It feels like every day we learn of a new data breach. We’ve seen large corporations, credit monitoring services and even cities fall victim to cyberattack. No organization or industry, including the benefit plan industry, is immune to the risk. In light of the recurring data breach headlines, plans sponsors must take note of the potential disaster of a data breach. With employees’ identities and financial futures, not to mention an employer’s reputation, at stake, cybersecurity is too important to be ignored.
Why Benefit Plans?
So why are benefit plans considered high risk for a data breach? Let’s consider the New York State Data Breach Notification Law found in Section 899-aa of the General Business Law. Under this law, protected information consists of any information concerning a “person, which because of name, number, personal mark or other identifier, can be used to identify such natural person” in conjunction with: (i) a Social Security number; (ii) driver’s license or other identification number; or (iii) account, credit or debit card number in combination with any required security code, access code or password that would permit access.”
Now let’s think about the information a plan collects about its participants. Name? Obviously. Address? Yes. Social Security number? Yes. Driver’s license or other identification number? Most likely. Financial information? Of course. Benefit plans are attractive for hackers because they centrally store every piece of protected information that a bad actor could potentially need to do serious damage to an individual’s identity. Hacking a benefit plan is not only effective, but efficient.
Plus, benefit plans have targets for hackers beyond just personally identifiable information. In one reported breach, a plan lost $2.6 million in assets when hackers used personally identifiable information to set up fake participant internet profiles to take out fraudulent loans. The hackers walked away $2.6 million richer, and the plan administrator was left to restore the plan.
Sources of Risk
When thinking about cybersecurity risks, it’s easiest to think of the bad actor sitting in a dark basement, hacking through the use of malware or spoofing or phishing emails. And yes, it’s true that what these bad actors do is primarily out of a plan sponsor’s control. But there is more to cybersecurity risk than just this.
Employees handling protected information can be a plan’s first line of defense, but can also be the plan’s greatest vulnerability. After all, there has to be someone on the receiving end of a spoofing or phishing email. Imagine the employee who receives an email purporting to be from the company’s benefits manager. The email asks for each plan participant’s Social Security numbers, date of birth, address and account balance. The employee thinks this email is a little odd, but sends the information to the manager as requested. With one click of the “send” button, plan participants’ identities and plan assets have been put at risk.
Arguably, cybersecurity training for employees, focusing on both prevention and response, can be one of the most effective parts of a cybersecurity plan.
Is Protecting Plan Information against Hackers a Fiduciary Duty?
Short answer? Not quite. But should cybersecurity be treated as a fiduciary duty?
There is no current federal regulatory scheme governing cybersecurity for retirement plans and service providers. Rather, at least at the federal level, cybersecurity laws and regulations are largely industry-specific, and there is nothing speaking directly to benefit plans. But there is some guidance that directs plan sponsors, administrators and third-party service vendors to treat cybersecurity with the same care as other fiduciary duties.
Section 404 of ERISA requires a plan’s fiduciaries to act with “the care, skill, prudence and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use.” In doing so, plan fiduciaries must act for the exclusive purpose of providing benefits to participants and their beneficiaries. The growing trend suggests that fiduciaries must protect participant data as part of their duty of loyalty and prudence.
The Department of Labor (DOL) issued some guidance indicating the importance of cybersecurity as it relates to benefit plans. In 29 C.F.R. §2520.104b-1(c), the DOL provides that plan sponsors that distribute plan information electronically are required to ensure the electronic system used for furnishing the information “[r]esults in actual receipt of transmitted information” and “[p]rotects the confidentiality of personal information relating to the individual’s accounts and benefits. A failure to comply with this regulation can be the basis of a claim for failure to provide the required disclosure, ultimately subjecting the fiduciary to civil penalties.
Further, the DOL’s Technical Release No. 2011-03, which deals with a secure, continuously available website used to communicate information about participant-directed investment alternatives under a retirement plan, explicitly includes, as a condition for utilizing the electronic media, that the plan administrator take “appropriate and necessary measures reasonably calculated to ensure that the electronic delivery system protects the confidentiality of personal information.”
The DOL is not the only entity contemplating cybersecurity. The ERISA Advisory Council (the “Advisory Council”) has been confronting the issue of cybersecurity in the context of benefit plans since at least 2011. In 2016, the Advisory Council held hearings to hear testimony from various experts and other interested parties on the issue. In January 2017, the Advisory Council published “Cybersecurity Considerations for Benefit Plans.” The report provides information to plan sponsors, fiduciaries and plan service providers on approaches for managing cybersecurity risks and recommends that plan sponsors and fiduciaries consider cybersecurity in safeguarding plan benefit data and assets when making decisions to select or retain a service provider. However, the report stops short of directly addressing whether cybersecurity monitoring is a fiduciary duty.
What Plans Can Do to Protect Personal Data
If a plan has not already, now is certainly the time to develop a data protection plan. Plans can establish strategies for data protection by considering the following:
- What data is collected?
- Why is it collected?
- Where is the data stored?
- How is data accessed? Who is allowed to access it?
- How long is the data retained? How is it destroyed or permanently protected?
By identifying these key elements of data collection, plans can better understand what protections need to be in place. For example, simply limiting what employees have access tois a way to reduce the risk of unauthorized access greatly. Likewise, having established timeframes for retention and protocols decreases the amount of data a plan must protect.
Once the data is understood, the next step is to develop the policies to govern and regulate the collection and storage of the data. Often, a plan can leverage the employer’s procedures and policies to make them functional with the needs of the plan. But the policies cannot just remain in an employee handbook or worse, hidden on a shelf. In order to be effective, these policies must be communicated to employees, and regular training sessions must be held.
Consider the employee above, who received the spoofing email asking for all participants’ W-2s. What if he knew what to look for in a spoofing email before the attempted breach? Here, proper training could save the plan—and the plan sponsor—millions of dollars.
Additionally, for the plan’s computerized systems, plans should consistently run penetration testing to determine vulnerabilities in any software or platforms as well as testing of backups and recovery plans. Testing is the only way to confirm that the plan’s systems are working and, if needed, the results of these tests can strengthen and enhance any written policies.
Inevitably—and despite even the best of trainings and testing—a breach will occur. This is why, in its repertoire of policies, a plan should have a data breach response plan. A well-understood response plan can seriously mitigate the effects of a breach. The plan should delegate responsibilities to a cross-functional team of decision-makers, including representatives from IT, HR and legal. The team should be able to work together to identify ongoing risk, mitigate or stop this risk, communicate to plan participants and beneficiaries and comply with all laws. However, as with all written policies, this will only work if practiced before a breach.
Plans are uniquely positioned in that they are also responsible for the security practices of their third-party service providers. To start, plans should review their service provider agreements and consider the extent to which the agreement should address compliance with applicable laws or relevant industry standards. The agreement may also allocate responsibilities and liabilities in the event of a breach.
Plans should evaluate their service providers by reviewing data security policies, including those relating to encryption and transmission protocols, as well as monitoring and testing compliance.
The threat of cybersecurity is not going to dissipate any time soon. As technology expands, so does the need for greater attention to personal information, especially where large amounts of personal data are stored in the same location. The risks of cyberattack on benefit plans cannot be ignored; for both employers and employees, there is simply too much at stake.