Employee benefit plan data stored online may include participants’ names and Social Security numbers, account information and protected health information (PHI), all of which are inviting targets for hackers. Highly-publicized data breaches in recent years have called attention to the obligations of benefit plan administrators (typically the employers sponsoring the plans) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to safeguard PHI.
These data breaches are also causing benefit plan administrators and other fiduciaries under the Employee Retirement Income Security Act of 1974 (ERISA) to consider whether their ERISA responsibilities include securing online plan data from cyberattacks, especially as to 401(k) and other benefit plans that are not subject to HIPAA. Although definitive guidance has not been provided, fiduciaries would be well-advised to proceed on the assumption that cybersecurity is an ERISA issue.
The Cybersecurity ERISA Regulatory Gap
When ERISA was enacted, the predecessor to today’s Internet was in its formative years. Although online storage of benefit plan data has been the norm for some time, Congress has not amended ERISA to address cybersecurity. Moreover, the Department of Labor (DOL), which is charged with enforcing ERISA, has not formally addressed cybersecurity in the ERISA context.
In 2011, the ERISA Advisory Council, established to advise the Secretary of Labor, recommended that the DOL issue guidance on the obligation of plan fiduciaries to secure and keep private the personal identifiable information of plan participants and beneficiaries. In a recent release, the current council indicated that its goal is to offer the DOL draft materials that will help plan sponsors understand, evaluate and protect benefit plan data and assets from cybersecurity risks.
Responsibilities of ERISA Fiduciaries
Under Section 404(a) of ERISA, a benefit plan’s fiduciaries must discharge their duties as to the plan solely in the interest of its participants and beneficiaries and for the exclusive purpose of providing benefits to participants and their beneficiaries and for defraying reasonable plan administrative expenses. These duties must be carried out:
with the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims[.]
As the court stated in Donovan v. Bierwirth, 680 F.2d 263, 272, n. 8 (2d Cir. 1982), “[t]he fiduciary obligations of the trustees to the participants and beneficiaries of the plan are those of trustees of an express trust – the highest known to the law.”
How far does a fiduciary’s Section 404(a) responsibility extend? In the investment sphere, the poor performance of a plan asset is not necessarily a breach of fiduciary responsibility. In DeBruyne v. Equitable Life Assur. Soc. of U.S., 920 F.2d 457 (7th Cir. 1990), plaintiffs were participants in a retirement plan whose investment options included a “Balanced Fund.” Following “Black Monday,” October 19, 1987, when the stock market suffered a cataclysmic decline, the Balanced Fund’s portfolio substantially decreased in value. The following year, plaintiffs sued the plan’s investment manager, charging the manager in one count of the complaint with violating Section 404(a). In affirming the district court’s judgment for the manager, the court of appeals stated in part as follows:
As the district court correctly noted, the ultimate outcome of an investment is not proof of imprudence. * * * We cannot say that [the investment manager] was imprudent merely because the Balanced Fund lost money; such a pronouncement would convert the Balanced Fund into an account with a guaranteed return and would immunize plaintiffs from assuming any of the risk of loss associated with their investment. “The fiduciary duty of care,” as the district court so cogently stated it, “requires prudence, not prescience.” * * * [Citations omitted; emphasis added.]
Id. at 465.
Similarly, if a plan fiduciary’s duties under Section 404(a) include securing plan data against cyberattacks, a data breach may not necessarily be a breach of fiduciary responsibility. If the fiduciary could demonstrate that it had taken appropriate steps to secure such data, this might be an adequate defense, given that there is no absolute shield against such an attack. The question, of course, is what steps would be “appropriate.” Even if the DOL does provide guidance, we would not expect to see a list of specific cybersecurity safeguards that, if implemented by a plan fiduciary, would enable it to avoid ERISA liability in the event of a data breach.
Consequences of Linking Cybersecurity to ERISA Fiduciary Responsibility
Linking cybersecurity to ERISA fiduciary responsibility has significant consequences:
- ERISA Section 409 (i) imposes personal liability on a plan fiduciary to make good any losses to the plan resulting from each breach of the responsibilities imposed on it by ERISA and (ii) makes the fiduciary subject to such other equitable or remedial relief as the court may deem appropriate, including removal of the fiduciary.
