United States: Cybersecurity For Retirement Plans

Many cybersecurity breaches have been reported over the last few years. The most notable of these is the recent Equifax breach. These types of breaches pose a threat to plan assets and personal data of participants in employee benefit plans. The main areas of concern include the unauthorized exposure of participants' personal information, the theft of money from retirement accounts, and the infiltration of service provider systems. The cost to a plan sponsor of dealing with a cybersecurity breach can be astronomical. Therefore, plan sponsors and fiduciaries should take steps now to address the risks posed by a cybersecurity attack and develop a strategy for managing those risks.

The Environment

Earlier this year, Equifax, one of the largest credit reporting agencies, disclosed that personal and financial information for around 143 million consumers was compromised in a cybersecurity breach that began in late spring. According to the company, the breach started in May of this year and continued until it was discovered in late July. The information that was stolen includes Social Security numbers, birth dates, driver's license numbers, and addresses. The breach also included credit card numbers for more than 200,000 customers and documentation related to disputes for some 180,000 customers. Unfortunately, this enormous data breach is not unprecedented. In 2013, personal information of approximately one billion Yahoo! users was compromised and, in 2014, the personal information of some 145 million eBay users was also exposed.

Breaches also have occurred in the retirement plan area. In one case, a union pension plan's data was subject to a ransomware attack. Ransomware is a program that holds data hostage until the owner of the data pays a ransom (usually in bitcoin or actual dollars). Fortunately, the union pension plan had adequate backups of the data and was able to avoid paying the ransom. In another case, a hacker caused a government defined contribution plan to issue fraudulent loans from the accounts of participants whose personal information had been stolen. Approximately 60 of these loans were issued to web profiles created by the hacker, costing participants over $2.5 million in plan assets. Other cases have occurred, but they have been largely underreported.

The expense of dealing with a cybersecurity breach can be substantial. These expenses may include the cost of notifying participants of the breach, investigating the breach, recovering data, restoring systems, hiring a public relations firm, reputational damage to the company, and the cost of restoring plan assets. There also may be legal costs; security breaches can trigger governmental investigations, penalties under federal or state law, and civil lawsuits.

The monumental size and high-profile nature of many of these breaches have placed fiduciaries of employee benefit plans on notice of the risk of cyberattacks. Fiduciaries should address these risks to avoid substantial cost and even personal liability.

The Legal Landscape

There are numerous state laws dealing with cybersecurity breaches in which personal information is stolen or otherwise compromised.1 Generally, these laws provide that affected employees must be notified of the breach. They also may give affected employees a private right of action against the employer that failed to safeguard their personal information. Some states even require the employer to provide affected employees with identity theft and credit monitoring protection for a period of time following the breach.

In the area of employee benefit plans, federal regulation governing cybersecurity is not comprehensive. While the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA), governs the protection of health information used or generated by certain health, dental, and vision plans, there is no federal statute or regulation that applies comprehensively to cybersecurity for retirement plans. Many retirement plans are covered by the Employee Retirement Income Security Act of 1974, as amended (ERISA). However, ERISA's application to cybersecurity breaches is unclear. It is possible that ERISA would pre-empt state laws governing cyberbreaches. It is also possible that the fiduciary duty provisions of ERISA would apply to the protection of participants' personal information and data. Personal information may be "plan assets" under ERISA. To the extent the fiduciary provisions apply, then plan fiduciaries would be required to discharge their duties with the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims.2 Plan fiduciaries also would be required to discharge their duties with respect to a plan solely in the interest of plan participants and beneficiaries.3

Several pronouncements issued by the U.S. Department of Labor (DOL) relate to protecting personal information in ERISA-covered plans. For example, in DOL Technical Release No. 2011-03, the DOL stated that in order for a plan administrator to use electronic media (e.g., a web site) for purposes of disclosing information about plan investments, the plan administrator must take "appropriate and necessary measures reasonably calculated to ensure that the electronic delivery system protects the confidentiality of personal information."4 In addition, in DOL Regulation Section 2520.104b-1, the DOL stated that if a plan administrator discloses information about the plan electronically, it must protect the confidentiality of personal information relating to the individual's accounts and benefits.5 Failure to follow either the Technical Release or the DOL regulation could result in civil penalties against the offending plan administrator.

Next Steps for Plan Fiduciaries and Sponsors

The growing trend is for plan fiduciaries to establish prudent procedures to protect plan participants' personal information and plan assets from cyberattacks.

