Cybersecurity Concerns for ERISA Fiduciaries
April 20, 2016
Pension plans and welfare plans store personal data on participants and beneficiaries that may be of great interest to cyber attackers. Not only does the plan sponsor have access to personal confidential data, but so too do the participant and beneficiary, the third-party service provider and other vendors. What cyber attackers are seeking is not just theft of plan assets, but personal data and individuals’ identities, which may be of higher value than plan assets.
In 2011, the Department of Labor’s ERISA Advisory Council began looking at cybersecurity issues in the context of maintaining privacy and security of information in employee benefit plans. The ERISA Advisory Council identified identity theft and loss of plan assets as major concerns and recommended that DOL provide guidance.
The guidance has yet to be issued, and there currently is no comprehensive federal law governing cybersecurity, but there are many federal and state laws that address the issue in various ways. HIPAA regulations may also be useful as a guide.
Guidance from the DOL will undoubtedly be driven first by a determination as to whether cybersecurity is deemed to be a fiduciary function. In the meantime, plan fiduciaries can consider establishing prudent procedures for handling and securing personally identifiable information, including securing such information “at rest” (data stored on computers or storage devices, or in use by the data owner) and “in motion” (data transmitted across a network, such as email).