- ERISA Section 502(a)(2) affords a cause of action to the DOL, or a plan participant, beneficiary or fiduciary, for appropriate relief under Section 409.
Judicial Consideration of Unauthorized Data Disclosure as an ERISA Fiduciary Breach
Some courts have considered whether unauthorized disclosure of benefit plan information is a breach of ERISA fiduciary responsibility. For example, in Rose v. HealthComp, Inc., No. 1:15-cv-00619-SAB, 2015 U.S. Dist. LEXIS 104706 (E.D. Cal. 2015), defendant provided third-party administrative services under a self-insured group health plan that covered plaintiff, who was determined by her doctors to need a liver transplant. Defendant reported to the employer a year later that plaintiff’s need for such a transplant had increased and shortly thereafter plaintiff was fired. Plaintiff thereafter brought suit in a California court against defendant for invasion of privacy and unfair business practices in violation of California law, alleging that she was not told that her medical information would be shared with her employer.
The defendant in Rose removed the case to a federal district court on the ground that plaintiff’s state-law claims were preempted by ERISA. Plaintiff moved to remand to the California court on the basis that there was no preemption, and defendant countered that plaintiff’s allegations were related to the plan, as she had asserted that the medical information was disclosed in the performance of its third-party administrator duties under the plan. In the course of its analysis as to whether the state-law cause of action was completely preempted by Section 502(a), the district court stated as follows:
Plaintiff alleges that Defendant received private health information while performing case management duties under the health plan and improperly disclosed them to her employer. In effect, Plaintiff is alleging that by providing personal medical information to her employer Defendant did not act solely in the interest of the employees and their beneficiaries. By providing this information, Defendant acted in the competing interest of the employer, to provide the employer with notice that the employee would likely be incurring high medical costs so the employee could be terminated. * * * Plaintiff’s privacy and unfair business practice cause of action could be brought as a breach of fiduciary duty claim under § 502. [Emphasis added.]
Id. at *17-18. Although Rose involved intentional misconduct by a fiduciary, the court’s reasoning could likewise apply in assessing whether a fiduciary violated Section 404(a) if its neglect of cybersecurity precautions opened the door to a data breach.
Selection of Plan Service Providers
An administrator of a 401(k) plan may have appointed a third party, such as a recordkeeper, that will maintain participant data in the cloud. This enables participants to access their accounts to change investment elections, increase or decrease contributions and perform other transactions without involving the employer.
A plan fiduciary must be mindful of its obligations under Section 404(a) in selecting such a service provider. In an information letter issued to Theodore Konshak on Dec. 1, 1997, available at https://www.dol.gov/ebsa/regs/ILs/il120197.html, the DOL stated in part as follows:
In selecting a service provider * * *, the responsible plan fiduciary must engage in an objective process designed to elicit information necessary to assess the qualifications of the service provider, the quality of the work product, and the reasonableness of the fees charged in light of the services provided. In addition, such process should be designed to avoid self-dealing, conflicts of interest or other improper influence. What constitutes an appropriate method of selecting a service provider, however, will depend upon the particular facts and circumstances. Soliciting bids among service providers at the outset is a means by which the fiduciary can obtain the necessary information relevant to the decision-making process. Whether such a process is appropriate in subsequent years may depend, among other things, upon the fiduciary’s knowledge of a service provider’s work product, the cost and quality of services previously provided by the service provider, the fiduciary’s knowledge of prevailing rates for the services, as well as the cost to the plan of conducting a particular selection process. Regardless of the method used, however, the fiduciary must be able to demonstrate compliance with ERISA’s fiduciary standards.
If the DOL were updating the information letter today, the enumerated selection factors might well include an assessment of the proposed service provider’s cybersecurity measures for any participant data to be maintained online.
Given the severe consequences of a data breach, no plan fiduciary should wait until the DOL issues ERISA guidance before addressing cybersecurity issues. Instead, fiduciaries should assume that the security of participant data stored online is their responsibility under ERISA and act accordingly.
In future posts, we will consider such issues as the interaction of ERISA and other federal laws as they relate to data privacy and security, whether ERISA preempts state privacy laws and what criteria, including independent audits, should be used to assessing service providers’ cybersecurity arrangements.