Plan fiduciaries should engage their ERISA counsel to develop a reasonable yet comprehensive approach to dealing with cybersecurity issues for their employee benefit plans. Broadly, the approach should include a review of the plan sponsor's security systems and procedures, a review of the security systems and procedures of third-party service providers (such as the plan's third-party administrator), and communicating with plan participants to help maximize security efforts. Ideally, the strategy for dealing with cybersecurity issues for employee benefit plans should be integrated with the company's overall cybersecurity strategy.

The initial step for implementing a strategy is to identify who is responsible for implementing the strategy. Typically, this would fall upon the administrative and/or investment committee that oversees the plan. A discrete subset of committee members also could be tasked with the responsibility. An important consideration in selecting the committee or members who oversee the strategy is their ability to understand the data and the processes for storing the data.

The first thing the responsible fiduciary should do is evaluate the data security measures currently implemented by the plan sponsor. Coordinating this undertaking with internal IT departments is likely essential. The responsible fiduciary should seek to understand what data is being used, where it is stored, and how it is accessed. Key components of the review will be to determine whether the data is encrypted and whether access to the data is adequately controlled and protected. The responsible fiduciary also should seek to understand how long data is retained and when it is discarded. The responsible fiduciary also should evaluate backup and recovery plans and determine how frequently the plan sponsor's systems are tested.

Next, the responsible fiduciary should identify all service providers with access to plan data, and request and evaluate their cybersecurity programs and controls, including transmission and encryption protocols and procedures. If a service provider has additional security measures that it can offer the plan sponsor, the responsible fiduciary should consider implementing such additional security measures (examples include email alerts, restricting web site access to recognized devices only, and voice verification software). The plan sponsor's ERISA counsel should review the plan's service provider contracts to ensure they address data security, provide appropriate indemnities to the plan sponsor, and otherwise adequately protect the plan sponsor in the event of any loss due to a cybersecurity breach. Generally, service provider agreements should contain appropriate contractual obligations for data protection and a fair apportionment of risk between the parties to the contract. The contract should address compliance with applicable data privacy laws, adherence to relevant industry standards, and the obligations of the parties in the event of a cybersecurity breach. The agreement also should address the level and type of insurance coverage the service provider maintains and whether third-party losses are covered.

Finally, the responsible fiduciary should consider communicating security tips to plan participants in order to bolster security efforts. Such tips could include creating strong passwords. Email addresses and Social Security numbers should not be used for either user names or passwords. The plan sponsor should require stronger passwords, such as those with at least nine characters, including at least one upper case letter, number, and punctuation mark. Plan sponsors also should require participants to frequently update their passwords and security Q&As. Participants should be reminded to keep their user names and passwords private and not to "save" them in their computer's browser. Participants also should be reminded to regularly access their accounts to ensure there has been no tampering or unauthorized access. If there has been unauthorized access or tampering, participants should be told where to report the breach.

Plan fiduciaries should document the steps they have taken to review and improve their employee benefit plans' data security, including communications with service providers and participants, and any changes implemented as a result of such review. To further manage the risk of a cybersecurity breach, plan fiduciaries should consider reviewing applicable insurance coverage. Traditional insurance coverage (fiduciary liability, errors and omissions, directors and officers, and ERISA bonds) may not cover a cybersecurity breach or only provide limited coverage, so additional coverage may be desirable. Any insurance policy covering cybersecurity breaches should be reviewed carefully by someone who is familiar with such policies.


The Equifax breach and other high-profile breaches have put plan sponsors and fiduciaries on notice that the threat of cybersecurity attack is very real. Plan sponsors and fiduciaries need to do all they can in order to protect the personal information of participants and plan assets. Failure to act could be very costly. Plan sponsors and fiduciaries, along with their ERISA counsel, should develop a strategy for addressing and managing the risks of a cybersecurity attack. Such a strategy should include evaluating the plan sponsor's security systems and protocols, evaluating the security systems and protocols of the plan's service providers, and communicating with plan participants in order to maximize security efforts. Undertaking such a strategy is consistent with the standard of prudence by which all ERISA fiduciaries are required to abide, and will serve to protect the plan, plan sponsors, and participants to the maximum extent possible.


1. See, e.g., Cal. Civ. Code §§ 1798.29, 1798.82; N.Y. Gen. Bus. Law § 899-AA; N.Y. State Tech. Law § 208.

2. ERISA § 404(a)(1)(B).

3. ERISA § 404(a)(1).

4. DOL Technical Release 2011-03, Interim Policy on Electronic Disclosure Under 29 CFR 2550.404a-5 (September 13, 2011).

5. 29 C.F.R. § 2520.104b-1(c)(1)(i)(B).

Originally published by Employee Relations Law Journal, Spring 2018.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
