Podcast: The Evolving Regulatory Landscape for ERISA Plan Fiduciaries—Cybersecurity Concerns for Plan Sponsors
In this second episode of our Ropes & Gray podcast series addressing emerging issues for fiduciaries of 401(k) and 403(b) plans to consider as part of their litigation risk management strategy, ERISA & benefits partner Josh Lichtenstein and benefits principal David Kirchner discuss the importance of implementing a robust cybersecurity program for benefit plans to ensure that participant and beneficiary information and plan assets are properly protected.
Josh Lichtenstein: Hello, and thank you for joining us today on this Ropes & Gray podcast. I’m Josh Lichtenstein, an ERISA partner based in our New York office, and I am joined by David Kirchner, a principal in our benefits consulting group, based in Boston. In the first episode of this podcast series on 401(k) and 403(b) plan litigation risk management, we discussed the DOL’s final rules concerning ESG investing and proxy voting, and what impact the Biden administration might have on the fates of these two important rules. On that note, we actually just received some guidance from the Department of Labor on March 10, 2021, where it issued a statement saying that it will not enforce either of those recent rules, including with respect to the selection of 401(k) default investment options. In addition, the Department said that it plans to revisit both of these rules, so while uncertainty remains, for now, concerns over compliance with those rules can be relaxed at least with regards to DOL examinations. Today, we will be turning to another area that has received considerable attention recently—the cybersecurity and privacy protocols for retirement plans.
Now, cybersecurity is a concern everywhere in our modern lives. Day-to-day, we all receive constant reminders to regularly change our passwords and to look out for scam calls and phishing emails. For retirement plan participants and beneficiaries, there is a potential treasure trove of information that could be misappropriated by the wrong parties if it is not properly protected. If you think about it, during every single pay period, personal information about each plan participant (including very sensitive information like social security numbers and addresses) is being shared between their retirement plan recordkeepers and the plan sponsors. And this can prompt questions such as: How is that data being sent? Who is seeing the data? And what actually happens to the data after it is uploaded to the recordkeeper’s system? At each point along this chain there is the risk that personal data can be stolen or misused. There are also worries about less nefarious but still invasive uses of data, like service providers using participant information to cross-sell their products and services to retirement plan participants, even though there is no direct connection to your retirement plan. Even if this practice is not per se illegal, it can raise questions about whether participant information should be viewed as a plan asset that should be protected under ERISA or whether it is not entitled to those protections under ERISA’s fiduciary standards.
Now, David, I know that you see these issues firsthand when you’re talking to the recordkeepers and other vendors on behalf of our clients. So, I’d like to begin by talking about how the DOL has been looking at them—do you have any thoughts on that?
David Kirchner: Thanks, Josh. It’s nice to be joining you again for another episode of this podcast series. While cybersecurity and privacy concerns have been addressed by federal and state regulators in other contexts, such as health information or consumer protection like HIPAA, or more recently, the California Consumer Privacy Act, the DOL has been primarily concerned about the measures ERISA plan sponsors and fiduciaries are taking to protect their retirement plans’ participants and beneficiaries’ information.
As a historical point, cybersecurity is not an entirely new frontier for the Department of Labor. Back in 2011, the DOL’s ERISA Advisory Council first examined privacy and security issues affecting employee benefit plans, and it revisited the topic in 2016. The 2016 Council focused on outlining cyber risk management strategies that can be scaled based on the plan sponsor and size, as well as the plan type and its available resources. After conducting two days of hearings, the 2016 Council formulated and drafted a document entitled “Employee Benefit Plans: Considerations for Navigating Cybersecurity Risks” and a white paper report to raise awareness with plan sponsors, fiduciaries and service providers regarding the development of cybersecurity risk management programs for benefit plans. The 2016 Council asked the Department of Labor to provide guidance on how to evaluate cybersecurity risks and to require retirement plan sponsors to be familiar with the various security frameworks used to protect data. The 2016 Council also asked the Department of Labor to recommend that plan sponsors use third-party risk management, which would entail:
- taking inventory of all third-party service providers such as recordkeepers, trustees, administrators, and investment managers, who have been involved with the plan participants and/or asset data;
- understanding whether those service providers outsource activities to other third-party providers; and
- requesting (i) information on each provider’s security procedures and how they impact the retirement plan, and (ii) an industry recognized certification or audit of their cybersecurity systems.
