A recent Ninth Circuit decision in the cybersecurity field, Pruchnicki v. Envision Healthcare Corp., 845 F. App’x 613 (9th Cir. 2021), may also have broader implications for ERISA matters stemming from cybersecurity issues. Although the plaintiff did not allege any ERISA claims, she alleged that she suffered four categories of injury as a result of a data breach of defendants’ systems:
- lost time spent reviewing consumer credit reports, obtaining new credit cards, checking financial accounts, and answering an increased number of “spam” calls;
- emotional distress, including “stress, nuisance, and annoyance” from dealing with the effects of the breach, “worry, anxiety, and hesitation” when applying for new credit cards, and concern that “damage to her creditworthiness could impact her ability to obtain credit for her business”;
- “imminent and certainly impending injury flowing from potential fraud and identity theft”; and
- “diminution in value of [her] personal and financial information.”
The Ninth Circuit affirmed the district court’s dismissal of the complaint because, although the plaintiff alleged an injury-in-fact sufficient to support Article III standing, she did not plausibly allege that she suffered any compensable damages or out-of-pocket expenses. The Court explained that the plaintiff cited no authority recognizing lost time as a cognizable injury, failed to assert the existence of any physical injury or illness, and failed to allege that her personal information had actually lost value. The Court’s decision may be instructive for ERISA matters, at least within the Ninth Circuit, because a plaintiff must establish harm to state an ERISA fiduciary breach claim. The types of harm identified in Pruchnicki (e.g., lost time, emotional distress, diminution of value of personal information) may not be sufficient to sustain a fiduciary breach claim.
Another case at the intersection of ERISA and cybersecurity worth noting is Berman v. Estee Lauder Inc., et al., No. 4:19-cv-06489-JST (N.D. Cal. Nov. 9, 2019). In November 2019, a participant in the Estee Lauder Companies 401(k) Savings Plan asserted several ERISA claims against Estee Lauder Inc., the Estee Lauder Inc. Employee Benefits Committee, Alight, and State Street Bank & Trust Co. arising out of the alleged theft of the participant’s retirement savings through unauthorized distributions from her plan account. Such cases may multiply as cybersecurity attacks on retirement accounts persist and become more sophisticated.
Plan service providers and fiduciaries should be cognizant not only of ERISA’s fiduciary requirements and the growing body of litigation involving participants who have suffered retirement plan losses due to cyberattacks, but also of applicable state laws that regulate the disclosure of personal or private information, such as those of North Carolina and California. Indeed, state attorneys general have been active in enforcing these laws in cyber breach matters.
Given the U.S. Department of Labor’s recent focus on cybersecurity issues (see below) and the likelihood that cybersecurity attacks on retirement accounts will persist and become more sophisticated, we expect to see an increase in the number of ERISA cases in this area.
U.S. Department of Labor Cybersecurity Guidance
On April 14, 2021, the DOL issued written guidance on cybersecurity issues with respect to plan sponsors, plan fiduciaries, recordkeepers, and plan participants. Acknowledging that “ERISA requires plan fiduciaries to take appropriate precautions to mitigate the[] risks” of internal and external cybersecurity threats to participants and assets, the DOL issued its guidance in three parts: (1) “Tips for Hiring a Service Provider with Strong Cybersecurity Practices,” (2) “Cybersecurity Program Best Practices,” and (3) “Online Security Tips.”
Tips for Hiring a Service Provider with Strong Cybersecurity Practices
The first part of the DOL’s guidance focuses on plan fiduciaries and provides a number of recommendations and suggestions to help them meet their responsibilities under ERISA. Those suggestions include:
- Comparing the plan service provider’s information security standards, practices, policies, and audit results to standards adopted by other financial institutions, and seeking providers that engage a third-party auditor to review and validate their programs;
- Seeking contractual provisions that give the plan the right to review audit results;
- Evaluating the plan service provider’s track record with respect to security incidents, litigation, and legal proceedings;
- Asking the plan service provider about prior security breaches and its response to those breaches;
- Determining if the plan service provider’s insurance policies cover losses resulting from cybersecurity and identity theft breaches; and
- Ensuring the parties’ service agreement (i) requires ongoing compliance with cybersecurity and information security standards; (ii) does not include provisions that limit the service provider’s responsibility; and (iii) includes provisions that would enhance cybersecurity protection for the plan and its participants.
Although the DOL’s cybersecurity suggestions are memorialized in sub-regulatory guidance, as opposed to a formal regulation, plan sponsors and fiduciaries should keep this guidance in mind when hiring and retaining plan service providers. Accordingly, plan sponsors and fiduciaries should consider reviewing their current hiring practices and service provider contracts to see whether they meet the suggested standards. Among other things, plan sponsors and fiduciaries should carefully review any contractual language limiting the service provider’s liability and obligations in the event of a breach. And, consistent with their existing monitoring efforts, plan sponsors and fiduciaries should consider engaging in periodic third-party audits and reviews of the service provider’s track record (e.g., security incidents, litigation, etc.). Indeed, cybersecurity practices should be a focus of any Request for Proposal (RFP) and part of any ongoing reviews of service providers (e.g., RFPs should seek information about data security and data transmittal policies, insurance coverage, etc.).
Future plaintiffs may rely on the DOL’s recent guidance in arguing that there is a duty to safeguard plan assets against unauthorized withdrawals and that plan fiduciaries also have a duty to take sufficient steps to properly select and monitor a service provider’s cybersecurity policies. On the flip side, plan fiduciaries who undertake those steps may have a stronger defense against such actions. Moreover, those steps should be accurately and thoroughly reflected in fiduciary committee minutes and materials to document a prudent process and thereby minimize risk of fiduciary liability.
Cybersecurity Program Best Practices
The second part of the DOL’s guidance provides recommendations for plan service providers to assist them in developing and maintaining an effective cybersecurity program. Though these best practices are directed towards service providers, the DOL also emphasizes that “[r]esponsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks,” which includes making “prudent decisions on the service providers they should hire.” The DOL’s recommendations include, among other things:
- Have a formal, well-documented cybersecurity program that is reviewed annually, approved by senior leadership, explained effectively to users, and reviewed by an independent auditor;
- Conduct and document prudent annual risk assessments;
- Have strong access control procedures, including with respect to authentication and authorization;
- Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments;
- Conduct periodic cybersecurity awareness training, at least annually for all personnel and updated to reflect risks identified by the most recent risk assessment;
- Implement strong technical controls in accordance with best security practices, including routine data backup and patch management, up-to-date hardware, software, firmware and antivirus software, and network segregation.
Plan service providers should consider incorporating language into their service contracts designed to comply with the DOL’s recommended best practices. Moreover, as discussed above, the recent ERISA matters based on cyberattacks have generally involved cyber criminals posing as participants, often calling into the recordkeeper’s service center to obtain participant data. As such, having an effective customer call center authentication (CCCA) process is important. Customer service representatives should be trained to ask callers to verify items such as their date of birth, home address, and other personal identifying information. A more sophisticated CCCA process may involve tokens associated with a caller’s phone or carrier, or a multi-factor authentication system using voice biometrics, which derives a voice print from the characteristics of the caller’s speech.
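As an added illustration (not drawn from the DOL’s guidance or from any recordkeeper’s system), the following Python sketches a tiered CCCA policy of the kind described above: knowledge-based answers such as date of birth and postal code suffice for a low-risk inquiry, but a distribution or a change to contact or bank details also requires a one-time code sent to a phone registered before the call; repeated wrong answers lock the account, and every decision is written to an audit trail. The request tiers, thresholds, function names, and the sample participant record are all constructed assumptions for this example.

```python
"""Illustrative call-center step-up authentication for a retirement plan service
center. Added example, not from the DOL guidance or any recordkeeper; all tiers,
thresholds and participant data are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import hashlib
import hmac
import secrets

# Request tiers (constructed): low-risk requests may proceed on knowledge-based
# answers alone; high-risk ones, the kind an impostor uses to move money, also
# need a one-time code delivered to a channel registered before the call.
LOW_RISK = {"balance_inquiry", "statement_copy"}
HIGH_RISK = {"distribution", "bank_account_change", "address_change", "password_reset"}
MAX_KBA_FAILURES = 3            # constructed threshold
LOCKOUT = timedelta(hours=24)   # constructed lockout period
OTP_TTL = timedelta(minutes=5)  # constructed code lifetime
AUDIT_LOG: list = []            # decision trail, since fiduciaries must document their process

@dataclass
class Participant:
    participant_id: str
    dob: str                    # "YYYY-MM-DD"
    postal_code: str
    registered_phone: str       # out-of-band channel on file before the call
    kba_failures: int = 0
    locked_until: Optional[datetime] = None
    otp_hash: Optional[str] = None
    otp_expires: Optional[datetime] = None

def _same(a: str, b: str) -> bool:
    # Constant-time comparison of normalised answers.
    return hmac.compare_digest(a.strip().lower().encode(), b.strip().lower().encode())

def verify_kba(p: Participant, dob_answer: str, postal_answer: str, now: datetime) -> bool:
    """Knowledge-based answers; weak alone because DOB and address leak in breaches."""
    if p.locked_until and now < p.locked_until:
        return False
    if _same(p.dob, dob_answer) and _same(p.postal_code, postal_answer):
        p.kba_failures = 0
        return True
    p.kba_failures += 1
    if p.kba_failures >= MAX_KBA_FAILURES:
        p.locked_until = now + LOCKOUT   # stop an impostor guessing through the script
    return False

def issue_otp(p: Participant, now: datetime) -> str:
    """Create a one-time code and keep only its hash. The code is returned so the demo
    can simulate delivery to p.registered_phone; a real system never reads it to the caller."""
    code = f"{secrets.randbelow(10**6):06d}"
    p.otp_hash = hashlib.sha256(code.encode()).hexdigest()
    p.otp_expires = now + OTP_TTL
    return code

def verify_otp(p: Participant, entered: str, now: datetime) -> bool:
    if p.otp_hash is None or p.otp_expires is None or now > p.otp_expires:
        return False
    ok = hmac.compare_digest(hashlib.sha256(entered.strip().encode()).hexdigest(), p.otp_hash)
    p.otp_hash = p.otp_expires = None     # single use, whether or not it matched
    return ok

def authorize(p, action, dob_answer, postal_answer, otp_entered, now):
    """Decide whether the representative may act on the request, and log the decision."""
    required = "kba" if action in LOW_RISK else "kba+otp" if action in HIGH_RISK else "deny"
    allowed, reason = False, "unknown request type is refused, not assumed low-risk"
    if required != "deny":
        if not verify_kba(p, dob_answer, postal_answer, now):
            reason = "knowledge-based check failed or account locked"
        elif required == "kba":
            allowed, reason = True, "knowledge-based check sufficient for low-risk request"
        elif otp_entered is None or not verify_otp(p, otp_entered, now):
            reason = "one-time code missing, wrong or expired"
        else:
            allowed, reason = True, "knowledge-based check plus out-of-band code"
    AUDIT_LOG.append({"participant": p.participant_id, "action": action, "required": required,
                      "allowed": allowed, "reason": reason, "at": now.isoformat()})
    return allowed, reason

def run_demo() -> dict:
    """Walk a constructed participant through the policy and return each outcome."""
    now = datetime(2021, 6, 1, 9, 0)
    p = Participant("P-0001", "1980-02-14", "94105", "+1-555-0100")   # constructed record
    out = {"inquiry_on_kba": authorize(p, "balance_inquiry", "1980-02-14", "94105", None, now)[0],
           "distribution_no_otp": authorize(p, "distribution", "1980-02-14", "94105", None, now)[0]}
    code = issue_otp(p, now)                                           # "sent" to the registered phone
    out["distribution_with_otp"] = authorize(p, "distribution", "1980-02-14", "94105", code, now)[0]
    out["otp_reuse"] = authorize(p, "distribution", "1980-02-14", "94105", code, now)[0]
    out["unknown_action"] = authorize(p, "wire_out", "1980-02-14", "94105", None, now)[0]
    for _ in range(MAX_KBA_FAILURES):                                  # impostor guessing the postal code
        verify_kba(p, "1980-02-14", "00000", now)
    out["locked_despite_correct_answers"] = verify_kba(p, "1980-02-14", "94105", now)
    out["after_lockout_expires"] = verify_kba(p, "1980-02-14", "94105", now + LOCKOUT)
    return out

if __name__ == "__main__":
    print(run_demo())
```

The design point is that the knowledge-based questions the paragraph mentions are treated as a first gate only: the data they rely on is exactly what a prior breach exposes, so the code lets them authorize nothing that moves money or changes where money or notices go without a second factor tied to a channel the participant registered beforehand. The audit entries give the plan fiduciary something concrete to review when monitoring the provider.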
Plan fiduciaries should monitor whether service providers have such practices in place. This is especially important in the wake of any breach. Indeed, cybersecurity breaches often involve service providers who handle day-to-day administration for retirement plans. For example, after a recent data breach at a UK pensions provider by an “unknown third party” during a three-day period in December 2020, resulting in the personal information of 30,000 customers being posted on the Internet, the company blamed the data breach on one of its service providers. When faced with such a breach, an organization may be inclined to terminate its service provider. While there may be grounds to terminate the relationship (e.g., the provider may have failed to comply with the parties’ contract or applicable law), there may also be compelling reasons to retain the provider (e.g., there is a dependable relationship and the provider’s unique products or services are critical to the organization). Plan sponsors and administrators should consider different factors in making such a consequential decision to determine whether it is in the best interest of the plan and its participants. They should also carefully evaluate and document (and revise as appropriate) their measures and processes in the wake of any breach.
Online Security Tips
Finally, the DOL offered “Online Security Tips” to plan participants to help reduce their own risk of retirement account fraud and loss. Those tips include (1) routinely monitoring their plan accounts; (2) using strong and unique passwords; (3) using multi-factor authentication, if available; (4) keeping personal contact information current; (5) closing or deleting unused accounts; (6) being careful when using free Wi-Fi; (7) being aware of potential phishing attacks; (8) using anti-virus software; and (9) knowing how to report identity theft and cybersecurity incidents.
Although the Online Security Tips are directed toward participants, plan sponsors and fiduciaries should consider providing (and documenting) education on cybersecurity issues to their participants. For instance, they could provide clear guidance in the summary plan description, regularly issue “best practices” notices to participants, and organize educational seminars. Not only is cybersecurity education important to help participants protect their own financial wellbeing, but taking active steps to help participants understand potential cybersecurity and data privacy risks may also reduce the risk of litigation against the plan sponsor and the plan’s fiduciaries and help them defend against future claims.
Additional Considerations
While the DOL’s guidance is instructive, certain key legal issues remain unaddressed. For instance, what is the difference, if any, between a plan administrator’s ERISA § 404 duty to safeguard a participant’s personal information and the “reasonably calculated” furnishing standard in the 2020 final regulations dealing with electronic disclosures? Does ERISA preempt state cybersecurity, data privacy, or consumer protection laws? And what exactly is a plan administrator’s legal obligation to communicate with participants when there has been a breach? Hopefully, these currently unanswered questions will be addressed in the coming years.
* * * *
Cybersecurity is important not only for corporate governance; it has also become an area of critical importance to plan sponsors, plan administrators, and plan participants. Plan sponsors and fiduciaries are well-advised to follow the growing body of litigation involving participants who have suffered retirement plan losses due to cyberattacks, and to (re-)evaluate their cybersecurity programs, protocols, and contracts against the DOL’s recent three-part guidance.