In April, the Department of Labor, specifically the Employee Benefits Security Administration, issued cybersecurity guidance to assist in protecting “the retirement benefits of America’s workers.” This guidance falls neatly in line with pre-existing laws and is intended to help address the traumatic uptick in cybersecurity problems relating to personnel benefits and financial records as well as the Biden administration’s focus on infrastructure and improving US data security. In terms of the need for legal compliance, the DOL points out that ERISA requires that “plan fiduciaries … take appropriate precautions to mitigate … [cybersecurity] risk.”
The DOL guidance does not stray into technical requirements such as you might see from OCR/ONC with HIPAA/HITECH but instead reiterates some of the core principles of basic cybersecurity expectations. The guidance is in three separate sections:
The best practices document echoes several of the things that are already part of any HIPAA or standard cybersecurity compliance programs including a documented cybersecurity program as well as conducting annual risk assessments to determine whether the program is working.
Annual risk assessments have long been an issue in terms of OCR enforcement with the majority of HIPAA cases involving a failure to have security guidelines and regular security assessments in place.
Best practices also focus on the common issues of identifying those who are in charge of cybersecurity as well as employee training. The DOL directs fiduciaries to take action including data mapping to fully understand the assets, information utilized, and how access to systems is acquired as a way to identify and mitigate risk.
The DOL also sets forth a list of 18 policies to formalize in your organization ranging from access controls and identity management to encryption, a full assessment of physical security and environmental controls, and cyber controls. The guidance also strongly suggests an annual third-party audit of security controls to help avoid confirmation bias in your programs. Employee training remains a critical step in any best practice compliance program.
DOL tips for hiring a service provider include asking about contract information security standards, audit results, and appropriate cybersecurity insurance policies that will cover losses. The guidance also offers a clear directive that anyone contracting with third parties requires, “ongoing compliance with cybersecurity and information security standards.” It further instructs companies to avoid contracts that limit third-party liability for cybersecurity breaches.
Given the reference to ERISA in these guidelines and the fact that we have pre-existing regulations pursuant to HIPAA/HITECH, the FCC and FTC, Red-Flag Rules, and individualized state regulations, it is likely that any complaint which is raised regarding a breach of this type will rely on a combination of laws in relation to liability.
Even if you don’t manage ERISA-based benefits, this is one more indication that you need to be cautious about your privacy and security measures. Employers should implement well-thought-out plans and provide industry-appropriate security, whether it is encryption and multi-factor authentication or simply improving your employee training program.