
Cybersecurity and Privacy: a Fiduciary Concern

Everyone is well aware of the need for cybersecurity and for protecting the privacy of data. But there is an additional concern for retirement plan fiduciaries — both are essential to fulfilling their fiduciary duty.

In a recent posting on the ML Benebits blog, Matthew Hawes and Patrick Rehfield argue that retirement plan fiduciaries need to be aware of their obligations to protect sensitive data and personal information. And that includes the plan information controlled by any vendors they work with, as well.

Hawes and Rehfield point out that retirement plans store extensive personal and financial data about participants and beneficiaries, and that this information may reside in physical and electronic files for years or even decades. Many parties have access to these records, including:

  • human resources personnel;
  • benefits department personnel;
  • participants;
  • beneficiaries;
  • recordkeepers;
  • trustees;
  • consultants; and
  • vendors.

This information, they say, “presents an attractive, and often undersecured and easily exploitable, opportunity for criminals intent on stealing identities or on the outright theft of plan assets and benefit payments.”

Hawes and Rehfield note that while HIPAA governs health information, there are no equivalent laws and regulations concerning retirement plan data.

Still, they caution, under ERISA, a fiduciary must discharge his or her duties only in the interest of plan participants and beneficiaries and must adhere to a prudent expert standard of care. “Under this standard, it is not difficult to conclude that a retirement plan fiduciary who does not take certain precautions with regard to the protection of PII [personal identifiable information] may be in breach of his or her fiduciary duty,” they say, adding, “although a breach of an ERISA fiduciary duty does not trigger clear statutory penalties like those applicable under HIPAA and HITECH, under ERISA, fiduciaries are personally liable for their fiduciary breaches.”

In addition, Hawes and Rehfield point out, 47 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have some kind of breach notification law on the books. Further, they note, it is unclear whether ERISA preempts such laws.