Recent cyber-attacks on health insurers have heightened awareness that sensitive participant and beneficiary information may not be adequately secured. There will undoubtedly be further attacks on databases maintained by service providers to employee benefit plans, which raises an important question for Employee Retirement Income Security Act of 1974 (ERISA) fiduciaries: what should be done now to protect participant and beneficiary information entrusted to service providers against future attacks and unauthorized disclosure? While the extent of a fiduciary's responsibility to protect the personally identifiable information of participants and beneficiaries is unclear, the fiduciary provisions of ERISA can be interpreted to impose a general duty to protect this information when it is part of a plan's administration. In addition, plan fiduciaries may also have obligations under other federal and state laws governing data privacy and security that are not preempted by ERISA. This article addresses the nature of the problem, identifies the types of data breaches that can occur with employee benefit plans, provides an overview of the relevant law that may apply, and sets forth practical steps that plan fiduciaries can take with service providers to address privacy and security concerns.
The full article appears in Benefits Law Journal.