Data Security Policy is a Fiduciary Imperative

It is reasonable to assume that finance and human resources executives consider protecting their employee benefit plans (“EBP”) participant data a vital duty. Questions remain unanswered, however, about the division of responsibility between employers and their plans’ third-party service providers. The security and confidentiality of EBP data in possession of parties external to employers’ premises and systems have emerged as an intense issue with profound implications.

Emergence of the Data Security Policy Statement

The U.S. Department of Labor (“DOL”) maintains a regulation that requires employers to take appropriate measures that protect the confidentiality of personal information relating to the individual’s accounts and benefits. [For reference, see ERISA Regulation Section 2520.104b-1(c)(1)(i).]

In addition, through its enforcement arm, the Employee Benefits Security Administration (“EBSA”), the DOL issued cybersecurity guidelines in 2021 that stipulate best practices for protecting personally identifiable information (“PII”), for selecting and monitoring vendors, and online security tips for employees who participate in EBPs.

Employers that sponsor EBPs must protect the privacy of plan data and follow practices that ensure unauthorized parties do not gain access to their plans. An EBP-specific data security policy statement (“DSP”) has emerged as a mandatory governance document for defining compliance parameters under the DOL’s de facto cybersecurity regulation.

Considerations for Developing a Data Security Policy

The primary purpose of a DSP is to provide an appropriate foundation for constructing a process workflow. The policy and the process workflow aim to protect the privacy and security of PII.

Examination of a plan’s vendors’ cybersecurity policies and procedures is paramount when developing the policy because human resources executives and plan committees rely extensively on such vendors to protect PII. Accordingly, knowing if PII is safe in their hands is vital.

Documentation of the examination process is essential and needs to be updated yearly. From an enterprise risk management perspective, there is much at stake. A security breach in a vendor’s data retention system will be deemed a breach in the affected plan’s program. There is no room for the “honor system” in managing the risks imposed by an EBP’s service providers.

Principles for Developing and Maintaining a Data Security Policy

While most employers maintain cyber and data security policies at the enterprise level, few have incorporated EBP-specific provisions into those policies. Consequently, many that sponsor EBPs lack defined steps for examining their vendors and are unprepared to respond adequately to an EBSA plan audit or to defend a civil lawsuit from an aggrieved plan participant.

Four fundamental principles overlay a DSP’s development.

  • Choose third-party service providers based on how they protect PII. Examine the results of independent audits of each provider’s information technology systems and cybersecurity practices.
  • Review existing internal data security policies and procedures to ensure they reflect the current threat environment.
  • Examine existing service agreements to confirm that they obligate the plan’s vendors to protect PII, including limitations on cross-selling services to the plan’s participants.
  • Educate and train fiduciaries on an ongoing basis regarding the functionality of the systems on which their EBPs rely, as well as the processes and procedures involved in maintaining, retaining, and protecting PII.

Conclusion

While data security is an issue every accountable C-level executive, fiduciary, and service provider should consider necessary, the DSP must be customized to fit each plan’s particular needs and circumstances. There is no “one-size-fits-all” strategy. If developing a DSP and its attendant assessment program is beyond your organization’s experience or skill set, engage an EBP risk management advisor to help you.