Cybersecurity and Benefit Plans

It is undetermined whether participants’ private data is protected
Reported by Marcia Wagner

In 2010, in its annual technical session with the Joint Committee on Employee Benefits (JCEB), the Department of Labor (DOL) was asked the following: “In an era of enhanced privacy protections, some participants have complained that personally identifiable information [PII] releases have occurred under state privacy laws. … Does the DOL agree that state privacy laws regarding PII releases are not applicable to plan administration communications from authorized third-party service providers?”

The DOL’s response was that it had insufficient information to answer the question. It indicated that “without specific statutory language and a description of how the statute relates to [a specific] ERISA [Employee Retirement Income Security Act]-covered employee benefit plan, staff was unable to determine whether a particular state privacy statute is pre-empted by ERISA.” Seven years later, ERISA pre-emption of state data privacy laws is still an unresolved issue.

Further, assuming that a state data protection statute is pre-empted, it is unclear what types of action a plan participant could maintain (i.e., pursue to a conclusion). For example, some recent district court cases have held that data security is not a benefit as that term is used under ERISA. As a result, a participant cannot bring an action under ERISA Section 50(a)(1)(B) to recover benefits due him under the terms of the plan or to clarify his rights to future benefits under the terms of the plan. However, in In Re: Premera Blue Cross Customer Data Security Breach Litigation, an Oregon district court indicated that a plaintiff could maintain an action to enforce his rights if he could establish that his health benefit contract covered data security promises, what the contours of those promises were, and whether those contractual provisions were breached. Note, however, that here, too, there is contrary authority.

Another unresolved issue is whether private participant data is a plan asset under ERISA’s fiduciary duty provisions. While ERISA does not provide a general definition of “plan asset,” courts have followed the position of the DOL that notions of ordinary property rights address that question, but that analysis is of limited help with respect to private participant plan data.

Notwithstanding this uncertain legal background, cybersecurity is an issue that sponsors of retirement plans should address. One starting point would be to piggyback upon the arrangements entered into by health plans. Health plan sponsors enter into business associate agreements with third-party administrators (TPAs) and other service providers to protect participants’ private information and allocate responsibility for notifications and mitigation in the event of a breach.

In the same vein, it would be appropriate to see how the plan sponsor is dealing with cybersecurity issues outside of the benefits plan context. More corporate boards are now paying attention to cybersecurity issues as part of their oversight function, and a company’s chief technology officer may be reporting to the board or to the audit and risk committee on a regular basis. Data security policies or a cybersecurity program may already be in place. Another area to examine is cyber insurance; this differs from plan fiduciaries’ traditional third-party insurance, which is triggered by litigation. Cyber insurance can be first-party insurance.

In its 2016 report “Cybersecurity Considerations for Benefit Plans,” the ERISA Advisory Council includes a detailed cybersecurity risk management strategy—also the starting point under the security policies of the Health Insurance Portability and Accountability Act (HIPAA). The plan sponsor must understand what data it has, where that data is stored, who is accessing it and how, and whether the access is properly controlled. For example, a best practice may be to ensure that account access is limited to key personnel.

After information concerning the data is obtained, the relevant fiduciary, possibly with the aid of a consulting expert, can assess any threats to the data. If the plan is a large one with sufficient resources, it may request a third party to perform a penetration analysis to determine the system’s vulnerabilities. This is more than a technology exercise, because a frequent source of breach is negligence or carelessness by an employee. Once the risks are identified, measures should be taken to reduce them. Because even the most sophisticated of risk management analyses will not provide 100% assurance against a breach, a policy for addressing breaches should be established.

Additionally, contracts with vendors having access to participant data should be reviewed. These contracts should have appropriate representations and warranties with respect to data protection, including the service provider’s cyber insurance, and an agreement by the service provider to regularly have its controls reviewed by outside parties.

Marcia Wagner is an expert in a variety of employee benefits and executive compensation areas, including qualified and nonqualified retirement plans, and welfare benefit arrangements. She is a summa cum laude graduate of Cornell University and Harvard Law School and has practiced law for 30 years. Wagner is a frequent lecturer and has authored numerous books and articles.
