Further Thoughts on the DOL’s Informal Guidance on Cybersecurity

by Jon Schultze, Susan Rees and Barry Salkin

As described in our May 3, 2021 Alert, the Department of Labor’s (“DOL’s”) informal guidance left many unanswered questions on cyber breaches involving the theft of assets in a participant’s account, as well as the simple misappropriation of confidential participant information. Of interest is that the DOL has been especially careful to warn plan fiduciaries about prudent selection and ongoing monitoring of any service provider who will have access to participant information and assets, noting that plans often rely on such service providers to create the electronic systems used to maintain participant data and to conduct electronic transactions involving plan assets.

From a plan sponsor’s perspective, one difficulty with achieving full compliance with the DOL guidance is that many of the required actions are controlled by their service providers, which are often operating under outdated contracts. For example, one of the requested items on a DOL audit is “all” documents and communications from service providers relating to their cybersecurity capabilities and procedures. Although it may seem new and difficult to obtain this information and to include it in their contract negotiations, plan sponsors may be aided by the DOL’s making it clear that service providers are not immune from DOL scrutiny, and that the DOL will step in if it appears that a service provider may be responsible for a cyber breach involving an ERISA plan.

Moreover, just supplying the information, or even following the best practices guidance, does not answer the bigger question of the allocation of responsibility between a plan sponsor and a service provider. We may have some hints that the DOL considers that a recordkeeper or other service provider that creates and operates the electronic systems may be largely responsible when the system fails to prevent the misappropriation of plan data or assets. In one plan audit, the DOL asks a plan administrator whether their recordkeeper carries cybersecurity insurance, and in its Tips for Hiring a Service Provider the DOL was even more pointed in its advice to plan sponsors: “Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches (including breaches caused by internal threats, such as misconduct by the service provider’s own employees or contractors, and breaches caused by external threats, such as a third party hijacking a plan participants’ account)”, and also suggests, “When you contract with a service provider ... beware contract provisions that limit the service provider’s responsibility for IT security breaches.”

This seems like wishful thinking. Even if a service provider fully implements all of the DOL’s best practices, it is likely the service provider will also include language in its agreement to cap its liability in some fashion, either by a low dollar cap on liability for a cybersecurity breach or a provision indicating that it has no responsibility for a cybersecurity loss if the loss was the plan sponsor’s fault or the participant’s fault. While these caps on liability may not apply in the event of a finding of gross negligence, willful misconduct or intentional wrongdoing, as a practical matter, plan sponsors should take cold comfort from exceptions to exclusionary language of that nature.

Further, the concern of service providers in this regard is understandable: there can be no assurance that even a state-of-the-art cybersecurity system will not be overcome by an expert hacker, and courts have not discouraged claims of liability against service providers as well as plans even where responsibility may be difficult if not impossible to prove. Nonetheless, it would be appropriate for the relevant plan fiduciary to benchmark contractual provisions limiting liability, either in general or for cybersecurity breaches in particular, so that its acceptance of contract language limiting a service provider’s liability is done on a fully informed basis.

If you have any questions about your service provider contracts, The Wagner Law Group can help. Lately we have been reviewing and revising many service provider contracts to better align their terms with best practices and current guidance from the DOL.

*          *          *          *          *

This is part of our ongoing series of alerts on cybersecurity. Follow us for updates on the case law and DOL guidance. Our attorneys are available to assist you in addressing cybersecurity-related questions. Please contact Jon Schultze, Susan Rees, Barry Salkin or Dan Brandenburg.

Part I of our series of alerts on the DOL's Cybersecurity guidance may be found by clicking here.