|
In its most recent step to combat cybersecurity risks to employee benefit plans, the U.S. Department of Labor (DOL) clarified on September 6, 2024, that its guidance on cybersecurity applies to health and welfare plans as well as retirement plans. The new guidance underscores the risk to employers that fail to ensure adequate cybersecurity of plan data and assets. Breaches of plan assets and sensitive personal information in plans, such as Social Security numbers, financial account numbers, and health information, occur regularly and can lead to DOL investigations and lawsuits from plan participants.
Although employers generally outsource administration of ERISA plans to service providers, employers retain a fiduciary duty to manage the plan for the benefit of the participants. The DOL appears to interpret this to mean that employers have a duty to safeguard plan data and assets from cybersecurity risks. In 2021, the DOL kicked off a cybersecurity initiative for ERISA plans with the issuance of a press release and three guidance documents on managing cybersecurity risks, which the latest guidance updates. The DOL has since conducted numerous investigations into the cybersecurity programs of ERISA plans.
Cybersecurity and ERISA Plans
ERISA plans are prime targets for hackers. The most immediate payday comes from directly withdrawing money from individuals' retirement accounts. In a single incident, an individual may lose their life savings. Even if the cyber-attackers do not manage to obtain account funds directly, hacking into plans may win them a rich trove of personal data, including names, Social Security numbers, financial account numbers, and health insurance numbers, which the hackers can sell on the black market. Other criminals may then use this data to steal the identity of plan participants or access their financial accounts themselves. Although subject to strict data security requirements under financial and health laws, the financial institutions and health plan administrators that manage plan assets and data are far from immune to data breaches. In a 2024 annual report on data breaches, Verizon reported at least 1,115 confirmed data breaches in the financial and insurance industries and 1,220 confirmed breaches in the healthcare industry.1
Fiduciary Duties and Lawsuits
After a hack impacting an ERISA plan's assets or data, plan participants increasingly respond with litigation. Their targets can include the employer that sponsors the plan, plan administrators, and other fiduciaries. These suits can involve serious allegations, including breaches of the fiduciary duties ERISA imposes, for alleged failures to maintain adequate cybersecurity measures.
The plaintiffs' bar representing participants in such lawsuits is specialized and opportunistic. Hundreds of class actions have been filed against ERISA fiduciaries in the past five years alone. Over 200 ERISA class actions alleging breaches of ERISA's various fiduciary duties were filed in 2020. That pace slowed in 2023, which saw just over 100 ERISA class-action filings. Yet in 2024, the ERISA plaintiffs' bar demonstrated a recommitment to these class actions by filing suits alleging breaches of fiduciary duties concerning forfeiture accounts and employee welfare plans.
Plan sponsors can therefore find themselves targeted by lawsuits questioning their fiduciary practices. As these lawsuits continue, and as the theories pursued in litigation continue to evolve, fiduciaries should understand that their data security practices (and their supervision of the data security practices used by the service providers they hire) could become the subject of litigation. And this risk is not merely theoretical, as there have already been about 20 lawsuits brought under ERISA to challenge fiduciary oversight of cybersecurity practices since 2018.
Federal Agency Focus on Cyber Security in ERISA Plans
Over the past 10 years, the DOL has increased its focus on cybersecurity and the responsibilities of plan sponsors and fiduciaries to implement measures that protect plan participants and plan assets. Among other things, when auditing ERISA-governed plans, the DOL now regularly reviews the cybersecurity efforts of the plans sponsors and fiduciaries. These audits happen more frequently than private lawsuits, as the DOL claims to have closed 907 civil investigations in the 2022 fiscal year.
In 2016, the Advisory Council on Employee Welfare and Pension Benefit Plans issued a document on its examination of cybersecurity considerations related to pension and welfare benefit plans. In preparing the document, the Council expanded on privacy and security issues examined by the 2011 Council and focused on cyber risk management strategies and other efforts to aid plan sponsors, fiduciaries, and service providers to develop cybersecurity programs. While comprehensive, the report was nonbinding.
Extending its focus, in April 2021, the DOL's Employee Benefits Security Administration announced its first guidance on cybersecurity. The agency updated this guidance in September of this year, confirming that it applies to "all types of plans governed by [ERISA], including health and welfare plans, and all employee retirement benefit plans." The guidance is provided in three forms: Tips for Hiring a Service Provider with Strong Cybersecurity Practices, Cybersecurity Program Best Practices, and Online Security Tips. Though offered as recommendations, it is likely that the guidance will become more of a standard or expectation for ERISA-governed plans.
Understanding the DOL's Guidance on Cyber Security for ERISA Plans
As noted above, the DOL has issued three cybersecurity guidance documents. Of these, Tips for Hiring a Service Provider with Strong Cybersecurity Practices ("Tips") applies most directly to employers because employers sponsoring ERISA plans usually hire service providers to administer the plan but retain ultimate responsibility for the plan and are subject to fiduciary duties, which require close monitoring of service providers. Tips contains high-level recommendations for plan sponsors on vetting, and contracting with, plan service providers. The second guidance document, Cybersecurity Program Best Practices, contains recommendations on best practices for plan-related IT-systems and data protection. Cybersecurity Program Best Practices provides more detail than Tips and therefore may be helpful for employers in understanding what the DOL expects from the Tips in practice. Finally, the third document, Online Security Tips, provides tips to plan participants on protecting their online benefits accounts and is therefore less directly relevant to employers sponsoring ERISA plans.
