Although the Employee Benefits Security Administration’s guidelines outline fiduciary best practices, there is no comprehensive federal regulatory structure governing cybersecurity for retirement plans.
Furthermore, the Employee Retirement Income Security Act (“ERISA”) does not contain any language that stipulates how to protect plan participants’ electronic data. The lack of any decision by the U.S. courts whether managing cybersecurity risk is a fiduciary function adds to the difficulty in developing a compliance framework. It is clear, however, that retirement plan data is at risk of theft and employers bear accountability for the consequences.
The primary purpose of a data security policy is to provide an appropriate foundation on which a process workflow can be constructed.
The primary purpose of a data security policy (“DSP”) is to provide an appropriate foundation on which a process workflow can be constructed. The goal of the policy and the process workflow is to protect the privacy and security of a retirement plan participants’ PII.
When developing the policy, serious attention needs to be given to the activities of a plan’s third-party vendors. Because human resources executives rely extensively on such vendors to protect PII.
Accordingly, it’s vital to know if they can be trusted with PII. Examining the data security policies of an ERISA plan’s vendors is a critical part of developing the DSP for a plan. The examination process should be well documented and be updated on an annual basis.
From an enterprise risk management perspective there is much at stake. A security breach in a vendor’s data retention system will be deemed a breach in the affected plan’s program. There is no room for the “honor system” in managing the risks imposed by third-party service providers.
Given the importance of PII, plan fiduciaries should take notice of the growing risk to PII security that plan vendors represent. Solutions to PII data security should be well defined in a DSP.
