Follow Us

Law.com Subscribers SAVE 30%

Call 855-808-4530 or email GroupSales@alm.com to receive your discount on a new subscription.

Commercial Law Law Firm Management Regulations Technology Media and Telecom

Privacy and Security of Personal Information Collected by Benefit Plans

High profile cyberattacks and data breaches have become routine occurrences. Cyber threats are so pervasive that many privacy and security experts advise that responsible parties ' like fiduciaries of employee benefit plans ' should prepare for when a data breach occurs, not if. Plan sponsors and fiduciaries should be aware of, and address, security and privacy issues in connection with personal information.

Print
X

Thank you for sharing!

Your article was successfully shared with the contacts you provided.

High profile cyberattacks and data breaches have become routine occurrences. Cyber threats are so pervasive that many privacy and security experts advise that responsible parties ‘ like fiduciaries of employee benefit plans ‘ should prepare for when a data breach occurs, not if . Data collected by employee benefit plans includes sensitive information that makes them a particularly attractive target for cybercrime. While the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH), sets forth requirements applicable to the security and privacy of protected health information collected by health plans, no such guidance currently exists with respect to the security and privacy of personal identifiable information (PII) collected by employee benefit plans other than health plans. However, plan sponsors and fiduciaries should be aware of, and address, security and privacy issues in connection with PII.

Personal Identifiable Information

The Office of Management and Budget (OMB) defines PII as “information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.” OMB Memorandum M-07-16. The U.S. Department of Labor (DOL) has, at least informally, stated that information permitting the physical or online contacting of a specific individual is the same as personally identifiable information, and that this information can be maintained in either paper, electronic or other media.

ERISA Advisory Council

In response to increasing concerns about privacy, security, and fraud in the benefits area, in 2011, the Advisory Council on Employee Welfare and Pension Benefit Plans (the Council) presented its report on privacy and security issues affecting employee benefit plans. The common threats identified by the Council were the theft of personal identities and other PII, and the theft of money from bank accounts, investment funds, and retirement accounts. The Council identified four major areas for effective practices and policy as follows: data management, technology management, service provider management, and people issues. The Council also identified the following practices for employers and plan sponsors in each of the four major areas to minimize security breaches:

Data Management

Technology Management

Service Provider Management

People Issues

The Council also identified the following general practices:

The Council noted the complex legal environments governing mutual funds, banks, insurance companies, and health benefit plans with regard to securing PII. The framework includes HIPAA, HITECH, the Fair Credit Reporting Act, the Fair and Accurate Credit Transactions Act, the Gramm-Leach-Bliley Act, and various state identify theft, consumer protection, and breach notification laws.

The Council recommended that the DOL provide guidance on the obligation of plan fiduciaries to secure and keep private the PII of plan participants and beneficiaries, including the extent to which PII of benefit plan participants and beneficiaries should be protected in plan administration. To date, however, no such guidance has been provided by the DOL. A 2016 Advisory Council is examining the elements of a scalable cyber risk management strategy for benefit plans, with the intent to draft recommendations to the Secretary of Labor for consideration.

Fiduciary Standard Under ERISA

The Employee Retirement Income Security Act of 1974 (ERISA), as amended, imposes the prudent person standard of care. A fiduciary must discharge his or her duties with respect to a plan solely in the interest of the participants and beneficiaries and for the exclusive purpose of providing benefits to participants and their beneficiaries and defraying reasonable expenses of administering the plan. In doing so, the fiduciary must act with the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent person acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims. Fiduciaries that breach their duties are held personally liable under ERISA.

ERISA does not specifically address privacy and security of PII; however, given the frequency and common nature of cyberattacks, a prudent fiduciary should evaluate and address such risks. As such, fiduciaries should establish and follow policies and procedures for collecting and securing PII. Fiduciaries may look to the practices set forth by the Council as a starting point in establishing such policies and procedures. The rules under HIPAA and HITECH also provide a frame of reference from which fiduciaries may evaluate privacy and security issues. Given the extent to which plan sponsors and fiduciaries tend to rely on third-party administrators for plan administration, service provider management is a particularly important area of focus.

Service Provider Selection and Management

As noted by the Council, plan sponsors should assess privacy and security factors in selecting service providers. Plan sponsors should have an ongoing process for monitoring its service providers and documenting their diligence efforts in this regard. Many service providers are already subject to certain industry-specific regulations regarding PII. Plan sponsors should generally understand which, if any, regulatory schemes to which their service providers are subject, and request documentation from the service providers regarding compliance with such regulations. Plan sponsors should also request information from their service providers regarding security systems and risks, including audit information such as Statements on Standards for Attestation Engagements No. 16 and related Service Organization Control reports. Plan sponsors should also review service provider agreements to ensure that privacy, security, liability provisions, and standards imposed on subcontractors are appropriate. Plan sponsors should review and monitor the service providers’ security and privacy programs.

Cyber Risk Insurance

Plan sponsors should consider whether specific cyber risk insurance coverage is appropriate. Cyber risk insurance is generally not included in typical commercial liability coverage. Cyber and privacy policies cover liability arising from a data breach. Such policies may cover a variety of expenses associated with data breaches including notification costs, credit monitoring, costs to defend certain regulatory claims, fines and penalties, and other losses arising from identity theft. Employee benefit plans may benefit from separate cyber risk insurance coverage; however, plan sponsors and fiduciaries should understand how any existing cyber risk and fiduciary liability coverages may address cyber claims related to employee benefit plans to determine if separate coverage is necessary. Plan sponsors and fiduciaries should also understand how such coverages treat both first-party claims and third-party claims. First-party claims generally include direct costs for responding to a breach, while third-party claims generally include lawsuits from affected participants and responding to regulators.

Conclusion

Despite the absence of specific guidance (other than HIPAA and HITECH), plan sponsors and fiduciaries need to be aware of privacy and security issues related to PII. Furthermore, plan sponsors and fiduciaries should actively and prudently evaluate and address privacy and security concerns related to PII collected by employee benefit plans, and develop appropriate policies and procedures to limit exposure.


Marc Bussone is a lawyer in the Nashville, TN, office of Bradley Arant Boult Cummings LLP where he advises clients on a broad range of employee benefit and executive compensation matters. Bussone works with plan sponsors and fiduciaries on all aspects of regulatory compliance matters related to benefit plans. He can be reached at mbussone@bradley.com.

The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.

Read These Next