Cybersecurity Guidance Welcome, but Unanswered Questions Remain

By Stephen Wilkes and Barry Salkin

It has been a few months since the Department of Labor (“DOL”) issued its long-anticipated and long-requested guidance to plan fiduciaries and service providers (and surprisingly, to plan participants, as well) on issues pertaining to cybersecurity, although in an unexpected format. Rather than proposing regulations or issuing a Field Advisory Bulletin, or perhaps an information letter that it knew would be widely circulated, DOL chose to provide a detailed list of actions for each of these three categories of persons to take.  There have been an increased number of cybersecurity investigations by DOL as well, which is somewhat surprising given the relatively short amount of time that has passed since DOL released its views on best practices.

Nature of Guidance 

The DOL ordinarily prescribes principle-based guidance, because fiduciary duties are duties of a general nature. In contrast, these tips are prescriptive and unusually detailed, such as recommending as a best practice that service providers review access privileges at least every three months, rather than as reasonably necessary, or conduct an annual penetration test. Plan fiduciaries and service providers will likely seek to comply with these recommended best practices, if only because plaintiffs’ counsel will be using these recommended best practices as a checklist for potential lawsuits. Plan sponsors may even already be doing some of these things in the capacity of a business subject to its governing state(s) cybersecurity laws. 

Judicial Deference

It is unclear what type of deference a court would give the DOL guidance. It would probably be entitled to respect based upon its persuasiveness in accordance with Skidmore v. Swift & Co., 323 U.S. 134 (1944), the lowest level of judicial deference, although a court might consider  significant portions of this guidance to be outside the scope of the DOL’s expertise.

Unresolved Issues

For those administering employee benefit plans, both pension and welfare (the focus of the guidance is on pension plans, though it could apply to welfare plans), this type of check-the-box guidance is helpful, and an agency should not be faulted for its decision to provide guidance in one format or another. The DOL is to be applauded for moving forward to answer the retirement industry’s questions.  Even so, certain issues remain open.

For context, last fall The Wagner Law Group, in addition to drafting two client alerts with respect to cybersecurity, one focusing on recent litigation involving cybersecurity breaches, wrote to the DOL requesting guidance on seven key issues relating to cybersecurity, almost none of which were addressed in the cybersecurity guidance:

  1. What personal information and/or confidential information must be safeguarded by plan administrators and other plan fiduciaries to comply with ERISA’s fiduciary standards?
  2. Is there a difference between a plan administrator’s overarching duty under ERISA Section 404 to protect a participant’s personal information (“PPI”), and the “reasonably calculated” furnishing standard in the 2020 final regulations dealing with electronic disclosures?
  3. For purposes of misappropriation of PPI, is PPI a plan asset under ordinary notions of property rights? Does the resolution of this question affect the application of ERISA Section 404 to protect PPI?
  4. What is a plan administrator’s responsibility to communicate with participants when there has been an unauthorized appropriation of PPI?
  5. What losses due to cybersecurity breaches in plans’ or the plan service providers’ systems are covered by a bond under ERISA Section 412 and implementing regulations?
  6. What identity verification responsibilities do plan fiduciaries have in instances of accidental loss of PPI and/or accidental failures to follow plan cybersecurity protocols by participants and beneficiaries?
  7. Are state cybersecurity, privacy, and consumer protection laws preempted by ERISA? Are there other state law claims that are not preempted?

If adherence to the DOL’s recommended best practices would eliminate the risk of cybersecurity breaches, the responses to the above questions might be regarded as largely of academic interest, but that is clearly not the case. If cyber attacks can occur at the most protected levels of the federal government, they can surely occur at the ABC Widget Company 401(k) plan level; and, once they occur, there may be liability, with three parties having some degree of fault--the plan participant, the plan fiduciary, and the plan service provider. 

Causation 

This presents a causation issue that is rarely litigated. ERISA Section 409(a) provides that if a fiduciary breaches his or her fiduciary duty, he or she is responsible for any loss resulting from the breach. But when does a loss result from a breach?

