The U.S. Department of Labor (DOL) Employee Benefits Security Administration has posted new guidance on its website regarding cybersecurity and the use of participant data, and ERISA plan administrators need to pay attention.

The DOL news release states that the DOL seeks to protect $9.3 trillion in U.S. defined benefit plans and defined contribution plans. While the focus is on retirement plans, the guidance is written broadly enough to cover all ERISA plans.

The guidance provides that "ERISA-covered plans hold millions of dollars or more in assets and maintain personal data on participants, which can make them tempting targets for cyber-criminals." The guidance sets forth Cybersecurity Program Best Practices for recordkeepers and other service providers to follow. The 12 practices that are set forth are similar to the Health Insurance Portability and Accountability Act privacy and security requirements for healthcare plan protected health information:

  1. Have a formal, well-documented cybersecurity program.
  2. Conduct prudent annual risk assessments.
  3. Have a reliable annual third-party audit of security controls.
  4. Clearly define and assign information security roles and responsibilities.
  5. Have strong access control procedures.
  6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
  7. Conduct periodic cybersecurity awareness training.
  8. Implement and manage a secure system development life cycle program.
  9. Have an effective business resiliency program addressing business continuity, disaster recovery and incident response.
  10. Encrypt sensitive data, stored and in transit.
  11. Implement strong technical controls in accordance with best security practices.
  12. Appropriately respond to any past cybersecurity incidents.

The DOL guidance also includes recommendations for plan administrators in the form of Tips for Hiring a Service Provider with Strong Cybersecurity Practices. The guidance recommends that certain provisions regarding these practices be set forth in service provider contracts and provides that these practices are "for plan fiduciaries making prudent decisions on the service providers they should hire." The guidance outlines five areas of inquiry and provides that the plan administrator should "make sure that the contract requires ongoing compliance with cybersecurity and information standards – and beware contract provisions that limit the service provider's responsibility for IT security breaches." The guidance also indicates that the plan administrator should try to include five enumerated provisions in the contract.

One of these is "Clear Provisions on the Use and Sharing of Information and Confidentiality. The contract should spell out the service provider's obligation to keep private information private, prevent the use or disclosure of confidential information without written permission, and meet a standard of care to protect confidential information against unauthorized access, loss, disclosure, modification or misuse." This provision appears to focus on the use and sharing of participant data by the service provider rather than on cybersecurity and seems to run contrary to existing case law, including a decision from a few weeks ago, Harmon v. Shell Oil Co., 2021 WL 1232694 (S.D. Tex. Mar. 30, 2021).

In Harmon, the plaintiffs alleged that participant data constituted plan assets, which made Fidelity Investments (the plan recordkeeper) a fiduciary; that Fidelity Investments breached its fiduciary duties by sharing the participant data among its affiliates; and that plan administrator Shell Oil's transfer of participant information to Fidelity Investments combined with the affiliates' use of the data constituted prohibited transactions. The court considered the DOL's definition of "plan assets" in 29 C.F.R. § 2510.3-101(a)(2). The definition includes plan investments, and beyond that, "the assets of a plan generally are to be identified on the basis of ordinary notions of property rights under non-ERISA law." In dismissing all of the claims, the court found that no court "has ever held that releasing or allowing someone to use confidential information constitutes a breach of fiduciary duty under ERISA." The court cited Divane v. Northwestern University, 2018 WL 2388118 (N.D. Ill. May 25, 2018), aff'd, 953 F.3d 980 (7th Cir. 2020), and two other district court cases. At least one other case in which plaintiffs have made similar plan asset claims is pending.

The DOL guidance on cybersecurity and the best practices recommendations does not have the authority of federal agency regulations. The Administrative Procedure Act (APA) governs the process by which federal agencies develop and issue regulations. The APA sets forth requirements for publishing notices of proposed and final rulemaking in the Federal Register, and provides opportunities for the public to comment on notices of proposed rulemaking, with a delayed effective date. When an agency issues guidance in a different manner, such as by posting on a website, this is generally called "sub-regulatory guidance." This type of guidance can be challenging, especially if it is relied upon by the agency in investigations. For example, the use of participant data to market other products and services is built into many service providers' business models, and this guidance is not binding on service providers. Further guidance on why a contract should require written consent would be helpful, especially in light of recent litigation and in light of the increase in fees this could presumably cause. Likewise, the level of risk a service provider has assumed, including any limits on liability, is part of the service provider's business model and pricing.

To be clear, protection of plan assets and participant data from misuse by cybersecurity thieves is critical. The protection and safekeeping of plan assets is a key component of fiduciary responsibility under ERISA, and no one wants their plan participants to become victims of identity theft. At least two lawsuits have been filed by 401(k) plan participants alleging that their balances were stolen. Plan administrators need to take steps to protect participants and benefits, and to protect themselves. But while the largest employers may have the leverage to demand to review a service provider's insurance policies or to negotiate changes to a service provider's standard contract, many employers will not have the leverage to make such demands or to negotiate meaningful changes to standard contracts. The DOL best practice "guidance" thus raises a number of practical questions for plan administrators. In the event of a cybersecurity breach or a DOL investigation, how are you going to demonstrate that you followed Tips for Hiring a Service Provider with Strong Cybersecurity Practices? How much weight should you place on your recordkeeper's willingness or unwillingness to implement the DOL's cybersecurity best practices in the absence of a regulatory obligation to do so? How should you balance any costs of enhanced cybersecurity procedures or restrictions on the use of participant data against your fiduciary duty to monitor service provider fees? If you have any issues or questions about DOL cybersecurity best practices and their applicability to your benefit plans, please reach out to a member of BakerHostetler's Employee Benefits team or your BakerHostetler attorney.

The DOL new release and links to the guidance, including Online Security Tips for plan participants, located here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.