The Employee Retirement Income Security Act of 1974, as amended (ERISA), protects plan participant benefits and account balances by imposing high standards of care on the plan’s fiduciaries. Fiduciaries who do not meet these standards—most notably, the protection of participant personal and plan information—may be personally liable to restore losses to the plan. Cybersecurity, however, has only recently become a focus for most ERISA fiduciaries. Given the increasing frequency and sophistication of cyber-related threats to employee benefit plans, their trustees and third-party plan administrators, and the potential financial repercussions, compliance with ERISA fiduciary standards will require implementation of a prudent cyber risk management strategy.
This advisory is the third in a series of advisories dedicated to understanding cybersecurity issues in the context of ERISA benefit programs.[1]
ERISA Fiduciary Duties
ERISA sets forth the duties and standards of conduct for those individuals and entities that exercise discretion or control over the management and administration of employee benefit plans and their assets, that is, fiduciaries. Fiduciaries typically encompass an employee benefit plan’s trustees, administrators, investment managers and investment committee members. These standards of conduct require fiduciaries to (1) act solely in the interest of plan participants and their beneficiaries and with the exclusive purpose of providing benefits to them, (2) carry out their duties prudently, (3) follow the plan documents, unless inconsistent with ERISA, (4) diversify plan investments and (5) pay only reasonable plan expenses. As discussed in further detail below, the duty to act prudently is one of a fiduciary’s central responsibilities.
As ERISA imposes stringent penalties—most notably, personal liability—on fiduciaries who breach their duties, it is critical that fiduciaries clearly understand, and comply with, their duties under ERISA. However, in the context of cybersecurity, the lack of clarity surrounding such ERISA fiduciary duties can cause fiduciaries to breach their duties inadvertently.
Following is a discussion of ERISA fiduciary duties relating to cybersecurity for health and retirement plans, as well as best practices that ERISA fiduciaries should follow to maximize their compliance with those duties and to limit their exposure to potential liability.
Health and Retirement Plans
ERISA group health plans with more than fifty participants, or that are administered by a third party, are subject to the regulations of the Department of Health & Human Services (HHS) concerning the privacy and security of protected health information (PHI) promulgated under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health or “HITECH” Act (together, HIPAA). As HIPAA-covered entities, these group health plans are required by the HIPAA Security Rule to ensure the confidentiality, integrity, and availability of PHI maintained in electronic form; to protect against any reasonably anticipated threats or hazards to the security or integrity of that electronic PHI, and against uses or disclosures of that information that are not permitted under the HIPAA rules; and to ensure compliance by their workforces. To comply with the HIPAA Security Rule, a covered entity, and each of its business associates, must perform a thorough and complete assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic PHI and implement administrative, physical, and technical safeguards that reasonably and appropriately address the results of that risk analysis.
However, according to a recent fact sheet on ransomware and HIPAA published by HHS, entities are encouraged to implement additional and more stringent measures beyond what they determine to be required by the HIPAA Security Rule standards. For example, although no HIPAA Security Rule standard specifically requires entities to update the firmware[2] of network devices, entities—as part of their risk analysis and risk management process—should identify and address the risks to electronic PHI of using network devices running obsolete firmware, especially when firmware updates are available to remediate known security vulnerabilities.
While the HIPAA rules thus contain specific requirements for addressing cybersecurity for group health plans, no equivalent law or set of regulations governs cybersecurity for retirement plans. In addition, the Department of Labor has yet to issue formal guidance.
At the heart of the matter is the question of whether the responsibility to address cybersecurity issues is a fiduciary function. As discussed in our first client advisory, given the perennial nature of cyberattacks, it may be difficult to argue that a prudent fiduciary would not consider and react to cyber risks. For this reason, retirement plan administrators and other fiduciaries should be cautioned against viewing the protection of plan assets and participant information solely as the responsibility of external plan trustees and third-party administrators. The agreements governing the provision of trustee and plan administrative services typically do not protect the plan fiduciaries even where the cybersecurity breach occurs on the service provider’s systems. In addition, as discussed below, ERISA fiduciaries cannot assume that their state privacy law duties will be preempted by ERISA.