June 17, 2021

T-Break

Let'S Talk Law

DOL’s New Cybersecurity Guidance – Employment and HR


United States:

DOL’s New Cybersecurity Guidance


To print this article, all you need is to be registered or login on Mondaq.com.

On April 14, 2021, the United States Department of Labor (the
“DOL”) issued for the first time guidance to retirement
plan sponsors, fiduciaries, record keepers, service providers and
plan participants guidance on cybersecurity issues. The DOL’s
press release includes three pieces of
guidance, including: (1) Tips for Hiring Service Providers; (2)
Cybersecurity Program Best Practices; and (3) Online Security
Tips.

The Employee Benefits Security Administration, a sub-agency of
the DOL (the “EBSA”) long ago stated that addressing
cybersecurity has been on the agency’s “to do” list
and even published a report in 2016 reflecting the need for such
guidance, which we previously covered here.

The Employee Retirement Income Security Act of 1974, as amended
(“ERISA”), includes fiduciary standards that require a
retirement plan to be administered in accordance with a standard of
care for a prudent person who is familiar with such matters. Common
sense dictates that ERISA fiduciaries administer their plans in
accordance with industry standards for cybersecurity, safeguard
plan assets and ensure that appropriate controls are in place to
avoid financial losses to plans that may result from a
cybersecurity breach. However, the legal issues concerning who is
responsible (plan participant, plan sponsor or record keeper)
remain open questions in many jurisdictions.

Accordingly, the DOL’s guidance (while long overdue) is
welcome advice stressing just how critical it is for ERISA
fiduciaries to focus on cybersecurity issues in selecting,
contracting and monitoring the performance of record keepers and
other plan service provides to protect plan participants. The
guidance also specifically emphasizes how important it is for ERISA
fiduciaries to address cybersecurity when performing due diligence
in negotiating service provider agreements and in ongoing
monitoring of service provider compliance with cybersecurity
policies and procedures to ensure that any breaches are promptly
reported, investigated and addressed.

The three pieces of guidance are summarized below:

1. Tips for Hiring Service Providers

To assist business owners and plan sponsors in  meeting
their responsibilities under ERISA to prudently select and monitor
service providers, the DOL provides the following tips
(summarized):

  • Ask about the service provider’s information security
    standards, practices and policies and audit results, and compare
    them to the industry standards adopted by other financial
    institutions.

  • Ask the service provider how it validates its practices and
    what levels of security standards it has met and implemented. Look
    for contract provisions that give you the right to review audit
    results demonstrating compliance with the standard.

  • Evaluate the service provider’s track record in the
    industry, including public information regarding information
    security incidents, other litigation and legal proceedings related
    to vendor’s service.

  • Ask whether the service provider has experienced past security
    breaches, what happened and how the service provider
    responded.

  • Determine if the service provider has any insurance policies
    that would cover losses caused by cybersecurity and identify theft
    breaches.

  • Ensure that service contracts require ongoing compliance with
    cybersecurity and information security standards and beware of
    provisions that limit a provider’s responsibility for IT
    security breaches. Particular attention should be paid to contract
    terms relating to:

    • Sharing of information and confidentiality

    • Cybersecurity breach notification

    • Record retention/destruction, privacy and information security,
      and

    • Insurance

2. Cybersecurity Program Best Practices

The DOL guidance recites that, because ERISA covered plans often
hold millions of dollars in plan assets and maintain personal data
on plan participants, responsible plan ERISA fiduciaries have an
obligation to ensure proper mitigation of cybersecurity
risks.  Accordingly, the agency recommends the following best
practices for use by record keepers, other service providers
responsible for plan related IT systems and data and for plan ERISA
fiduciaries making prudent decisions on the service providers they
hire. Plan service providers should maintain, adopt or conduct the
following (summarized):

  • Formal well-documented cybersecurity program

  • Prudent annual risk assessment

  • Reliable annual third party audit of security controls

  • Clearly defined and assigned information security roles and
    responsibilities

  • Strong access control procedures

  • Assets or data stored in a cloud or managed by a third party
    service provider are subject to appropriate security reviews and
    independent security assessment

  • Cybersecurity awareness training conducted at least annually
    for all personnel and updated to reflect risks identified by the
    most recent risk assessment

  • Secure system development life cycle program

  • Business resiliency program which effectively addresses
    business continuity disaster recovery and incident response

  • Encryption of sensitive data stored and in transit

  • Strong technical controls implementing best security
    practices

  • Responsiveness to cybersecurity incidents or breaches

3. On-line Security Tips for Participants

Participants are encourage to reduce the risk of fraud and loss
to their retirement accounts by following these basic rules
(summarized):

  • Register, set up and routinely monitor your online
    accounts

  • Use strong and unique passwords

  • Use multi-factor authentication

  • Keep personal contact information current

  • Close or delete unused accounts

  • Be wary of free Wi-Fi

  • Beware of phishing attacks

  • Use antivirus software and keep app and software current

  • Know how to report identity theft and cybersecurity
    incidents

Observations: While the guidance is welcome
advice, many questions remain unanswered regarding the application
of ERISA to data security. For example:

  • Is data maintained by a retirement plan a plan asset?

  • Is the employer (as plan sponsor) responsible for the data
    breach, or is the third party administrator service provider
    responsible?

  • Does ERISA, a federal law, preempt state cybersecurity (data
    privacy) laws?

  • Does the DOL expect plan sponsors or ERISA fiduciaries to
    communicate on-line security tips to plan participants and
    beneficiaries, and if so, how often?

In light of this recent guidance, plan sponsors and ERISA
fiduciaries should begin reviewing their practices, procedures and
cybersecurity protocols, as well as those of their service
providers to ensure they are meeting the best practices set forth
in this recently published DOL guidance.

Originally published April 27, 2021

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Employment and HR from United States

New York State Enacts Groundbreaking HERO Act

Lewis Brisbois Bisgaard & Smith LLP

New York, N.Y. (May 13, 2021) – After a year’s worth of various executive orders addressing worker safety issues arising from the COVID-19 pandemic…