On April 14, 2021, the Department of Labor (“DOL”) issued several pieces of guidance on cyber security best practices, including: (1) a press release, (2) Online Security Tips for retirement plan participants, (3) a Tips for Hiring a Service Provider with Strong Cybersecurity Practices, and (4) Cybersecurity Program Best Practices. This set of cybersecurity guidance emphasizes how critical it is for fiduciaries to focus on cybersecurity issues in selecting, contracting with and monitoring the performance of recordkeepers and other plan service providers to protect plan participants. Fiduciaries should focus on cybersecurity in performing service provider due diligence, in negotiating service provider contracts, and in ongoing monitoring of a service provider’s compliance with policies and procedures and to ensure that any breaches are promptly reported, investigated and addressed.
Cybersecurity and Fiduciary Duties
The ERISA fiduciary standards require that a plan be administered in accordance with a standard of care for a prudent person who is familiar with such matters. Accordingly, ERISA fiduciaries must ensure that a plan’s administration is in accordance with industry standards for cybersecurity in the financial services industry. Fiduciaries have a responsibility to safeguard plan assets, and so they must ensure that controls are in place to avoid financial losses to plans that may result from a cybersecurity breach.
Breaches of participant data due to cybersecurity incidents could also implicate fiduciary duties to the extent that participant data are considered “plan assets,” as has been challenged in some recent litigation. These cases involve claims that participant data has been improperly used for purposes other than plan administration, such as for marketing of other services. The limited number of courts that have ruled on the issue applied ordinary principles of property law to conclude that participant data is not a plan asset. Divane v. Northwestern University, 2018 WL 2388118 (N.D. Ill. 2018), aff’d, 953 F.3d 980 (7th Cir. 2020); Harmon v. Shell Oil Co., 2021 WL 1232694 (S.D. Tex. March 30, 2021). However, the issue remains an open question in most jurisdictions.
Cybersecurity Considerations for Fiduciaries
The DOL’s cybersecurity guidance affirms the importance of taking cybersecurity into consideration when fiduciaries are selecting, contracting with and monitoring recordkeepers or other plan service providers. In particular, the “Tips for Hiring a Service Provider with Strong Cybersecurity Practices” encourages fiduciaries to address cybersecurity as follows:
- Due Diligence. In selecting a service provider, fiduciaries should review the service provider’s cybersecurity policies and procedures to assess how they compare to industry standards. This includes:
o Confirming whether third party audits are performed and reviewing any audit reports;
o Inquiring about any security incidents and what steps have been taken in response to them;
o Reviewing public information, including litigation records, regarding any cybersecurity incidents involving a service provider; and
o Assessing levels of cybersecurity or identity theft insurance policies and levels of coverage.
- Contract Provisions. Contracts with service providers should:
o Require the service provider to obtain a third party audit to assess compliance with policies and procedures;
o Prohibit the use or sharing of participant information without consent and generally meet a strong standard of care for protecting the information;
o Require prompt notification in the event of any cyber incident or data breach and cooperation to investigate and address the cause of the breach;
o Require compliance with privacy laws and regulations regarding the privacy and security of participant information; and
o Require appropriate levels of professional liability and errors and omissions insurance, cyber liability and privacy breach insurance and other fiduciary bond or blanket crime insurance.
The DOL’s “Cybersecurity Best Program Practices” describe what the DOL believes to be best practices and procedures for service providers. Plan fiduciaries can use this as a reference in evaluating the cybersecurity practices and procedures of potential service providers.
Fiduciaries may also want to ensure that the “Online Security Tips” are shared with individual participants or similar information is provided by the plan’s recordkeeper or other service provider.
While we are pleased to have you contact us by telephone, surface mail, electronic mail, or by facsimile transmission, contacting Kilpatrick Townsend & Stockton LLP or any of its attorneys does not create an attorney-client relationship. The formation of an attorney-client relationship requires consideration of multiple factors, including possible conflicts of interest. An attorney-client relationship is formed only when both you and the Firm have agreed to proceed with a defined engagement.
DO NOT CONVEY TO US ANY INFORMATION YOU REGARD AS CONFIDENTIAL UNTIL A FORMAL CLIENT-ATTORNEY RELATIONSHIP HAS BEEN ESTABLISHED.
If you do convey information, you recognize that we may review and disclose the information, and you agree that even if you regard the information as highly confidential and even if it is transmitted in a good faith effort to retain us, such a review does not preclude us from representing another client directly adverse to you, even in a matter where that information could be used against you.