While these three guidance documents seem exhaustive, plan sponsors likely will find their plan committees inundated by practical questions as they attempt to implement them. For example, Tips suggests that plan sponsors "[f]ind out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches[.]" But this does not explain the exact questions plan committees should be asking when vetting potential vendors. Plan sponsors therefore need to ensure their plan committees have identified minimal coverage terms and limits they will accept vendors to carry – and should likely commit to these positions before reviewing bids from potential vendors to avoid time-consuming duplication of efforts. Sponsors also must ensure that the contracts entered with service providers have terms that allow the enforcement of minimal insurance coverage expectations.
As another example, Tips advises that plan sponsors "[a]sk the service provider how it validates its practices, and what levels of security standards it has met and implemented." Yet security standards and validation practices are complicated subjects. Even experienced members of retirement plan committees may not fully understand these topics or have the technical expertise needed to substantively evaluate representations from prospective vendors.
Fortunately, the recommendations in Tips and Cybersecurity Program Best Practices will look familiar to information security professionals and privacy lawyers. The recommendations draw from emerging industry and legal standards for data security. These standards have developed in tandem with the development of electronic data systems over at least three decades and reflect a combination of case law, regulations, regulatory enforcement recommendations from standards-setting bodies, and practical experience. Plan sponsors can aid committees in evaluating vendor data security practices by having them work with information security professionals and privacy lawyers to understand industry and legal standards for cybersecurity.
Although it is unclear exactly what steps the DOL would deem "prudent" to ensure plan cybersecurity, plan sponsors and their committees can borrow from industry standards and the growing body of data protection common law. For example, service providers commonly validate their data security practices through annual third-party audits of their compliance with data security standards such as ISO 27001 or SOC 2. Plan sponsors may want to ensure that their committees understand standards like these, and that they are able to explain why they consider the measures they implemented were sufficient to protect participant data.
What Is New in the DOL's Updated Cybersecurity Guidance
The DOL's updated versions of its three guidance documents leave the bulk of the guidance unchanged. However, the new versions clarify that the DOL's cybersecurity recommendations apply to health and welfare plans as well as retirement plans. They also add a few additional suggestions on cybersecurity.
Application to Health and Welfare Plans
The 2021 guidance documents appeared to focus solely on retirement plans. The updated versions revised the introduction to each document to reference health and welfare plans in addition to retirement plans. However, most of the substantive guidance remains the same.
Because health and welfare plans are usually subject to HIPAA, cybersecurity guidance from the DOL seemed unnecessary. HIPAA regulations already impose detailed data security rules on employee health plans.2 These rules are not only significantly more demanding in substance than the DOL's cybersecurity recommendations, but because they are regulations, the HIPAA rules have more legal force than the DOL's guidance. Moreover, the U.S. Department of Health and Human Services (HHS), as well as state attorneys general, rigorously enforce compliance with HIPAA data security rules. HHS routinely conducts investigations of organizations that have experienced HIPAA data breaches and has reached seven-figure settlements with companies for violations of HIPAA's security rules. Nevertheless, the DOL's revision of its cybersecurity guidance to apply to health and welfare plans seems to confirm its intention to join HHS in enforcing data security standards for these plans – and to ensuring that plan sponsors are adequately monitoring vendors hired to administer these plans.
Already, many companies, after suffering a breach of employee health plan data, have found themselves the target of separate investigations by HHS and the DOL. In some cases, however, the DOL's cybersecurity guidance may fill a gap. Certain welfare plans are exempted from HIPAA, such as disability plans, accidental death benefits, and commuter benefits, and therefore HIPAA's data security rules and HHS's enforcement authority do not apply. But sponsors should be aware that the DOL's cybersecurity guidance could prove relevant to the data security practices used in connections with these programs.
New Cybersecurity Recommendations
The updated guidance documents also contain a few new cybersecurity recommendations. These include advice on multi-factor authentication, additional guidance on the qualifications for data security personnel, and recommendations on insurance provisions in service provider contracts.
Practical Implications and Takeaways
Sponsors of ERISA plans might consider the following steps to reduce cybersecurity risks and protect against allegations that cybersecurity measures implicated by fiduciaries are inadequate to protect participants:
- Review and, if necessary, enhance vetting programs for service providers to their plans;
- Review contracts with plan service providers to ensure sufficient data security protocols have been memorialized;
- Provide plan committee members with training on cybersecurity topics to ensure they can adequately negotiate and monitor service provider security measures;
- Audit plan service providers to ensure they are living up to their promised cybersecurity commitments; and
- Identify minimum cybersecurity protocols and insurance coverage provisions that will be accepted by plan service providers before entertaining bids or negotiations from vendors.
Negotiating, interpreting, and auditing fiduciary practices can be a complicated task for even the most experienced plan sponsors and plan committees. This is especially true in an area that develops as rapidly as data security. Plan sponsors should therefore consult with experienced legal counsel should any questions arise.
Footnotes
1. 2024 Data Breach Investigations Report, Verizon Business.
2. See 45 C.F.R. 164 Subpart C.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.