Cybersecurity and ERISA Fiduciary Responsibilities for Retirement Plans

Thomson Reuters Practical Law, July 2020

Michelle Capezza and Christopher Lech, attorneys in the firm’s New York office, co-authored “Cybersecurity and ERISA Fiduciary Responsibilities for Retirement Plans,” a Practice Note published by Thomson Reuters Practical Law.

Following is an excerpt:

ERISA imposes specific duties and obligations on employers, individuals involved with retirement plans and other entities, including special rules applicable to those falling within the definition of a “fiduciary” in ERISA Section 3(21) (29 U.S.C. § 1002(21)).

Data and personally identifiable information (PII) have become increasingly vulnerable to attack as they travel across employer and third-party systems. This is partly due to recent advancements in plan administration and technology: online enrollment and electronic access to account information, electronic delivery of disclosures including benefit statements, and benefit plan transaction processing (including self-certifications of distributions). Today, most transactions involving retirement plans are conducted electronically, including maintaining and sharing data and information across multiple platforms.

Recent cybersecurity breaches and fraudulent distributions involving retirement plans have raised the question of whether cybersecurity of plan participant information and data is a fiduciary duty under ERISA.

Fiduciaries of employee benefit plans governed by ERISA are held to a high standard of care to ensure that the plan is operated and maintained in the best interest of plan participants and beneficiaries. The extent to which ERISA fiduciary responsibility applies to the protection of plan participant and beneficiary data and PII is not statutorily explicit under current law. That duty may already be implicitly required and, in the foreseeable future, will probably be legally required.