are appropriate. Cyber risk insurance is generally not included in typical commercial liability coverage. Cyber and privacy policies cover liability arising from a data breach. Such policies may cover a variety of expenses associated with data breaches, including notification costs, credit monitoring, costs to defend certain regulatory claims, fines and penalties, and other losses arising from identity theft.

Employee benefit plans may benefit from separate cyber risk insurance coverage; however, plan sponsors and fiduciaries should understand how any existing cyber risk and fiduciary liability coverages may address cyber claims related to employee benefit plans to determine if separate coverage is necessary. Plan sponsors and fiduciaries should also understand how such coverages treat both first-party and third-party claims. First-party claims generally include direct costs for responding to a breach, while third-party claims generally include lawsuits from affected participants and responding to regulators.

Conclusion

Despite the absence of specific guidance (other than HIPAA and HITECH), plan sponsors and fiduciaries need to be aware of privacy and security issues related to PII. Furthermore, plan sponsors and fiduciaries should actively and prudently evaluate and address privacy and security concerns related to PII collected by employee benefit plans, and develop appropriate policies and procedures to limit exposure.


Marc Bussone is a lawyer in the Nashville, TN, office of Bradley Arant Boult Cummings LLP. Reach him at [email protected].