Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
Is the cybersecurity of employee benefit plans the employer’s problem?
Unfortunately, U.S. employee benefit plans are prime targets for criminals all over the world. Hackers break into employee benefit accounts and take sensitive data, such as Social Security numbers, and even steal retirement account funds. In some cases, plan participants have lost their life savings.
As an employer, you might think: that’s terrible, but how is cybersecurity for benefit plans my problem? The bank that manages our retirement plans is subject to robust financial regulations on cybersecurity – not the employer. The health insurance company that manages our employee health plans is regulated under HIPAA, which has its own cybersecurity requirements. In short, cybersecurity is the problem of our plans’ service providers.
Yes, but it’s also the employer’s problem.
The Department of Labor now takes the position that employers have a fiduciary duty to ensure adequate cybersecurity, including for plan data and assets held by service providers. The DOL has issued detailed guidance on:
- How to vet service providers on cybersecurity
- Cybersecurity provisions to include in service agreements
In addition, most employers have sensitive personal data about plan participants themselves. The DOL’s guidance also includes recommendations on cybersecurity measures to protect that information.
If your employee benefit plans are audited, the DOL is very likely to ask about your compliance with this guidance. In the more than 1,000 ERISA audits that the DOL conducts annually, cybersecurity questions have become routine.
Finally, when plan participants’ sensitive data is breached or their funds stolen, they increasingly sue the employer for breaching its fiduciary duty to protect them. This can result in expensive class action lawsuits against employers.
So, what can you do to protect your employees and reduce the risks of lawsuits and penalties?
Ensure adequate cybersecurity by carefully vetting plan service providers, requiring cybersecurity provisions in service agreements, and safeguarding any plan data held by the employer.
For resources on how to do this, please check out Littler’s web page on cybersecurity for ERISA plans. We have prepared a detailed toolkit incorporating DOL guidance and industry standards to protect your employees and your company.