Increasing retirement plan-focused litigation has put insurance carriers and fiduciary service providers in difficult positions. In this article published in PLANSPONSOR, McDermott Partner Erin Turley said such litigation continues to be a “major focus” in the fiduciary insurance marketplace.
“It is a challenging market right now, to the point that we are looking at trying to think about ways that insurance products might be differently structured, to address what we hope will only be a short-term tightening in the market.”
Missing participants and cybersecurity are among the top challenges for retirement plan advisors, according to participants at the National Association of Plan Advisors’ 2021 NAPA 401(k) Summit in Las Vegas. During the Summit’s opening day workshop session, McDermott Partner Erin Turley said advisors should make an effort to discuss cybersecurity with clients in advance of a US Department of Labor audit.
“The plan document says X, the recordkeeping agreement says Y, and maybe the (summary plan description) says something different—if it’s even addressed in the SPD,” Turley noted. “So make sure all those documents sync and your process actually matches your documents as equally.”
On September 15, 2021, the Federal Trade Commission (FTC) voted 3–2 along party lines (with Republican commissioners dissenting) to issue a policy statement announcing an expansive interpretation of the FTC’s Health Breach Notification Rule, 16 CFR Part 318 (the Rule). According to the policy statement, the Rule applies to health apps and connected devices that are not subject to the Health Insurance Portability and Accountability Act (HIPAA) but are capable of drawing information from multiple sources—for example, through a combination of consumer inputs and application programming interfaces (APIs).
Andrew C. Liazos, partner at McDermott Will & Emery, recently moderated an American Bar Association panel on the new cybersecurity guidance for retirement plan sponsors issued by the Department of Labor (DOL). The panel slides included 10 takeaways for the new DOL guidance.
By way of background, the DOL’s new guidance formalized its long-held view that retirement plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks. More specifically, the DOL expects retirement plan fiduciaries to select and monitor the cybersecurity practices of their service providers.
The DOL guidance is in three parts.
The first part provides plan fiduciaries with a framework for reviewing a vendor’s cybersecurity practices.
The second part provides a robust list of cybersecurity “best practices” for record keepers and other vendors responsible for plan-related IT systems and data. For example, the DOL recommends that all retirement plan vendors with critical participant data conduct a reliable annual third-party audit of their security controls.
The third part provides security tips for participants and beneficiaries who manage their retirement accounts online.
In January 2020, the Supreme Court decided it would not hear the issue of whether Facebook broke the law in Illinois when it instituted a photo-tagging feature that homed in on users’ faces and tagged them without their consent, and Facebook has now settled with the users for $550 million. The Illinois law is part of a patchwork of laws applicable to facial recognition technology (FRT).
McDermott’s Ashley Winton contributes to the second installment of a three-part article series on FRT. This article examines the applicable legal framework and regulatory guidance, including intellectual property rights, general privacy legislation, specific state biometric data laws and more.
Healthcare providers and insurers are still making tons of rookie mistakes on patient privacy, turning themselves into easy enforcement targets, according to Roger Severino, director of the US Department of Health and Human Services.
Severino made headlines in 2017 for expressing interest in punishing a “big, juicy, egregious” privacy breach, and seemingly followed through with a $16 million settlement stemming from Anthem Inc.’s megabreach involving 79 million patients. But an emphasis on smaller violations makes sense in light of the OCR’s recent acknowledgement of limits on its penalty powers, said Edward G. Zacharias, a McDermott partner.
IBM estimated last year that data breaches cost companies $148 per stolen record. Given that, not surprisingly, many employers have grown increasingly concerned about the potential impact of such breaches, including breaches that may affect employer-sponsored benefit plans.
Courts have not yet formally addressed whether ERISA requires benefit plan fiduciaries to manage cybersecurity risks. However, a federal district court recently rejected a motion to dismiss filed by defendants seeking to avoid liability for fraudulent distributions from a plan caused by cyber criminals. There, the court held that the defendants were plan fiduciaries and that the plaintiffs had pled facts sufficient to allege that the defendants breached their fiduciary duties. Although this decision only relates to a motion to dismiss, the case underscores the potential for plaintiffs to assert, even in the absence of clear guidance, that plan fiduciaries are not doing enough to protect plan participants from cybersecurity risks.
As a result, with cybersecurity concerns on the rise, plan fiduciaries are continuing to enhance their focus on the best ways to protect employee data. Recently, on Law360, McDermott’s Mark E. Schreiber discussed four helpful tips for handling cybersecurity risks.
The General Data Protection Regulation (GDPR) was the biggest story of 2018 in the field of global privacy and data protection. The GDPR became enforceable in European Union Member States on May 25, 2018, significantly expanding the territorial reach of EU data protection law and introducing numerous changes that affected the way organizations globally process the personal data of their EU customers, employees and suppliers. These important changes required action by companies and institutions around the world. Almost six months after the GDPR’s effective date, organizations are still working on compliance—and will be for years to come.
The GDPR applies to organizations inside and outside the EU. Organizations “established” inside the EU, essentially meaning a business or unit located in the EU, must comply with the GDPR if they process personal data in the context of that establishment. The GDPR also applies to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals located in the EU.
The GDPR uses other terms not familiar to US businesses but which need to be understood. Both “data controllers” and “data processors” have obligations under the GDPR, and data subjects can bring actions directly against either or both of those parties. A data controller is an organization that has control over and determines how and why to process data. A data controller is often, but not always, the organization that has the direct relationship with the data subject (the individual about whom the data pertains). A data processor is an organization that processes personal data on behalf of a data controller, typically a vendor or service provider. The GDPR defines “processing” to mean any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means (e.g., collection, recording, storage, alteration, use, disclosure and structuring).
The GDPR also broadly defines “personal data” as any information directly or indirectly relating to an identified or identifiable natural person, such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Organizations in the US are used to a narrower definition of personal data, which typically includes information that, if breached, would put an individual at risk of identity theft or fraud and require notice (e.g., Social Security numbers, driver’s license numbers, and financial account, credit and debit card numbers).
The Internal Revenue Service and the Security Summit partners recently issued a news release outlining the “Security Six,” a list of essential steps to protect stored employee information on networks and computers. Employee benefits professionals, including those who administer welfare and retirement plans for employees and beneficiaries, should review and implement the “Security Six” in order to protect sensitive data from cyberattacks.
Privacy and data protection continue to be an exploding area of focus for regulators in the United States and beyond. This report gives in-house counsel and others responsible for privacy and data protection an overview of some of the major developments in this area in 2013 around the globe, as well as a prediction of what is to come in 2014.