In today's digital environment, where a single ransomware attack can cripple hundreds of thousands of computer systems worldwide in a matter of days, most people recognize that protecting confidential information is more important than ever before. Much of today's discussion focuses on the exposure of consumer data, like credit card numbers.
However, a shift in focus may be necessary, as hackers have turned to a more information-rich source: employee benefit plans. This article examines the threat facing benefit plans, explores the applicable legal landscape, and recommends steps to better equip plans to prepare for and manage data breaches.
Cybersecurity Risks to Plan Information
Benefit plan data is especially sensitive because it can include a wealth of personally identifiable information (PII) — often far more than a simple consumer data breach — such as Social Security numbers, dates of birth, financial and medical information, family members and bank account details. This suggests that benefit plans may be a prime target for hackers. Moreover, plan administration often involves third-party vendors over which benefit plan administrators have less control, putting data at further risk of inadvertent or deliberate breach. Adding further to the risk is that participants themselves often have online access to their own sensitive information, creating yet another vulnerability.
Not unlike consumer data breaches, breaches can occur at the plan, vendor or participant level for both innocent and nefarious reasons — infected Web sites, phishing schemes, malware infections, viruses, advanced persistent threats (i.e., repeated and targeted attacks, often by a foreign state), the accidental transfer of data to unintended third parties, loss of mobile devices and so on.
Being Cognizant of Applicable Law
For plans, the consequences of such breaches are heightened because a single breach can trigger liability under multiple state and federal laws.
From the federal law perspective, much attention has been focused on the Health Insurance Portability and Accountability Act (HIPAA), which requires health plans to protect the privacy of participant information, conduct risk assessments, implement appropriate procedural and technical safeguards, and notify affected individuals of breaches. Some are now beginning to suggest that the Employee Retirement Income Security Act of 1974 (ERISA) may also be a potential source of liability.
While ERISA does not expressly set forth required measures for protecting plan data, some practitioners have argued that such an obligation exists under ERISA's general fiduciary duty provisions. Specifically, ERISA mandates plan fiduciaries to act with the care, skill and diligence that a prudent man familiar with such matters would use in like circumstances (ERISA §404(a)(1)(B)). These practitioners have prognosticated that, given the proliferation of cyberattacks and particular sensitivity of the data involved, it is only a matter of time before a plaintiff argues that an individual familiar with the holding of sensitive data would have taken specific steps to protect it — thus creating a duty for the plan fiduciary. In the absence of specific guidance from the U.S. Department of Labor, the challenge is how to identify the measures that will satisfy this duty, if it does exist.
Apart from the federal law, many states have enacted laws that impact cybersecurity. For example, various states have enacted laws around secure disposal of PII, the use of Social Security numbers, protection of medical information and breach notification. Others have adopted general cybersecurity laws addressing all of these issues and more. Many have also applied their consumer protection laws to regulate cybersecurity, as has the federal government.
While ERISA has provisions generally preempting state law (to prevent plans from having to comply with the various laws of 50 different states), the limited case law on the subject suggests that many of these state laws impacting cybersecurity would not be preempted. Accordingly, plan fiduciaries are well-advised to be mindful of these laws and attempt to comply.
This creates a particular challenge because in many cases there is little uniformity among states. What's more, the applicability of a given state's law often depends on the residence of the affected individual, not the state in which the plan is administered. Thus, a plan could be subject to the law of any state in which a participant, former participant or beneficiary resides.
Proactive Measures
Given the severity of the risk and the sizeable body of applicable law, benefit plans should take proactive steps to mitigate the costs and liabilities associated with data breaches. Several such measures are outlined below.
1. Understand the plan's data and come up with a strategy. To develop an effective cybersecurity strategy, it is critical to first understand the data's sensitivity and how the data is maintained, stored, accessed and transmitted.
2. Develop systems to ensure compliance. Once a strategy is developed, responsibility should be allocated for its implementation at all levels of the plan's administration. Individuals with access to data should be trained on cybersecurity. Participants with online access should be advised of the importance of maintaining the confidentiality of their passwords. Finally, procedures for testing security, reporting breaches, retaining data and controlling access to data should be communicated to those tasked with the strategy's enforcement.
3. Have systems in place to respond to a breach and notify affected individuals. Benefit plans should maintain a written incident response plan — a “playbook” — for responding to data breaches and designate a team to ensure its implementation. The plan should consolidate the applicable sources of law, best practices and requisite contacts so that this information is readily accessible when needed. A simulated data breach can help train the team to effectively implement the plan.
4. Continuously manage vendors. Vendors must be carefully scrutinized at the outset and monitored on an ongoing basis. Plans should assess the maturity of the vendor's cybersecurity procedures. This can be done through review of vendor self-assessments, third-party assessments and request for proposal responses. Contracting should be completed with an eye toward cybersecurity — consider adding a data security addendum that addresses such issues as limited access and disclosure, administrative and technical safeguards, data location, breach investigation/notification, vendor liability, subcontracting, data destruction and the like. Throughout the relationship, vendors should be monitored carefully.
5. Consider cyber insurance. There is a wide variety of cyber insurance policies available. Such coverage can fill gaps in a plan's existing insurance protection.

Because plan data is particularly sensitive and susceptible to cyber attack and inadvertent exposure, plan administrators should consider the applicability of state and federal law in developing a cybersecurity framework to protect data and respond to breaches. Adopting a proactive approach is imperative to ensuring the privacy of confidential plan data and minimizing liability if and when a breach does occur.
*****
Robert M. Projansky is a partner in Proskauer Rose's Employee Benefits & Executive Compensation Group and head of the firm's Health Care Reform Task Force. Miriam S. Dubin is an associate in Proskauer's Labor & Employment Law Department and a member of the firm's Employee Benefits & Executive Compensation Group. Malerie L. Bulot, a Summer Associate at Proskauer, assisted in drafting this article. This article also appeared in our ALM sibling, Legaltech News.