Over the last few years, the DOL has become much more active in this space, although we haven’t seen formal rulemaking activity. For instance, we have learned of instances of agency investigators questioning sponsors about their cybersecurity and privacy protocols during routine audits and asking questions about the retirement plan service providers who have access to participants’ personally identifiable information. Some of these questions include:
- Does the plan sponsor monitor the cybersecurity controls of its service providers? How often? Is the monitoring documented?
- What are the service provider’s processes and systems for dealing with cybersecurity threats and protection of personally identifiable information?
- Does the service provider have policies on storing personally identifiable information, including where it is stored, how long it is stored, and how it is eliminated?
Other questions include:
- Are all personnel who come in contact with personally identifiable information trained on adequate protection of that information?
- Has the service provider experienced any security breaches? and
- Does the service provider carry cybersecurity insurance?
And, of course, we have also started seeing cybersecurity-related claims bubble up in the 401(k) and 403(b) plan litigation arena. To that end, Josh, could you provide some examples of what you’ve seen recently where plaintiffs’ firms have targeted plan sponsors and vendors in regards to their cybersecurity protocols?
Josh Lichtenstein: Yes, I’d be happy to, David. And of course, it’s a great point that in addition to the DOL’s views on this topic and some new emerging viewpoints there, we are starting to see this creep into lawsuits. So within the broad umbrella of 401(k) and 403(b) plan litigation, there have been multiple examples of cybersecurity-related claims being brought against plan sponsors and their service providers over the last year or so, sort of a mini-trend that’s emerging within the broader landscape of these lawsuits. These types of claims generally fall into two categories.
The first category of claims involves allegations that participant account information has been used to make fraudulent plan account distributions without the participant’s authorization or consent. For instance, in:
- Bartnett v. Abbott Laboratories—The plaintiff brought a claim against Abbott and Alight Solutions (as service provider serving as the plan administrator) to recover $245,000 that was taken from the plaintiff’s retirement account through an alleged unauthorized series of distributions by somebody impersonating the plaintiff and fraudulently accessing their online account. These allegations were recently dismissed against Abbott Labs because the plaintiff focused on failures by Alight for other plans they were plan administrator for, instead of actually focusing on the Abbott Labs plan. As the opinion noted, the court could not reasonably infer that the Abbott Labs defendants breached their duty to monitor under ERISA based on incidents that did not involve them (even if Abbott Labs defendants knew about these incidents with other clients of Alight). Rather, the duty to monitor requires the fiduciaries to keep track of how the administrators were performing for their own plan, not the plans of other plan sponsors. But the news hasn’t looked quite as promising for Alight, as the plaintiff’s case remains ongoing; the parties are now engaged in discovery. And so I think this case can be thought of as standing for the proposition that plan sponsors absolutely have a duty to monitor how their service providers are handling personal information, but that duty extends to how the information’s being handled for their own plan, not just how the service provider is performing in general in the market.
In a separate case:
- Berman v. Estee Lauder—The plaintiff brought claims against Estee Lauder and its recordkeeper (which was also Alight Solutions) alleging the plan had allowed the plaintiff’s $99,000 401(k) account to be fraudulently distributed to various bank accounts without the plaintiff’s authorization. The plaintiff alleged the defendants breached their fiduciary duties of loyalty and prudence by (i) causing or allowing the plan to make unauthorized distributions; (ii) failing to confirm that there was proper authorization for the distributions with the plan participant before making them; (iii) failing to provide timely notice of distributions to the plan participant by telephone or email; (iv) failing to identify and halt suspicious distribution requests, such as requests for multiple distributions to accounts in different banks; (v) failing to establish distribution processes to safeguard plan assets against unauthorized withdrawals; and also for (vi) failing to monitor other fiduciaries’ distribution processes, protocols, and activities; and any related acts and omissions. The parties eventually settled, so we didn’t get to see how it fully played out in court, but again, I think this is an example of how that duty to monitor can become very important to the plan sponsor.
