(How) could the E-Delivery Rule open the door to cyber security/participant data suits?
The Department of Labor (DOL) has simplified the delivery of retirement plan information to participants through its new Electronic Disclosure Rule (the E-Delivery Rule). Although the E-Delivery Rule promises to expand greatly the use of electronic delivery, retirement plans still retain a fiduciary duty to protect participants’ personal information from cybertheft. Thus, retirement plans taking advantage of the new rule may face increased exposure to ERISA fiduciary breach claims alleging inadequate cybersecurity measures. This article discusses the DOL’s E-Delivery Rule and the fiduciary considerations applicable to plans that rely on the new rule.
The DOL’s E-Delivery Rule
The DOL’s E-Delivery Rule allows retirement plan administrators to satisfy their information disclosure requirements under ERISA by distributing documents to employees electronically under a “notice-and-access” method. (When the Rule uses the term “plan administrator,” it refers to the fiduciary with the responsibility for managing the plan and providing information to participants. Since that fiduciary is typically the plan committee, we use that term in this article.) The rule allows plan committees to do so in one of two ways:
1. Internet Website. The E-Delivery Rule allows plan committees to furnish retirement plan documents electronically by making the documents available on an Internet website. When using this method, the plan committee must distribute a “notice of internet availability” to the email address or “smart” device number provided to the plan by the participant (or assigned to the participant by the employer, such as a work email address). The notice of internet availability informs a participant that a retirement plan document has been made available on a designated website. The notice must lead a participant directly to the document itself or to a login page that enables access to a link to the document when a participant logs in.
2. E-Mail. Alternatively, the E-Delivery Rule allows plan committees to email retirement plan documents directly to participants. When using this method, the plan committee sends an email to the participant’s email address (described above) and includes the document either in the body of the email or as an attachment.
Before making use of the new E-Delivery Rule, plan committees must send paper notifications to individuals informing them that their retirement plan documents will be delivered to them electronically unless they opt out of electronic delivery.
The Price of Simplification
The DOL estimates that the E-Delivery Rule will save retirement plans approximately $3.2 billion over the next ten years. The Rule will undoubtedly expand considerably the use of electronic delivery in distributing retirement plan information, greatly reducing the production and mailing costs associated with paper disclosures. The rule also offers a seemingly simpler alternative to the “actual consent” and “wired at work” e-delivery safe harbors, which continue to remain available to plans. That is, by defaulting employees to electronic delivery regardless of their job duties, plan committees using the new e-delivery safe harbor no longer need to obtain employees’ affirmative consent to e-delivery, nor do they need to analyze the extent to which employees use computers to perform their jobs.
Still, such simplicity comes with a price. Although plan committees and service providers have already been sensitized to issues related to the use of plan participant data through multiple class action cases, the issue here is different and more significant. Some plaintiffs’ lawyers are now alleging that participant data is a “plan asset,” and that plan service providers facilitating e-delivery are precluded from using the data without paying a price for it.
The new E-Delivery Rule takes the issue of participant data a step further by reminding plan committees (in coordination with plan service providers) of the added duty to “take measures reasonably calculated to protect the security and privacy of covered individuals’ information.” As the DOL described in the preamble to the final E-Delivery Rule:
“As with all agencies facing heightened cybersecurity concerns, the Department recognizes that increased electronic disclosures may expose covered participants’ information to intentional or unintentional data breach. Paragraph (e)(3) of the proposal requires the plan administrator to take measures reasonably calculated to ensure that the website protects the confidentiality of personal information relating to any covered individual. As required under ERISA section 404, the Department expects that many plan administrators, or their service or investment providers, already have secure systems in place to protect covered individuals’ personal information. Such systems should reduce covered individuals’ exposure to data breaches.” [emphasis added]
This is consistent with existing regulations that require a plan committee to protect the confidentiality of personal participant information where plan disclosures are provided through electronic media. ERISA Regulation Section 2520.104b-1(c)(1)(i)(B) says a plan committee:
“[Must take] appropriate and necessary measures reasonably calculated to ensure that the system for furnishing documents…protects the confidentiality of personal information relating to the individual’s accounts and benefits (e.g., incorporating into the system measures designed to preclude unauthorized receipt of or access to such information by individuals other than the individual for whom the information is intended).” [emphasis added]
In other words, as part of their fiduciary duty to act in the interest of participants, the plan committee must take measures to ensure data protection. This means making sure that the plan sponsor’s and plan’s electronic data storage arrangements are secure. It means providing education to participants to help them keep their information safe. And it extends to the duty to prudently select and monitor service providers to “ensure that [their] systems for furnishing documents” are secure.
