High profile cyberattacks and data breaches have become routine occurrences. Cyber threats are so pervasive that many privacy and security experts advise that responsible parties ‘ like fiduciaries of employee benefit plans ‘ should prepare for when a data breach occurs, not if . Data collected by employee benefit plans includes sensitive information that makes them a particularly attractive target for cybercrime. While the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH), sets forth requirements applicable to the security and privacy of protected health information collected by health plans, no such guidance currently exists with respect to the security and privacy of personal identifiable information (PII) collected by employee benefit plans other than health plans. However, plan sponsors and fiduciaries should be aware of, and address, security and privacy issues in connection with PII.
Personal Identifiable Information
The Office of Management and Budget (OMB) defines PII as “information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.” OMB Memorandum M-07-16. The U.S. Department of Labor (DOL) has, at least informally, stated that information permitting the physical or online contacting of a specific individual is the same as personally identifiable information, and that this information can be maintained in either paper, electronic or other media.
ERISA Advisory Council
In response to increasing concerns about privacy, security, and fraud in the benefits area, in 2011, the Advisory Council on Employee Welfare and Pension Benefit Plans (the Council) presented its report on privacy and security issues affecting employee benefit plans. The common threats identified by the Council were the theft of personal identities and other PII, and the theft of money from bank accounts, investment funds, and retirement accounts. The Council identified four major areas for effective practices and policy as follows: data management, technology management, service provider management, and people issues. The Council also identified the following practices for employers and plan sponsors in each of the four major areas to minimize security breaches:
- Keep only data that is needed.
- Use effective processes to discard unnecessary data, including back-up paper and electronic copies.
- Know where PII is located in all of the organization’s systems.
- Understand cloud computing and/or remote data storage, including how data is stored and protected.
- Keep computer systems updated, including prompt installation of software patches.
- Stay current on electronic threats and effective response.
- Follow National Institute of Security and Technology guidelines on computer configuration.
- Maintain complete log-in for the network, firewalls, routers, and key software applications.
- Limit or define usage of portable devices.
Service Provider Management
- Consider privacy and security factors regarding the selection and performing of due diligence for providers.
- Make sure subcontractors are held to the same standards as the service provider.
- Perform criminal background checks and drug screening for employees with access to PII.
- Ensure all personnel who have access to PII are trained in properly safeguarding it. Include training in areas such as data retention/destruction, social networking, social engineering, and litigation holds.
- Designate an individual to be in charge of privacy and security.
- Educate all stakeholders regarding appropriate focus according to their roles.
- Implement and test contingency plans for use in the event of a data breach.
- Educate employees about the importance of safe-guarding their data at all times.
- Focus on security measures in place for distributions. Ensure added security for participants at the time of distribution.
The Council also identified the following general practices:
- Make sure to know what partners have access to PII and that they are paying attention to these issues.
- Perform periodic risk assessments (Generally Accepted Privacy Principles (GAPP)).
- Maintain good controls and be careful about who can over-ride them.
- Use a process to confirm compliance with all policies.
- Make sure policies are clear and communicated to all appropriate parties.
The Council noted the complex legal environments governing mutual funds, banks, insurance companies, and health benefit plans with regard to securing PII. The framework includes HIPAA, HITECH, the Fair Credit Reporting Act, the Fair and Accurate Credit Transactions Act, the Gramm-Leach-Bliley Act, and various state identify theft, consumer protection, and breach notification laws.
The Council recommended that the DOL provide guidance on the obligation of plan fiduciaries to secure and keep private the PII of plan participants and beneficiaries, including the extent to which PII of benefit plan participants and beneficiaries should be protected in plan administration. To date, however, no such guidance has been provided by the DOL. A 2016 Advisory Council is examining the elements of a scalable cyber risk management strategy for benefit plans, with the intent to draft recommendations to the Secretary of Labor for consideration.
Fiduciary Standard Under ERISA
The Employee Retirement Income Security Act of 1974 (ERISA), as amended, imposes the prudent person standard of care. A fiduciary must discharge his or her duties with respect to a plan solely in the interest of the participants and beneficiaries and for the exclusive purpose of providing benefits to participants and their beneficiaries and defraying reasonable expenses of administering the plan. In doing so, the fiduciary must act with the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent person acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims. Fiduciaries that breach their duties are held personally liable under ERISA.
ERISA does not specifically address privacy and security of PII; however, given the frequency and common nature of cyberattacks, a prudent fiduciary should evaluate and address such risks. As such, fiduciaries should establish and follow policies and procedures for collecting and securing PII. Fiduciaries may look to the practices set forth by the Council as a starting point in establishing such policies and procedures. The rules under HIPAA and HITECH also provide a frame of reference from which fiduciaries may evaluate privacy and security issues. Given the extent to which plan sponsors and fiduciaries tend to rely on third-party administrators for plan administration, service provider management is a particularly important area of focus.
Service Provider Selection and Management
As noted by the Council, plan sponsors should assess privacy and security factors in selecting service providers. Plan sponsors should have an ongoing process for monitoring its service providers and documenting their diligence efforts in this regard. Many service providers are already subject to certain industry-specific regulations regarding PII. Plan sponsors should generally understand which, if any, regulatory schemes to which their service providers are subject, and request documentation from the service providers regarding compliance with such regulations. Plan sponsors should also request information from their service providers regarding security systems and risks, including audit information such as Statements on Standards for Attestation Engagements No. 16 and related Service Organization Control reports. Plan sponsors should also review service provider agreements to ensure that privacy, security, liability provisions, and standards imposed on subcontractors are appropriate. Plan sponsors should review and monitor the service providers’ security and privacy programs.
Cyber Risk Insurance
Plan sponsors should consider whether specific cyber risk insurance coverage is appropriate. Cyber risk insurance is generally not included in typical commercial liability coverage. Cyber and privacy policies cover liability arising from a data breach. Such policies may cover a variety of expenses associated with data breaches including notification costs, credit monitoring, costs to defend certain regulatory claims, fines and penalties, and other losses arising from identity theft. Employee benefit plans may benefit from separate cyber risk insurance coverage; however, plan sponsors and fiduciaries should understand how any existing cyber risk and fiduciary liability coverages may address cyber claims related to employee benefit plans to determine if separate coverage is necessary. Plan sponsors and fiduciaries should also understand how such coverages treat both first-party claims and third-party claims. First-party claims generally include direct costs for responding to a breach, while third-party claims generally include lawsuits from affected participants and responding to regulators.
Despite the absence of specific guidance (other than HIPAA and HITECH), plan sponsors and fiduciaries need to be aware of privacy and security issues related to PII. Furthermore, plan sponsors and fiduciaries should actively and prudently evaluate and address privacy and security concerns related to PII collected by employee benefit plans, and develop appropriate policies and procedures to limit exposure.
The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.