PLANADVISER - November/December 2017 - 63

fiduciary fitness
Cybersecurity and Benefit Plans
It is undetermined whether participants' private data is protected
In 2010, in its annual technical session with the Joint
Committee on Employee Benefits (JCEB), the Department of
Labor (DOL) was asked the following: " In an era of enhanced
privacy protections, some participants have complained
that personally identifiable information [PII] releases have
occurred under state privacy laws. ... Does the DOL agree
that state privacy laws regarding PII releases are not applicable
to plan administration communications from authorized
third-party service providers? "
The DOL's response was that it had insufficient information
to answer the question. It indicated that " without
specific statutory language and a description of how the
statute relates to [a specific] ERISA [Employee Retirement
Income Security Act]-covered employee benefit plan, staff
was unable to determine whether a particular state privacy
statute is pre-empted by ERISA. " Seven years later, ERISA preemption
of state data privacy laws is still an unresolved issue.
Further, assuming that a state data protection statute
is pre-empted, it is unclear what types of action a plan
participant could maintain-i.e., keep going to conclusion.
For example, some recent district court cases have held
that data security is not a benefit as that term is used under
ERISA. As a result, a participant cannot bring an action
under ERISA Section 50(a)(1)(B) to recover benefits due him
under the terms of the plan or to clarify his rights to future
benefits under the terms of the plan, but in In Re: Premera
Blue Cross Customer Data Security Breach Litigation, an Oregon
district court indicated that a plaintiff could maintain an
action to enforce his rights if he could establish that his
health benefit contract covered data security promises,
what the contours of those promises were and whether
those contractual provisions were breached. Note, however,
that here, too, there is contrary authority.
Another unresolved issue is whether private participant
data is a plan asset under ERISA's fiduciary duty provisions.
While ERISA does not provide a general definition of " plan
asset, " courts have followed the position of the DOL that
notions of ordinary property rights address that question,
but that analysis is of limited help with respect to private
participant plan data.
Notwithstanding this uncertain legal background,
cybersecurity is an issue that sponsors of retirement plans
should address. One starting point would be to piggyback
upon the arrangements entered into by health plans. Health
plan sponsors enter into business associate agreements
with third-party administrators (TPAs) and other service
providers to protect participants' private information and
allocate responsibility for notifications and mitigation in the
event of a breach.
In the same vein, it would be appropriate to see how the
plan sponsor is dealing with cybersecurity issues outside of
the benefits plan context. More corporate boards are now
paying attention to cybersecurity issues as part of their oversight
function, and a company's chief technology officer may
be reporting to the board or to the audit and risk committee
on a regular basis. Data security policies or a cybersecurity
program may already be in place. Another area to examine is
cyber insurance; this differs from plan fiduciaries' traditional
third-party insurance, which is triggered by litigation. Cyber
insurance can be first-party insurance.
In its 2016 report " Cybersecurity Considerations for
Benefit Plans, " the ERISA Advisory Council includes a
detailed cybersecurity risk management strategy-also
the starting point under the security policies of the Health
Insurance Portability and Accountability Act (HIPAA). The
plan sponsor must understand what data it has, where
this is stored, who is accessing it, and how, and whether
the access is properly controlled. For example, a best practice
may be to ensure that account access is limited to key
personnel.
After information concerning the data is obtained, the
relevant fiduciary, possibly with the aid of a consulting
expert, can assess any threats to the data. If the plan is a
large one with sufficient resources, it may request a third
party to perform a penetration analysis to determine the
system's vulnerabilities. This is more than a technology
exercise, because a frequent source of breach is negligence
or carelessness by an employee. Once the risks are identified,
measures should be taken to reduce them. Because
even the most sophisticated of risk management analyses
will not provide 100% assurance against a breach, a policy
for addressing breaches should be established.
Additionally, contracts with vendors having access to
participant data should be reviewed. These contracts should
have appropriate representations and warranties with
respect to data protection, including the service provider's
cyber insurance, and an agreement by the service provider
to regularly have its controls reviewed by outside parties.
Marcia Wagner is an expert in a variety of employee benefits and
executive compensation areas, including qualified and nonqualified
retirement plans, and welfare benefit arrangements. She is a summa
cum laude graduate of Cornell University and Harvard Law School and
has practiced law for 30 years. Wagner is a frequent lecturer and has
authored numerous books and articles.
planadviser.com november-december 2017 | 63

http://www.planadviser.com

PLANADVISER - November/December 2017

Table of Contents for the Digital Edition of PLANADVISER - November/December 2017

