The Fiduciary Duty for Cybersecurity
Monday, February 12, 2018
cyberthreat, risk, security, fiduciary, DOL, reasonable,calculated
Print Mail Download i

Computer hacking seems to be a daily fact of life. Since most plan information is stored electronically, hacking presents a vulnerability that fiduciaries can’t ignore. For example, if hackers were to gain access to participant social security numbers or account balances, they could steal the money or a participant’s identity. And the plan would be liable.

This is a fiduciary issue because of a DOL regulation that says fiduciaries need to protect participant information by taking

“[A]ppropriate and necessary measures reasonably calculated to ensure that the system for furnishing documents … protects the confidentiality of personal information relating to the individual's accounts and benefits (e.g., incorporating into the system measures designed to preclude unauthorized receipt of or access to such information by individuals other than the individual for whom the information is intended).” (ERISA Regulation Section 2520.104b-1(c)(1)(i)).

In other words, plan fiduciaries have to take steps to protect participant information; the steps must be “appropriate and necessary”; and the protections need to be incorporated into the “system” being used to communicate with the participants. The regulation says the steps must only be “reasonably calculated” to protect the data. So, while fiduciaries need to take cyber protection seriously, the DOL recognizes that they probably can’t achieve perfection.

This is all well and good, but the “system” where the data is maintained is most likely the plan recordkeeper’s. What can a plan fiduciary do? Remember that another important duty is the fiduciary obligation to prudently select and monitor service providers. In selecting or deciding to retain the recordkeeper (and others that either have, or have access to, participant data), fiduciaries need to find out how they protect the data. Make sure the recordkeeper (or other service provider) has cybersecurity policies in place, then review these cybersecurity policies for comprehensiveness and periodically monitor whether the service provider is complying with the policies. 

© 2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.

Current Legal Analysis

More from Faegre Drinker

SCOTUS Denies Certiorari in Cases Concerning FCA Liability Requirement, Objective Falsity Circuit Split Remains Intact
by: Commercial Litigation Practice Group
Groundbreaking Fourth Circuit Decision Upholds Private Plaintiff’s Successful Effort to Unwind a Consummated Merger
by: Kathy L. Osborn , Emily E. Chow
Travel Bans and Quarantine Hotels: Traveling to the U.K. During COVID-19
by: Hodon Anastasi
TCPA Plaintiff Argues he wasn’t Injured in Attempt to Dodge Federal Jurisdiction
by: Marsha J. Indych , Renée M. Dudek
Silver Lining: COVID-19 Engagements Allow More Time for Premarital Financial Planning
by: Jaime A. Quick
Biden EPA Makes First Moves to Address PFAS in Drinking Water
by: Bonnie Allyn Barnett , Brandon W. Kirkham
Predicting the Enforcement Priorities of the Biden DOJ
by: Thomas J. Kelly , Daniel E. Pulliam
New York City Council Imposes Stricter Discipline Requirements on Fast Food Employers
by: Gerald T. Hathaway
Disclosure of Binding Arbitration Not Required In Consumer Warranties, Says Florida Supreme Court
by: Traci T. McKee , Lexi C. Fuson
FCC Order Causes Confusion Regarding Consent Required for Informational Calls to Residential Landlines
by: Matthew M. Morrissey

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins