What happens if a retirement plan incurs a data breach
Until relatively recently, retirement plans have not made the news as targets of data breaches. This is somewhat surprising given the wealth of participants’ personal data stored online by these plans. This past summer, however, two plans experienced cybersecurity incidents, one involving theft and the other involving ransomware.
In response, the ERISA Advisory Council recommended that the Department of Labor inform the employee benefits community as to cybersecurity risks and potential approaches for managing those risks. There is a dearth of law on the subject of ERISA and cybersecurity. In fact, the ERISA Advisory Council is silent on the subject and no court has yet decided if and to what extent managing cybersecurity risk is a fiduciary function.
In this article, we examine the incidents mentioned above and the Council’s recommendations.
Fraudulent loans obtained from Chicago Deferred Compensation Plan
The Chicago Deferred Compensation Plan is a Section 457(b) defined contribution plan with roughly $3.6 billion in assets. In June, press reports indicated that $2.6 million was taken from the plan in the form of unapproved loans from 58 participant accounts. Within five days, the funds were restored, apparently by the company that administered the plan. Participants’ personal information was used to set up web profiles that allowed loans to be taken from their accounts. The matter remains under investigation.
Ransomware hits UFCW local 655 Food Employers Joint Pension Plan
This July, hackers made a ransomware demand on the United Food and Commercial Workers Union Local 655 Food Employers Joint Pension Plan. The plan is a multi-employer defined benefit plan that had assets of approximately $569 million at the end of 2015.
Ransomware is malicious software that infiltrates a device or, potentially, an entire information technology network. The software encrypts or “locks” the data located on the device or network to prevent access unless what is, in effect, a monetary ransom is paid to the attacker. Typically, the ransom is paid in untraceable electronic currency, called bitcoins, in exchange for a “key” to unlock and retrieve the data.
The unidentified hacker who took control of one of the Local 655 plan’s servers demanded three bitcoins, worth about $2,000, in order for the server to work again. The ransom was not paid and the plan used a backup server to recreate the information that had been on the locked server.
Possible data that may have been accessed during the attack included participants’ names, dates of birth, Social Security numbers and bank account information. As a precaution, the union offered credit monitoring and identity protection services to its members for 12 months without cost.
ERISA Advisory Council addresses benefit plan cybersecurity
The Council was created under ERISA and is tasked with advising the Secretary of Labor and submitting recommendations regarding the Secretary’s functions under ERISA. The Council consists of 15 members appointed by the Secretary. Benefit plan cybersecurity has been studied by the Council since 2011. In 2015 and earlier this year, hearings were held. The Council has made available its current issue statement on cybersecurity as well as the prepared statements of witnesses at this year’s hearings.
The Council’s final 2016 report is not expected to be released for several months. On Nov. 10, it did release an executive summary provided to the Secretary, in which it made the following recommendations:
First, make the Council’s report and its appendices available via the DOL’s website as soon as administratively feasible to provide plan sponsors, fiduciaries and service providers with useful information on developing and maintaining a robust cyber risk management program for benefit plans.
Second, provide information to the employee benefit plan community of plan sponsors, fiduciaries and service providers to educate them on cybersecurity risks and potential approaches for managing these risks.
The summary notes that the Council has drafted a sample document titled Employee Benefit Plans: Considerations for Managing Cybersecurity Risks for the DOL as an illustration. When the Council’s final report is posted, we will report on it and the sample document in a WorkCite.
Apart from protecting online data, plan administrators are seriously concerned about the following issues. First, is cybersecurity a fiduciary responsibility under ERISA? If so, in some cases plan fiduciaries may have personal liability under ERISA for the consequences resulting from data breaches.
Second, are state cybersecurity laws and regulations pre-empted by ERISA? If not, in the event of a data breach, administrators of plans with participants residing in multiple states will have a daunting task in determining which laws and regulations apply.
Regrettably, the Council indicated in its issue statement that although it was aware of these matters, it did not intend to address them within the scope of its study. So far, no guidance has come from the DOL itself on either fiduciary responsibility or pre-emption.