
Is There a Fiduciary Duty of Cybersecurity?

In a time when some of the largest institutions have been hacked (including the federal government), it’s not surprising that our industry has already experienced issues with cybersecurity. But is there a fiduciary duty to safeguard that information – and if so, how far does it go?

In a recent blog post, Drinker Biddle’s Bruce Ashton says that this is, in fact, a fiduciary issue – because of a DOL regulation that says fiduciaries need to protect participant information by taking:

“[A]ppropriate and necessary measures reasonably calculated to ensure that the system for furnishing documents … protects the confidentiality of personal information relating to the individual's accounts and benefits (e.g., incorporating into the system measures designed to preclude unauthorized receipt of or access to such information by individuals other than the individual for whom the information is intended).” (ERISA Reg. Section 2520.104b-1(c)(1)(i))

In other words, Ashton explains, “plan fiduciaries have to take steps to protect participant information;” the steps must be “appropriate and necessary,” and the protections “need to be incorporated into the ‘system’ being used to communicate with the participants.” Those steps must be “reasonably calculated” to protect the data – so, according to Ashton, while fiduciaries need to take cyber protection seriously, the DOL recognizes that they probably can’t achieve perfection.

Plan fiduciaries shouldn’t draw too much comfort from the reality that the data in question is likely on a recordkeeper’s platform. Ashton reminds the reader that another important duty is the fiduciary obligation to prudently select and monitor service providers, and that in selecting or deciding to retain the recordkeeper (and others that either have, or have access to, participant data), fiduciaries need to find out how they protect the data.

He closes by cautioning that fiduciaries should make sure the recordkeeper (or other service provider) has cybersecurity policies in place, then review these cybersecurity policies for comprehensiveness and periodically monitor whether the service provider is complying with the policies.

And, as always, when lacking particular expertise, look to engage the services of someone who is.