A second regulation, ERISA Regulation Section 2520.107-1(b), emphasizes the last point. The regulation provides:
“The record maintenance and retention requirements of sections 107 and 209 of ERISA are satisfied when using electronic media if:
(1) The electronic recordkeeping system has reasonable controls to ensure the integrity, accuracy, authenticity and reliability of the records kept in electronic form;
(2) The electronic records are maintained in reasonable order and in a safe and accessible place….
(5) Adequate records management practices are established and implemented (for example, … providing a secure storage environment, … observing a quality assurance program evidenced by regular evaluations of the electronic recordkeeping system including periodic checks of electronically maintained or retained records….” [emphasis added]
In the preamble to the E-Delivery Rule, the DOL emphasizes that a plan committee’s responsibility to protect participants’ personal information is a fiduciary duty under ERISA. That, in turn, means that retirement plans taking advantage of the new e-delivery safe harbor may face increased exposure to ERISA fiduciary breach claims alleging inadequate cybersecurity protections. For example, cybercriminals might successfully attack an e-delivery website (which may or may not be maintained by the plan sponsor), gaining unauthorized access to participant data. In seeking the simplicity of the new e-delivery safe harbor, plan committees need to be aware of added complexity in the form of ERISA fiduciary responsibility and potential liability.
What Plan Committees Can Do
The preamble to the E-Delivery Rule reminds plan committees of two important obligations: to “take measures reasonably calculated to ensure that the website protects the confidentiality of personal information relating to any covered individual” and to take “measures reasonably calculated to protect the confidentiality of personal information relating to the covered individual.” Other than reminding committees of their fiduciary obligation to maintain secure systems and protect participant information, which includes the obligation to conduct periodic monitoring of the systems, the duty is not well defined. At the very least, committees should ensure that their own and their service providers’ systems meet current commercial standards.
Given this lack of specifics, what can committees do? Here are some of the steps we believe are appropriate:
- Consult with experts (whether internal to the plan sponsor or outside consultants) to verify that they have up-to-date systems and procedures in place to protect data stored in their own electronic systems. If not, take steps to improve the systems.
- Obtain information from existing or potential service providers – particularly the plan recordkeeper – to make sure these outside systems provide up-to-date protection for plan and participant data, including current and stored data and information in transit, i.e., notices and reports sent to participants. It may be necessary to consult with experts to conduct a review of service provider information systems. These steps are in keeping with the ERISA prudent selection and monitoring obligation imposed on fiduciaries.
- Obtain periodic updates from service providers (ideally every six months) on steps they are taking to improve and test the security of their systems. Also, request information on any breaches of their systems that have occurred.
- Review any cybertheft guarantees that the providers offer and, to the extent a guarantee requires participants to take specific steps to obtain its benefits, educate participants on how to fulfill those steps. In addition, committees should look into providing training to participants on how to protect themselves from cybertheft.
- Consider obtaining cyber liability insurance to provide a source of payment in case of a breach and losses incurred by participants.
This is not an exhaustive list, but should give plan committees a start on meeting the fiduciary obligation that goes along with taking advantage of the new E-Delivery Rule.
Retirement plan stakeholders have long lobbied the DOL to modernize and simplify its rules concerning electronic delivery of retirement plan information. While the E-Delivery Rule advances that goal, it heightens fiduciary complexity for plans that choose to rely on it. The DOL has made clear that plans have a fiduciary duty to protect the confidentiality of participants’ personal information. As a result, plans relying on the new safe harbor must assess the security of their (and as part of the prudent selection and monitoring process, their service providers’) e-delivery procedures, repairing any vulnerabilities that might place participant data at risk. Plans should conduct such assessments regularly and document both their findings and the actions taken to address any security risks.
Fred Reish, Bruce Ashton and Stephen Pennartz, Faegre Drinker Biddle & Reath LLP