As I noted before, a second category of claims also exists and these target the practices of service providers using their access to participant information (such as ages, length of employment, their contact information, the amount of assets in the account, and what investment choices they’ve made) to cross-sell other products and services to plan participants, which are not related to the plan, without the participants’ affirmative consent. For example, in:
- Cassell v. Vanderbilt University—Vanderbilt agreed to pay $14.5 million in damages to resolve a variety of claims, including one based on the use of participant data by Fidelity (serving as the plan’s recordkeeper). As part of the settlement, the fiduciaries agreed that after conducting an RFP for a recordkeeper, regardless of their decision to keep or replace the existing recordkeeper, they will “contractually prohibit the recordkeeper from using information about plan participants acquired in the course of providing recordkeeping services to the plan for purposes of marketing or selling products or services unrelated to the plan to plan participants unless a request for such products or services is initiated by the plan participant.”
Another case dealing with this issue is:
- Harmon v. Shell Oil Company—In this case, the plaintiffs have alleged that the Shell plan fiduciaries allowed the recordkeeper (who also happens to be Fidelity) to use participants’ highly confidential data, including social security numbers, financial assets, investment choices, and years of investment history in order to aggressively market lucrative non-plan retail financial products and services, which allegedly enriched the recordkeeper at the expense of participants’ retirement security.
So David, I think this shows the importance of being aware of what your vendors are doing and monitoring them. So what steps do you think that plan sponsors can take with their vendors in order to protect themselves from these types of claims?
David Kirchner: I think from our perspective, Josh, each plan sponsor should conduct a thorough and prudent vetting process of its own cybersecurity protocols as well as those of its retirement plan’s service provider when considering that provider. For instance, when we are going through an RFP process with our clients, we work with the sponsors to make sure they are asking detailed questions about vendors’ cybersecurity measures. Separately, for a retirement plan’s current vendors, if the sponsor has not requested and reviewed the vendor’s privacy protocols in some time—or ever for that matter—we suggest you should do so now. At minimum, the sponsor should request that the current recordkeeper provide their SOC audit results and outline all privacy protocols and make sure that they align with the plan sponsor’s protocols. This should all be done in writing. It is also helpful if there is evidence that the plan sponsor has reviewed these measures—perhaps in the context of a retirement or investment committee meeting so that they are included in the meeting minutes.
Plan fiduciaries should educate or proactively require their vendors to educate participants on an ongoing basis to let them know that they can take an active role in protecting their retirement assets. Remind participants not to share their log-in credentials or their personal information with anyone, and to use complicated passwords, which should be changed periodically.
Finally, a critically important step that plan sponsors and fiduciaries can take is making sure its insurance policy covers cybersecurity breaches and inquiring about the insurance coverage of its third-party service providers. If its policy does not cover these types of risks, sponsors may want to consider purchasing separate cyber-insurance coverage. In the 2016 Council’s report, it noted that “cyber insurance is a key component of cyber risk management, which can provide strong market incentives to pursue greater security.” The 2016 Council also recommended that plan sponsors and fiduciaries understand what cyber insurance does and does not provide and how it coordinates with other types of insurance coverage, so that they can appropriately consider whether to incorporate cyber insurance into their cyber risk management strategy for the plans.
Josh Lichtenstein: Those are excellent suggestions, David. It also seems apparent, based on what we’ve been discussing, that the DOL is working on some sort of guidance package to address cybersecurity issues as they relate to plan sponsors and third-party service providers. Last October, a senior career official at the Department of Labor (Tim Hauser, who’s the Deputy Assistant Secretary for the National Office Operations at EBSA), indicated at a conference that he expects to see more focus in the Department’s investigations on the adequacy of various cybersecurity programs, especially for large plans in terms of making sure that the service providers they hire are observing and following good cybersecurity practices. And we don’t expect this focus to shift or be diminished by the Biden administration—we expect these efforts to continue, and we expect this focus to remain a pretty high priority.
Well, we have run out of time for today. Thank you so much David for joining me and sharing some valuable insights in this conversation. I’ve found this to be very helpful, and I’m sure our listeners will as well. For more information on the topics that we discussed, please visit our website at www.ropesgray.com. And of course, if we can help you navigate any of the topics we discussed today, please don't hesitate to get in touch. You can subscribe and listen to this series wherever you regularly listen to podcasts, including on Apple, Google and Spotify. Finally, stay tuned for future episodes in this series where we will be discussing important topics, such as the recent Intel retirement plan decision that addressed the prudence question of including certain alternative assets on a defined contribution plan investment lineup, as well as the burgeoning pooled employer plan (or PEP) market. Thank you again for listening, and take care.