Is Cybersecurity a Fiduciary Duty?

By John Iekel • July 21, 2017 • 0 Comments

Fiduciary duties and functions have been discussed… just a little… over the last few years. But a recent blog entry suggests that cybersecurity should be added to them.

Ariel Gaknoki argues that it should in “Fiduciary Obligations to Safeguard Plan Participants’ Data,” an entry appearing in Trucker Huss’ blog. “There have been numerous instances of high-profile cybercrime cases over the past couple of years,” he says, which spurred “lively discussions in the ERISA community about the potential threat this type of crime poses to plan assets and personal data of plan participants and beneficiaries.”

And yet, Gaknoki writes, even though cybercrime is listed as one of the FBI’s top priorities, cybersecurity “in the context of maintaining privacy and security around employee benefit plans, remain largely unaddressed.”

Gaknoki writes that the threats hacking poses, identity theft and theft of plan assets, “emphasize the importance of reviewing, identifying and overhauling the less than rigorous cybersecurity policies and procedures most entities possessing PII have in place today” and “warrant examination of the responsibilities of benefit plan fiduciaries with respect to cybersecurity.”

The main concerns that cyberattacks raise for employee benefit plans, says Gaknoki, include:

  • unauthorized collection of personal identity data and personally identifiable information (PII);

  • theft of money from bank accounts, investment funds, and retirement accounts; and

  • infiltration of plan administration, service provider and broker systems.

Gaknoki posits that since benefit data includes participants’ names, Social Security numbers, account information and PII, “it is increasingly important for ERISA plan fiduciaries to acknowledge and act on their inherent responsibilities to secure online plan data from cyberattacks.” Failure to do so, he says, “would almost certainly be counter to the prudence standard by which ERISA fiduciaries are required to abide.”

Not only that, Gaknoki argues, choosing and monitoring a plan’s service provider is a key fiduciary responsibility, and plan fiduciaries are liable if they don’t act prudently when they choose them. And he warns that Department of Labor (DOL) Interpretive Bulletin 96-1, which addresses designation of those who provide investment education or investment advice, “has been interpreted more broadly to establish the requirement of prudence in service provider selections,” including the selection of a service provider that maintains electronic plan data. “Accordingly, ERISA plan fiduciaries should consider cybersecurity when selecting service providers,” he argues.

Unfortunately, says Gaknoki, while the DOL’s ERISA Advisory Council in 2011 and 2016 examined cybersecurity considerations as they relate to pension and welfare benefit plans, the DOL has not issued direct guidance on cybersecurity considerations in carrying this function out. One result of this, he argues, is a lag in fiduciaries’ adoption of cybersecurity measures.

Gaknoki argues that plans should not wait for the DOL to issue guidance. But they should not assume it’s easy to do, he warns, saying, “Guarding against cybersecurity breaches is a complex process, and involves instituting systems that not only detect and eliminate the source of the breach, but also measure the damage done, recover any data lost, and restore the integrity of the system.”

Steps a plan fiduciary can take include the following, Gaknoki suggests:

  • purchase “cyber liability” insurance;

  • vet third-party administrators’ cybersecurity programs and ask them to provide information on their security systems and risks;

  • review and amend agreements with service providers to ensure contracts mandate that data is protected and liability is allocated;

  • monitor third parties and employees that have access to plan data; and

  • become better informed on cloud computing and remote data storage.

Plan fiduciaries should act “as soon as reasonably possible to develop effective practices and procedures for combatting data breaches that put PII at risk,” Gaknoki says. And he adds a pointed warning: “The consequences of a data breach are severe and will be even more so for plan fiduciaries if their failure to address cybersecurity issues is determined to be a fiduciary breach.”