Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

Securing Your Information-Rich Employee Benefit Plans

By Robert M. Projansky and Miriam S. Dubin
October 02, 2017

In today's digital environment, where a single ransomware attack can cripple hundreds of thousands of computer systems worldwide in a matter of days, most people recognize that protecting confidential information is more important than ever before. Much of today's discussion focuses on the exposure of consumer data, like credit card numbers.

However, a shift in focus may be necessary, as hackers have turned to a more information-rich source: employee benefit plans. This article examines the threat facing benefit plans, explores the applicable legal landscape, and recommends steps to better equip plans to prepare for and manage data breaches.

Cybersecurity Risks to Plan Information

Benefit plan data is especially sensitive because it can include a wealth of personally identifiable information (PII) — often far more than a simple consumer data breach — such as Social Security numbers, dates of birth, financial and medical information, family members and bank account details. This suggests that benefit plans may be a prime target for hackers. Moreover, plan administration often involves third-party vendors over which benefit plan administrators have less control, putting data at further risk of inadvertent or deliberate breach. Adding further to the risk is that participants themselves often have online access to their own sensitive information, creating yet another vulnerability.

Not unlike consumer data breaches, breaches can occur at the plan, vendor or participant level for both innocent and nefarious reasons — infected Web sites, phishing schemes, malware infections, viruses, advance persistent threats (i.e., repeated and targeted attacks, often by a foreign state), the accidental transfer of data to unintended third parties, loss of mobile devices and so on.

Being Cognizant of Applicable Law

For plans, the consequences of such breaches are heightened because a single breach can trigger liability under multiple state and federal laws.

From the federal law perspective, much attention has been focused on the Health Insurance Portability and Accountability Act (HIPAA), which requires health plans to protect the privacy of participant information, conduct risk assessments, and implement appropriate procedural and technical safeguards and notify affected individuals of breaches. Some are now beginning to suggest that the Employee Retirement Income Security Act of 1974 (ERISA) may also be a potential source of liability.

While ERISA does not expressly set forth required measures for protecting plan data, some practitioners have argued that such an obligation exists under ERISA's general fiduciary duty provisions. Specifically, ERISA mandates plan fiduciaries to act with the care, skill and diligence that a prudent person familiar with such matters would use in like circumstances (ERISA § 404(a)(1)(B)). These practitioners have prognosticated that, given the proliferation of cyberattacks and particular sensitivity of the data involved, it is only a matter of time before a plaintiff argues that an individual familiar with the holding of sensitive data would have taken specific steps to protect it — thus creating a duty for the plan fiduciary. In the absence of specific guidance from the U.S. Department of Labor, the challenge is how to identify the measures that will satisfy this duty, if it does exist.

Apart from the federal law, many states have enacted laws that impact cybersecurity. For example, various states have enacted laws around secure disposal of PII, the use of Social Security numbers, protection of medical information and breach notification.

While ERISA has provisions generally preempting state law (to prevent plans from having to comply with the various laws of 50 different states), the limited case law on the subject suggests that many of these state laws impacting cybersecurity would not be preempted. Accordingly, plan fiduciaries are well-advised to be mindful of these laws and attempt to comply.

Proactive Measures

Given the severity of the risk and the sizeable body of applicable law, benefit plans should take proactive steps to mitigate the costs and liabilities associated with data breaches. Several such measures are outlined below.

1. Understand the plan's data and come up with a strategy. To develop an effective cybersecurity strategy, it is critical to first understand the data's sensitivity and how the data is maintained, stored, accessed and transmitted.

2. Develop systems to ensure compliance. Once a strategy is developed, responsibility should be allocated for its implementation at all levels of the plan's administration. Individuals with access to data should be trained on cybersecurity. Participants with online access should be advised of the importance of maintaining the confidentiality of their passwords. Finally, procedures for testing security, reporting breaches, retaining data and controlling access to data should be communicated to those tasked with the strategy's enforcement.

3. Have systems in place to respond to a breach and notify affected individuals. Benefit plans should maintain a written incident response plan — a “playbook” — for responding to data breaches and designate a team to ensure its implementation. The plan should consolidate the applicable sources of law, best practices and requisite contacts so that this information is readily accessible when needed. A simulated data breach can help train the team to effectively implement the plan.

4. Continuously manage vendors. Vendors must be carefully scrutinized at the outset and monitored on an ongoing basis. Plans should assess the maturity of the vendor's cybersecurity procedures. This can be done through review of vendor self-assessments, third-party assessments and request for proposal responses. Contracting should e completed with an eye toward cybersecurity — consider adding a data security addendum.

5. Consider cyber insurance. Cyber insurance can fill gaps in a plan's existing insurance protection. Because plan data is particularly sensitive and susceptible to cyber attack and inadvertent exposure, plan administrators should consider the applicability of state and federal law in developing a cybersecurity framework to protect data and respond to breaches. Adopting a proactive approach is imperative to ensuring the privacy of confidential plan data and minimizing liability if and when a breach does occur.

*****
Robert M. Projansky is a partner in Proskauer Rose's Employee Benefits & Executive Compensation Group, and is head of the firm's Health Care Reform Task Force. Miriam S. Dubin is an associate in the firm. Malerie L. Bulot, who was a Summer Associate, assisted in drafting this article, which also appeared in ALM's Legaltech News.

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
How Secure Is the AI System Your Law Firm Is Using? Image

In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.

COVID-19 and Lease Negotiations: Early Termination Provisions Image

During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.

Pleading Importation: ITC Decisions Highlight Need for Adequate Evidentiary Support Image

The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.

The Power of Your Inner Circle: Turning Friends and Social Contacts Into Business Allies Image

Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.

Authentic Communications Today Increase Success for Value-Driven Clients Image

As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.