In April 2021, the Employee Benefits Security Administration division of the United States Department of Labor (“DOL”) issued cybersecurity-related guidance intended to assist business owners and plan fiduciaries in prudently selecting and monitoring recordkeepers, including:
- Cybersecurity Program Best Practices (directed to service providers responsible for plan related IT systems and data and plan fiduciaries)
- Tips for Hiring a Service Provider with Strong Cybersecurity Practices (directed to plan fiduciaries), and
- Online Security Tips (directed to participants).
While the guidance does not have the force of regulations, it sets forth DOL’s position that plan fiduciaries have a duty to take precautions to mitigate cybersecurity risks. Since April 2021, DOL investigations of ERISA plan sponsors have included questions regarding the plan sponsor’s cybersecurity oversight of the plan’s vendors and the plan sponsor’s own internal cybersecurity protocols for protecting participants’ confidential information.
The recent decision in Walsh v. Alight Solutions, LLC, 2022 WL 3334450 (7th Cir. 2022), regarding the enforcement of a DOL investigative subpoena, was triggered by alleged cybersecurity breaches involving retirement accounts of ERISA plan participants for which Alight Solutions, LLC (“Alight Solutions”) provides third-party administrative services. Regardless of whether there are actual cybersecurity concerns at Alight Solutions, the DOL’s broad investigation of a third-party administrator (Alight maintained that the subpoena “would require production of virtually every document concerning its ERISA business” and that “thousands of hours of work would be required to respond”) should be a red alert regarding the importance of good monitoring protocols for all plan vendors. Lapses in cybersecurity (or other operational issues) at a third-party administrator may cause the DOL to open investigations of the third-party administrator’s clients. If a client’s monitoring and internal cybersecurity protocols and practices are consistent with the April 2021 guidance, the client is likely to withstand DOL scrutiny.
The Alight decision is a reminder that plan sponsors need to (i) adopt good monitoring protocols for their retirement and health plan vendors, and (ii) conduct an internal audit of all systems used to maintain confidential employee/participant data that is shared with these vendors through electronic transmission. The members of our Employee Benefits Section are happy to assist you with the development or review of your cybersecurity monitoring and internal procedures regarding your employee benefit plans. Please contact Sharon Freilich, George Kasper, or Zachary Zeid.
About Our Labor, Employment and Employee Benefits Law Blog
Alerts, commentary, and insights from the attorneys of Pullman & Comley’s Labor, Employment Law and Employee Benefits practice on such workplace topics as labor and employment law, counseling and training, litigation, union issues, as well as employee benefits and ERISA matters.