Published on March 20th, 2020

Plan Fiduciaries Beware! Strategies for Avoiding Cybersecurity Breach of Benefit Plan Documents


Plan fiduciaries have numerous responsibilities under the law when administering programs and handling participant funds and benefits, including the responsibility to make sure the technology they choose to use is secure. A cybersecurity breach, especially one that exposes personal identification information (PII) or leads to a loss of funds, can create significant liability for the plan.

Who is Legally Liable?

Employee benefit plans are governed by ERISA and its accompanying regulations. While cybersecurity isn’t specifically listed as a fiduciary responsibility, plans are required to protect both plan assets and participant data through their duties of prudence and loyalty. Since the methods for doing so have changed since the 1970s when ERISA was first enacted, regulations have adapted to consider new technology. It is likely that regulations and court decisions will soon reflect data security and computer security very specifically in a fiduciary’s obligations.

What Should You Do?

Regardless of liability, no one wants to be in the position of being the ones whose plan data was compromised. Fiduciaries should pay attention to the current state of security technology, work with advisors, and design procedures that build in double-checks confirming that transactions are appropriate.

Consulting with security experts and benefit plan attorneys to develop a fiduciary cybersecurity legal compliance paradigm is the first step in bringing a system up to date. Fiduciaries should also take a periodic deep dive into their setup to ensure the systems their service providers are using are also secure and in line with security goals. Not only should the systems be secure, but comprehensive agreements need to be in place between the different parties to allow audits and to pass liability to the party where a breach occurs. These agreements should specifically spell out the security obligations the service provider has to the plan and provide for a variety of remedies in the event of a breach.

No system is completely secure, and a breach is just as often a failure of the humans and the processes as of the technology. It’s important to address not just the system and its protocols, but also the people and the data handling processes in place. Changing your password monthly provides protection only if people do not then write the new password on a sticky note or store it somewhere else that is even less secure.