The Next Step
2017 PLANADVISER National Conference
2017 Practice Benchmarking Survey
Aggressive Plan Design
Professional Groups
The Value of Fixed Income
PLANADVISER - November/December 2017 - C1
PLANADVISER - November/December 2017 - FC1
PLANADVISER - November/December 2017 - FC2
PLANADVISER - November/December 2017 - C2
PLANADVISER - November/December 2017 - 1
PLANADVISER - November/December 2017 - 2
PLANADVISER - November/December 2017 - 3
PLANADVISER - November/December 2017 - 4
PLANADVISER - November/December 2017 - 5
PLANADVISER - November/December 2017 - 6
PLANADVISER - November/December 2017 - 7
PLANADVISER - November/December 2017 - 8
PLANADVISER - November/December 2017 - 9
PLANADVISER - November/December 2017 - 10
PLANADVISER - November/December 2017 - 11
PLANADVISER - November/December 2017 - 12
PLANADVISER - November/December 2017 - 13
PLANADVISER - November/December 2017 - 14
PLANADVISER - November/December 2017 - 15
PLANADVISER - November/December 2017 - 16
PLANADVISER - November/December 2017 - 17
PLANADVISER - November/December 2017 - 18
PLANADVISER - November/December 2017 - 19
PLANADVISER - November/December 2017 - 20
PLANADVISER - November/December 2017 - 21
PLANADVISER - November/December 2017 - 22
PLANADVISER - November/December 2017 - 23
PLANADVISER - November/December 2017 - 24
PLANADVISER - November/December 2017 - 25
PLANADVISER - November/December 2017 - 26
PLANADVISER - November/December 2017 - 27
PLANADVISER - November/December 2017 - 28
PLANADVISER - November/December 2017 - 29
PLANADVISER - November/December 2017 - The Next Step
PLANADVISER - November/December 2017 - 31
PLANADVISER - November/December 2017 - 32
PLANADVISER - November/December 2017 - 33
PLANADVISER - November/December 2017 - 2017 PLANADVISER National Conference
PLANADVISER - November/December 2017 - 35
PLANADVISER - November/December 2017 - 36
PLANADVISER - November/December 2017 - 37
PLANADVISER - November/December 2017 - 38
PLANADVISER - November/December 2017 - 39
PLANADVISER - November/December 2017 - 40
PLANADVISER - November/December 2017 - 41
PLANADVISER - November/December 2017 - 42
PLANADVISER - November/December 2017 - 43
PLANADVISER - November/December 2017 - 44
PLANADVISER - November/December 2017 - 45
PLANADVISER - November/December 2017 - 2017 Practice Benchmarking Survey
PLANADVISER - November/December 2017 - 47
PLANADVISER - November/December 2017 - 48
PLANADVISER - November/December 2017 - 49
PLANADVISER - November/December 2017 - 50
PLANADVISER - November/December 2017 - 51
PLANADVISER - November/December 2017 - 52
PLANADVISER - November/December 2017 - 53
PLANADVISER - November/December 2017 - Aggressive Plan Design
PLANADVISER - November/December 2017 - 55
PLANADVISER - November/December 2017 - 56
PLANADVISER - November/December 2017 - Professional Groups
PLANADVISER - November/December 2017 - 58
PLANADVISER - November/December 2017 - 59
PLANADVISER - November/December 2017 - The Value of Fixed Income
PLANADVISER - November/December 2017 - 61
PLANADVISER - November/December 2017 - 62
PLANADVISER - November/December 2017 - 63
PLANADVISER - November/December 2017 - 64
PLANADVISER - November/December 2017 - C3
PLANADVISER - November/December 2017 - C4
https://www.planadviserdigital.com/planadviser/winter_2023
https://www.planadviserdigital.com/planadviser/fall_2023
https://www.planadviserdigital.com/planadviser/summer_2023
https://www.planadviserdigital.com/planadviser/industryleader_2023
https://www.planadviserdigital.com/planadviser/spring_2023
https://www.planadviserdigital.com/planadviser/november_december_2022
https://www.planadviserdigital.com/planadviser/september_october_2022
https://www.planadviserdigital.com/planadviser/july_august_2022
https://www.planadviserdigital.com/planadviser/may_june_2022
https://www.planadviserdigital.com/planadviser/industry_leader_awards_2022
https://www.planadviserdigital.com/planadviser/march_april_2022
https://www.planadviserdigital.com/planadviser/january_february_2022
https://www.planadviserdigital.com/planadviser/november_december_2021
https://www.planadviserdigital.com/planadviser/september_october_2021
https://www.planadviserdigital.com/planadviser/july_august_2021
https://www.planadviserdigital.com/planadviser/may_june_2021
https://www.planadviserdigital.com/planadviser/march_april_2021
https://www.planadviserdigital.com/planadviser/january_february_2021
https://www.planadviserdigital.com/planadviser/november_december_2020
https://www.planadviserdigital.com/planadviser/september_october_2020
https://www.planadviserdigital.com/planadviser/july_august_2020
https://www.planadviserdigital.com/planadviser/may_june_2020
https://www.planadviserdigital.com/planadviser/march_april_2020
https://www.planadviserdigital.com/planadviser/january_february_2020
https://www.planadviserdigital.com/planadviser/november_december_2019
https://www.planadviserdigital.com/planadviser/september_october_2019
https://www.planadviserdigital.com/planadviser/july_august_2019
https://www.planadviserdigital.com/planadviser/may_june_2019
https://www.planadviserdigital.com/planadviser/march_april_2019
https://www.planadviserdigital.com/planadviser/january_february_2019
https://www.planadviserdigital.com/planadviser/november_december_2018
https://www.planadviserdigital.com/planadviser/september_october_2018
https://www.planadviserdigital.com/planadviser/july_august_2018
https://www.planadviserdigital.com/planadviser/may_june_2018
https://www.planadviserdigital.com/planadviser/march_april_2018
https://www.planadviserdigital.com/planadviser/january_february_2018
https://www.planadviserdigital.com/planadviser/november_december_2017
https://www.planadviserdigital.com/planadviser/september_october_2017
https://www.planadviserdigital.com/planadviser/july_august_2017
https://www.nxtbookmedia.com