IBM estimated last year that data breaches cost companies $148 per stolen record. Not surprisingly, many employers have grown increasingly concerned about the potential impact of such breaches, including breaches that may affect employer-sponsored benefit plans.
Courts have not yet formally addressed whether ERISA requires benefit plan fiduciaries to manage cybersecurity risks. However, a federal district court recently rejected a motion to dismiss filed by defendants seeking to avoid liability for fraudulent distributions from a plan caused by cyber criminals. There, the court held that the defendants were plan fiduciaries and that the plaintiffs had pled facts sufficient to allege that the defendants breached their fiduciary duties. Although this decision only relates to a motion to dismiss, the case underscores the potential for plaintiffs to assert, even in the absence of clear guidance, that plan fiduciaries are not doing enough to protect plan participants from cybersecurity risks.
As a result, with cybersecurity concerns on the rise, plan fiduciaries are continuing to enhance their focus on the best ways to protect employee data. Recently, on Law360, McDermott’s Mark E. Schreiber discussed four helpful tips for handling cybersecurity risks.