Most companies’ stock plans are administered with the help of third-party service providers, which collect, receive, transmit or otherwise store vast quantities of employees’ personally identifiable information (PII), including Social Security numbers, dates of birth, addresses, next of kin, marital status, etc. Some current contracts with service providers do not contain specific requirements for how the service providers must secure and maintain the privacy of the company’s PII, which may mean that the company has no oversight as to what its service providers are doing with the information. Other agreements may address the issue of security but not the issue of who would be responsible for the costs and damages of a breach (or worse, place that responsibility on the company).

If you haven’t done so recently, you might want to review (and update) your agreements with service providers to ensure that those companies (and your own company) have appropriate data privacy and security protections. Some companies have created a standard data privacy and security template agreement for all compensation and employee benefit plan agreements. Such a template agreement could include, among other items, requirements related to access and security controls, encryption, storage of PII on removable devices, audit rights, and notification and indemnification provisions in the event of a data breach, and would be tailored to the specific risks and requirements of the company’s plans (employee retirement, 401(k) and group health benefit plans are similarly at risk).

Additionally, a number of state laws (including those of Massachusetts, Maryland, and Nevada) require proactive action with respect to vetting and/or monitoring service providers that handle PII. The California Senate’s rejection of an amendment that would have removed employees from the definition of “consumer” under the California Consumer Privacy Act (CCPA) reminds us that, unfortunately, stock plan professionals need to worry about cybersecurity risks in addition to all the other legal issues about which we generally post blogs. The CCPA goes into effect on January 1, 2020.

Finally, in its Statement and Guidance on Public Company Cybersecurity Disclosures, the SEC helpfully reminds us that the ’34 Act requires a company’s CEO and CFO to make certifications regarding the design and effectiveness of disclosure controls and procedures, including the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.