There is no clear guidance under ERISA. The First and Eleventh Circuits have held that proximate cause is the standard, although other cases hold that the securities law concept of loss causation (a proximate cause concept) does not apply in the ERISA context. The Third Circuit appears to require that the breach be both a cause in fact and a substantial contributing factor in bringing about the loss. Language from other Circuits, while suggestive of proximate cause, is imprecise. Decisions from the Second, Fifth, Seventh, and Tenth Circuits indicate that some causal connection is necessary, but do not elaborate on how strong the connection must be. In State Street Bank and Trust Co. Fixed Income Funds Investment Litigation, the Southern District of New York suggested that a “substantial nexus requirement” wast the appropriate standard. However, no case specifically holds that “but for” causation, a much lower hurdle than proximate cause, would suffice.

Regardless of whether the plaintiff or the plan fiduciary bears the burden of proof on this issue, the absence of a “but for” causation standard may be relevant where some negligent action of a plan participant was a contributing factor to the loss. That is, even if a plaintiff can establish that had either the plan fiduciary or the service provider taken some action, those two defendants will argue that it was plaintiff’s negligence that was the proximate cause of the loss, so that even if one of the other parties may have breached their fiduciary duty, no loss resulted from that breach. The DOL is understandably reluctant to have a plan participant bear the burden of a preventable loss, and a court may be sympathetic as well, but this example illustrates the type of cybersecurity issue not addressed by the DOL.

Who Should Bear The Loss

Aside from the question of causation, there is an issue as to which party should bear the costs of a cybersecurity breach. This can be particularly troublesome if the plan fiduciary has taken all measures that it reasonably could to prevent the loss and the service provider’s cybersecurity measures are state-of-the-art, and the participant’s negligence was the sole cause of the cybersecurity breach. In a litigation context, a plan participant would not concede that the fiduciary or service provider had taken every measure that could have been taken or that, while they may have taken every step that a reasonable fiduciary or service provider would have taken, the measures were not properly or adequately implemented. 

Assume that the participant’s negligence was the sole cause of the fiduciary breach. This is not solely a legal question but one of economic efficiency, best addressed in terms of the least-cost avoider, and more broadly on policy grounds such as whether a participant’s negligence with respect to a cybersecurity breach should have such draconian consequences, since there are fewer measures that a participant can take to protect himself or herself from such loss.

For purposes of this alert, however, the focus will be on the legal implications. Practitioners are familiar with three-party relationships under ERISA, but the paradigm situations in those relationships-settlor, trustee, and beneficiary- are different. Thus, scholars have explained that in the private trust situation , a settlor’s welfare is maximized if the beneficiaries capture all of the benefits flowing from the trust. For that reason, the duty of loyalty requires the trustee to act in the exclusive interest of beneficiaries. And, because neither the settlor nor the beneficiaries might be able or suitable to monitor the actions of the trustee, here the law imposes strict fiduciary duties restricting the ability of a trustee to engage in conduct that might impair the interests of the beneficiaries and thus frustrate the intention of the settlor.

There may be limited instances in which a plan beneficiary can be responsible for a loss to a plan, but those instances would likely involve fraudulent conduct rather than negligent activity.

Agency issues frequently arise under ERISA and employment law, particularly in the context of collective bargaining agreements. Those arrangements involve three parties--principal, agent, and third party. There are limited circumstances in which a loss will be allocated to a third party, but they involve the allocation of loss, resulting from the negligence or misunderstanding of an agent between a principal and an agent, rather than potentially among three parties.

It is hornbook law under ERISA that whether a fiduciary has acted in a prudent fashion is a matter of process, not substantive outcome. Thus, plan fiduciaries are not responsible for investment losses if the decisions to select and monitor the investment were prudent. Title I of ERISA is not a strict liability statute, and it would be difficult to reconcile that substantial body of case law with allocation to an ERISA fiduciary of the loss solely attributable to a plan participant’s negligence. The same analysis could apply to a plan service provider, if, despite its generally ministerial duties, its conduct with respect to the withdrawal of funds from a participant’s account was fiduciary in nature. To the extent a state law claim against a service provider was not preempted as an impermissible alternative remedy, the common law of torts would generally not impose strict liability in this context. The practical solution to this dilemma may be the purchase of insurance to cover this type of loss, although cybersecurity insurance is relatively expensive and may have a high deductible.

Conclusion

These are not the only issues that the DOL cybersecurity guidance does not address, with the issue of the plan asset status of participant data being perhaps the most important. But absent further DOL guidance, these and similar questions will be for the courts to decide.