Cybersecurity and Employee Benefit Plan Fiduciary Duties: Going Beyond HIPAA

April 26, 2016

By: Lisa A. Christensen

It seems as though we hear about new cybersecurity issues every day -- from traditional hacking incidents to the increasingly sophisticated phishing, malicious apps and websites, social engineering, and ransomware attacks.  Employee benefit plan sponsors likely have a fiduciary duty to ensure participant information and plan assets are protected from the growing number of cyber threats (to the extent possible, given the ever-changing cybersecurity landscape), AND, perhaps more importantly, that there is a plan in place to respond to a data breach and mitigate any associated damages. For many years now, health plan sponsors have been subject to a variety of privacy and security rules under the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”).  Health plan sponsors are (among other things) required to enter into contracts with TPAs and other service providers called “business associate agreements” that spell out the parties’ obligations under HIPAA in connection with the plan’s HIPAA-protected information or “PHI.” Notwithstanding HIPAA’s broad scope, it is important to note that HIPAA only establishes the floor (i.e., the bare minimum requirements) when it comes to privacy and security of PHI.  Health plan sponsors also should consider including references to state data breach notification laws and cyber liability insurance in business associate agreements (or related services agreements) in addition to the HIPAA minimums. Although HIPAA does not extend to retirement plans, and retirement plan sponsors are not required to enter into specific agreements with TPAs governing the privacy and security of participants’ personally identifiable information or “PII,” ERISA’s fiduciary duties nonetheless likely apply.  Although the DOL has yet to weigh in on fiduciary duties raised by cybersecurity issues, retirement plan sponsors should consider including both “HIPAA-like” and expanded cybersecurity provisions in contracts with TPAs that govern the privacy and security of participants’ PII and plan assets.  Examples include, but are not limited to, provisions that:  (1) address the TPA’s data security policies and procedures; (2) restrict the use of and access to PII; (3) explain the TPA’s obligations in the event of a data breach or security incident (i.e., investigation, notification of the plan sponsor and participants, mitigation, remediation, etc.); (4) specify liability for cybersecurity incidents, including the requirement to maintain adequate cyber liability insurance; and (5) provide for the ability to terminate the applicable services agreement, without additional or early termination fees, in the event of a data breach or other security incident, at the discretion of the plan sponsor. Finally, in recognition of the fact that participant information also needs to be protected while in the hands of the plan sponsors (including from their employees as well as external cyber threats), plan sponsors should include any plan-related PHI or PII in their organizational cybersecurity efforts.