It seems as though we hear about new cybersecurity issues every day — from traditional hacking incidents to the increasingly sophisticated phishing, malicious apps and websites, social engineering, and ransomware attacks. Employee-benefit plan sponsors likely have a fiduciary duty to ensure participant information and plan assets are protected from the growing number of cyber threats […]
It seems as though we hear about new cybersecurity issues every day — from traditional hacking incidents to the increasingly sophisticated phishing, malicious apps and websites, social engineering, and ransomware attacks. Employee-benefit plan sponsors likely have a fiduciary duty to ensure participant information and plan assets are protected from the growing number of cyber threats (to the extent possible, given the ever-changing cybersecurity landscape), and, perhaps more importantly, that there is a plan in place to respond to a data breach and mitigate any associated damages.
For many years now, health-plan sponsors have been subject to a variety of privacy and security rules under the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). Health-plan sponsors are (among other things) required to enter into contracts with third-party administrators (TPAs) and other service providers called “business associate agreements” that spell out the parties’ obligations under HIPAA in connection with the plan’s HIPAA-protected information (PHI.)
Notwithstanding HIPAA’s broad scope, it is important to note that HIPAA only establishes the floor (i.e., the bare minimum requirements) regarding privacy and security of PHI. Health-plan sponsors also should consider including references to state data-breach notification laws and cyber-liability insurance in business-associate agreements (or related services agreements) in addition to the HIPAA minimums.
Although HIPAA does not extend to retirement plans, and retirement-plan sponsors are not required to enter into specific agreements with TPAs governing the privacy and security of participants’ personally identifiable information (PII), ERISA’s fiduciary duties nonetheless likely apply. Although the Department of Labor has yet to weigh in on fiduciary duties raised by cybersecurity issues, retirement-plan sponsors should consider including both “HIPAA-like” and expanded cybersecurity provisions in contracts with TPAs that govern the privacy and security of participants’ PII and plan assets.
Examples include, but are not limited to, provisions that: (1) address the TPA’s data-security policies and procedures; (2) restrict the use of and access to PII; (3) explain the TPA’s obligations in the event of a data breach or security incident (i.e., investigation, notification of the plan sponsor and participants, mitigation, remediation, etc.); (4) specify liability for cybersecurity incidents, including the requirement to maintain adequate cyber-liability insurance; and (5) provide for the ability to terminate the applicable services agreement, without additional or early termination fees, in the event of a data breach or other security incident, at the discretion of the plan sponsor.
Finally, in recognition of the fact that participant information also needs to be protected while in the hands of the plan sponsors (including from their employees as well as external cyber threats), plan sponsors should include any plan-related HIPAA-protected information or participants’ personally identifiable information in their organizational cybersecurity efforts.
Lisa Christensen is senior counsel at Syracuse–based Bond Schoeneck & King, PLLC. Her practice includes handling legal matters in health and welfare benefit-plan administration, retirement and executive compensation, and the employee-benefit plan implications of mergers and acquisitions. This viewpoint article is drawn from the firm’s New York Labor & Employment Law Report blog. Contact Christensen at lchristensen@bsk.com or call (315) 218-8279.
