By Stephen Wilkes and Livia Quan Aber
We previously discussed cybersecurity best practices and provided the latest updates on recent ERISA cybertheft lawsuits here and here. With the proliferation of storage and dissemination of participant personal information in communications among plans, participants and service providers, the occurrence of cyber breaches has increased exponentially. Lawmakers have also recognized this risk and in 2019 asked the Government Accountability Office (GAO) to examine the cybersecurity of the U.S. retirement system. Days ago, the Securities and Exchange Commission issued a Risk Alert describing the increase in cyber attacks against registered investment advisers and broker-dealers that, in some cases, result in the loss of customer assets or unauthorized access to customer information.
The only known position of the U.S. Department of Labor (“DOL”) on the protection of electronic participant personal data appears in its electronic disclosure regulations. The DOL took similar positions in both the 2002 and 2020 final regulations on electronic disclosures, which require the plan administrator to take measures “reasonably calculated” to protect the confidentiality of participant personal information. In the preamble to the 2020 final regulations, the DOL provides a safe harbor for the electronic furnishing of required participant disclosures and emphasizes that plan fiduciaries have an overarching fiduciary duty to protect all participant personal information under the prudence standard of ERISA section 404. See our Law Alert on this topic here.
There is more to employee benefit plan cybersecurity than best practices. A number of legal questions remain unanswered and there is an acute need for comprehensive guidance from the DOL. These questions include: what is the specific personal and/or confidential participant information that must be safeguarded by plan fiduciaries; what standard of care applies to the protection of participant personal information; what is the plan administrator’s responsibility with respect to disclosing to participants the unauthorized appropriation of participant information; and whether state cybersecurity, privacy, consumer protection or other laws are pre-empted by ERISA.
The Wagner Law Group recently submitted a letter to the DOL requesting it to issue comprehensive cybersecurity guidance addressing seven specific questions. You can read our letter here. Please contact us to see how we can assist in navigating cybersecurity protocols, procedures and practices.