Benefit Plans' Responsibilities re Anthem Data Breach

Anthem, Inc., one of the country's largest health insurance companies, announced on February 5, 2015 that approximately 80 million customers have had their account information stolen. Such information included names, birthdays, medical IDs, Social Security numbers, street addresses, e-mail addresses and employment information, including income data.

Anthem president and CEO Joseph Swedish stated that "Anthem was the target of a very sophisticated external cyber attack."

Anthem has indicated that it will notify each individual whose information has been accessed and will provide free credit monitoring and identity protection. Anthem is referring customers to the following dedicated Web site for further information: http://www.anthemfacts.com/faq

In the meantime, are there any steps that employers should be taking with respect to their group health plans and their employees' information?

With respect to fully insured plans, Anthem has the obligation to notify participants and is completely liable for the breach. Anthem may communicate general information to plan sponsors (e.g., steps being taken to address the breach). Some employers may want to send additional communications to employees to ease their fears.

For self-insured plans, Anthem, as a business associate, must notify the plan sponsor regarding the scope of the breach (i.e., identify those participants who have been affected). Because Anthem will communicate directly with the participants, the plan sponsor does not need to notify them of the breach. Some employers, however, may want to send an additional communication to affected employees to ease their fears. In accordance with servicing agreements and the business associate agreements, Anthem should be liable for the breach.

In the coming days and weeks, Anthem should communicate directly with plan sponsors to tell them how it plans to proceed, when employee communications will be sent, what information will be in the communications, steps that will be taken to mitigate harm and steps that will be taken to prevent future breaches.

Even though Anthem has indicated that it will provide free credit monitoring and identity protection, affected employees should be reminded to be vigilant and to monitor their credit reports, credit cards, etc. Also, depending on the length of the identity protection provided by Anthem, affected employees should consider purchasing identity theft protection (e.g., Identity Guard, LifeLock, TrustedID, and IdentityForce) for a longer period. Finally, affected employees should, during the coming weeks, check Anthem's website regularly for additional information.

The Wagner Law Group is expert in security and privacy matters, and this case demonstrates the need not just to be vigilant, but also to have policies and protocols in place to mitigate the likelihood of a breach and to minimize the effect and downside if a breach were to occur.

Q&As from Marcia Wagner on Impact of New Actuarial Tables

On October 27, 2014, the Society of Actuaries ("SOA") issued the final version of new mortality tables (RP-2014) for use by defined benefit pension plans. The new tables were accompanied by new mortality improvement scales (MP-2014) that project the rates at which future mortality is expected to decrease.

What will the general impact of these new mortality assumptions be once they are implemented by defined benefit plans?

The new assumptions, which are based on a study that began in 2009, confirm the intuitive observation that life expectancies in the United States have been increasing. This makes sense, because fewer people smoke and medical care has improved. As a result, the assumptions underlying the new mortality tables show that in comparison with the existing tables in RP-2000, the age-65 life expectancy for males has increased from 19.6 years to 21.6 years. For age-65 females, the corresponding increase has been from 21.4 years to 23.8 years. The respective percentage increases for males and females are 10.4% and 11.3%.

As life expectancy increases, so does the cost of pension annuity payments. The SOA predicts that retirement liabilities could increase by 4% to 8%, while some actuarial firms estimate that overall cost increases will be at the high end of this range.

What specific plan calculations are affected by RP-2014?

Tax rules require the use of specified mortality assumptions to calculate plan funding, as well as lump sum conversions. 

In the case of funding, IRS regulations currently provide for sex-based mortality assumptions developed from the tables in RP-2000 and adjusted for mortality improvement in accordance with the improvement scales that preceded MP-2014. IRS Notice 2013-49 contains tables based on the old mortality tables (RP-2000) that incorporate these old-style adjustments and can be used in calculating a plan's minimum required contribution for 2014 and 2015. Therefore, the earliest the IRS will require use of the new tables is a valuation date in 2016. When the new assumptions go into effect in 2016 or later, required plan contributions are likely to increase and funding ratios will go down. Of course, the magnitude of these changes will be affected by the age, sex and other characteristics of a particular plan's participants.

The tax code mandates that the present value of certain pension benefits must not be less than the accrued benefit's present value using applicable interest rates and an approved mortality table. This includes the calculation of lump sums. However, for this purpose and in contrast to funding requirements, a unisex blend of male and female mortality assumptions is used. Notice 2013-49 specifies the unisex tables to be used for 2014 and 2015. When these tables are replaced, the longer life expectancy assumptions reflected in the new tables will mean larger lump sums. Plan sponsors will have an incentive to encourage lump sums before RP-2014 becomes effective for tax purposes.

Are there any other consequences to the issuance of RP-2014?

There certainly are, starting with financial reporting. In valuing pension obligations, company auditors look to the plan sponsor's best estimate with respect to mortality assumptions. So the issue becomes whether RP-2014 represents a best estimate and is, therefore, to be favored over older tables. Since the SOA believes that the new tables are needed to accurately measure pension obligations, there will be pressure from auditors for their immediate adoption for accounting purposes, notwithstanding the timing issues that would be involved if used for 2014 year-end measurements.

The updated mortality assumptions are also relevant with respect to meeting plan obligations to disclose to participants the relative value of optional forms of benefit. Plan sponsors should ensure that the assumptions used for this purpose remain reasonable in light of the SOA's research on longevity trends.

Many defined benefit plan sponsors have adopted a de-risking investment strategy involving increased allocations of plan assets to fixed income as the plan's funded status, determined on the basis of accounting liabilities, improves. If RP-2014 causes the plan's funded status to drop, plan sponsors may need to reevaluate scheduled allocations to fixed income.

An increase in funding liabilities can also result in higher PBGC variable rate premiums.

When will the IRS adopt the new mortality assumptions?

The conventional wisdom is that the IRS will mandate use of the RP-2014 mortality tables for 2016 after the expiration of the term set in Notice 2013-49. Certain large corporate and public plans would be entitled to use plan-specific tables, even after 2015, due to their size.

This view on timing may be oversimplifying things, because the IRS cannot require use of the new tables merely by issuing a notice and will have to implement the changes by amending its regulations. The regulatory process, including publication of proposed regulations and a period for public comment, could delay adoption of the new mortality table until 2017 or 2018.

The IRS is under a statutory obligation to review applicable mortality rates for qualified plan funding purposes at least every 10 years, but this does not mean that adoption of the latest SOA tables is required, and there are countervailing factors that may apply. For example, the methodology and data of the SOA study that resulted in the new assumptions were criticized by other actuarial groups, such as the Academy of Actuaries, which suggested that the SOA's new tables might overstate life expectancy. This debate could be rejoined when proposed regulations adopting the new assumptions are opened to public comment.

Further, the end result of the SOA's conclusions regarding improved life expectancy is to increase required contributions, thereby contradicting the objective of recent legislation, such as the Highway and Transportation Funding Act of 2014, which sought to reduce contribution requirements. This raises the possibility that Congress could act to delay the impact of updated mortality assumptions on pension funding. It is important to realize that the SOA's final report and updated tables do not constitute new rules and regulations.