USDOL Offers Guidance on Data Security for Plan Fiduciaries and Service Providers

Moore & Van Allen PLLC
Contact

Moore & Van Allen PLLC

The Employee Benefits Security Administration of the United States Department of Labor (“EBSA”)  recently published guidance regarding cybersecurity best practices for recordkeepers and service providers responsible for plan related information technology systems and data for ERISA-covered plans, including 401k and other pension plans.

The EBSA counseled that a plan’s service providers should implement the following practices:

  1. Have a formal, well documented cybersecurity program.
  2. Conduct prudent annual risk assessments.
  3. Have a reliable annual third-party audit of security controls.
  4. Clearly define and assign information security roles and responsibilities.
  5. Have strong access control procedures.
  6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
  7. Conduct periodic cybersecurity awareness training.
  8. Implement and manage a secure System Development Life Cycle (SDLC) program.
  9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
  10. Encrypt sensitive data, stored and in transit.
  11. Implement strong technical controls in accordance with best security practices.
  12. Appropriately respond to any past cybersecurity incidents.

https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/best-practices.pdf The guidance provides more granular detail on each practice, including background checks for IT personnel, training for employees, access controls such as multi-factor authentication, and annual review and updating of the cybersecurity program with involvement by senior leadership.  

The EBSA also issued “tips” to help plan fiduciaries and business owners make “prudent decisions” in hiring service providers for such plans.  https://www.dol.gov/agencies/ebsa/key-topics/retirement-benefits/cybersecurity The tips will look familiar to data security professionals. They include recommendations for due diligence in reviewing a service provider’s infosec standards, policies, practice and cyber insurance coverage, as well as baking security compliance and confidentiality requirements into vendor contracts. 

Although not legally binding, the guidance could serve as a touchpoint for the EBSA, plaintiffs’ counsel or the courts in determining whether plan fiduciaries met their obligations under applicable law, similar to how the FTC pointed to its own guidance in pursuing Wyndham and LabMD after those companies experienced a data breach. Certainly, it will be more difficult for plan fiduciaries to argue that they met their duty of prudence under ERISA if they ignore the EBSA guidance. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Moore & Van Allen PLLC | Attorney Advertising

Written by:

Moore & Van Allen PLLC
Contact
more
less

Moore & Van Allen PLLC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.