PLANSPONSOR - April/May 2021 - 39

INSIDE ANGLE
A DOL Download
Cybersecurity guidance for plan sponsors, providers and participants
P
lan data and cybersecurity have, recently been two of the
most closely watched areas of the benefits space. On both
fronts, the regulated community continues to grapple with
important but largely unanswered questions about the status of
data as a " plan asset " under the Employee Retirement Income
Security Act (ERISA). While the legal landscape is still largely
uncharted, sponsors should be aware of new developments.
In March, a federal district court in Texas issued a decision
regarding the status of participant data as a plan asset under
ERISA. In Harmon v. Shell Oil, the plaintiffs alleged that a plan's
recordkeeper breached its fiduciary duties by sharing demographic,
financial and other participant information with its affiliates
in order to solicit non-plan services and financial products.
As a threshold matter, the court had to first consider whether the
recordkeeper acted as a fiduciary under ERISA.
Generally, under long-standing principles, recordkeepers
are not considered fiduciaries under ERISA. However, under the
plaintiffs' theory, the recordkeeper acted as a fiduciary because it
had control over participant data, which, they alleged, was a plan
asset under ERISA. The court disagreed and concluded that participant
data did not constitute a plan asset. In a relatively short but
impactful analysis, the court noted that regulations issued by the
Department of Labor (DOL) were silent as to whether participant
data constituted plan assets. Further, the court agreed with the
analysis in the 2018 decision in litigation against Northwestern
University, where an earlier court concluded that although participant
data had " some value, " it did not constitute a plan asset under
" ordinary notions of property rights. "
While the decision in the Harmon litigation is certainly
helpful for service providers and others in the regulated community,
it is likely not the final say. Given the growing focus on,
interest in, and utilization of participant data, it's reasonable to
expect that the question of its status as a plan asset will continue
to be litigated.
DOL Guidance
Switching gears, in April, the DOL issued cybersecurity guidance,
which has three components. Importantly, the guidance
did not go through notice and comment and lacks the force of
law. Nevertheless, from a plan sponsor perspective, there is a
relevant piece: the DOL's " tips " for considering cybersecurity
when selecting service providers. The tips include suggested
questions and considerations when evaluating service provider
cybersecurity practices. In this regard, the tips suggest asking
service providers about their cybersecurity standards and policies,
past security incidents and insurance coverage. The tips
also recommend sponsors consider the service provider's " track
record " in the industry, including publicly reported security incidents
and related litigation.
Further, the tips include suggested contract terms that plan
sponsors should " try " to obtain in their service provider agreements.
Such terms include requiring that the service provider
undergo a third-party cybersecurity audit and obtaining " clear "
terms regarding the use of participant data, notification about any
breaches, compliance with federal, state and local privacy laws,
and a description of record retention practices.
The DOL also issued a second piece of the cybersecurity
guidance as a " best practices " document geared toward service
providers. It describes various features that providers should
include as part of their overall cybersecurity programs, such as
periodic information security assessments, required training for
personnel, use of data encryption, and business continuity planning.
The best practices piece is quite extensive and could eventually
be used as a guide for DOL audits of plan service providers.
The last piece of the cybersecurity guidance describes " online
security tips " for plan participants. As a general point, these tips
encourage participants to establish an online account for their
retirement plan to prevent cybercriminals from assuming their
identity. The tips also advise participants to routinely monitor
their online account, employ a strong password and use multifactor
authentication to reduce cybersecurity risks.
With the DOL's cybersecurity guidance finally out, the next
question is whether, and how, the agency will examine compliance
in its enforcement activities. As the regulated community may be
aware, the DOL has already commenced examining cybersecurity
practices in its investigations, though not yet with the same intensity
as other focus areas, such as missing participants. However,
given the growing importance of cybersecurity, it's likely that
the DOL may soon prioritize cybersecurity from an enforcement
perspective, particularly now that its guidance is out.
Steve Saxon is a partner with Groom Law Group, Chartered,
and George Sepsakos is a principal with Groom. Offices for
Groom are in Washington, D.C.
PLANSPONSOR.COM April - May 2021 39
http://www.PLANSPONSOR.COM
PLANSPONSOR - April/May 2021

Table of Contents for the Digital Edition of PLANSPONSOR - April/May 2021
