ERISA-covered plans have entered the digital world. As the amount of confidential information about plan participants that is stored in multiple information systems, and shared among plan service providers, increases, so, too, do the legal risks. The U.S. Department of Labor (DOL) has now made cybersecurity risk an enforcement priority; the courts have started to wrestle with whether participant data is a “plan asset.” Plan sponsors and service providers should brace themselves.
Just this past February, the U.S. Government Accountability Office (GAO) issued a report that highlighted the practice of, and risks related to, sharing personally identifiable information (PII) (e.g., a participant’s social security number, date of birth and username/password) and “plan asset data” (e.g., retirement account and bank account numbers) within the plan ecosystem. The plan sponsor’s own IT infrastructure may be vulnerable to attack or misuse. Where the plan sponsor outsources plan administrative responsibilities to service providers, such as recordkeepers, third-party administrators and custodians, participant PII and plan asset data could be exploited if the service provider is hacked or lacks appropriate internal controls.
The report specifically noted that cybersecurity risk comes in many different flavors and from many different sources. The risk could, for example, be in the form of malware, ransomware, privilege abuse, data exfiltration and account takeover. The source of the risk could come from criminal syndicates, hackers and even an organization’s own employees.
Thus, the GAO report warned, “[t]he sharing and storing of this information can lead to significant cybersecurity risks for plan sponsors and their service providers, as well as plan participants.” Poor risk controls can lead to the leaking of usernames, passwords and social security numbers, which can lead to unauthorized access to participant accounts and, fatally, the illicit draining of a participant’s retirement savings. The misappropriation of participant PII or plan assets by virtue of a cybersecurity attack may not be expressly addressed in ERISA, but its effect on a participant may indeed result in “the great personal tragedy” Congress sought to prevent in enacting ERISA.1
The GAO ultimately made two recommendations: (1) the DOL should formally state whether cybersecurity for ERISA-covered retirement plans is a plan fiduciary responsibility under ERISA; and (2) the DOL should develop and issue guidance that identifies minimum expectations for mitigating cybersecurity risks to plans and the relevant service providers.
A mere two months later, the DOL issued a series of cybersecurity tips and best practices for plan sponsors, service providers and participants. Specifically:
- Tips for Hiring a Service Provider, to “[h]elp plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.”
- Cybersecurity Program Best Practices, to “[a]ssist plan fiduciaries and recordkeepers in their responsibilities to manage cybersecurity risks.”
- Online Security Tips, to “[o]ffer plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.”
Useful as the tips and practices may be, the big reveal is that the DOL indicated that ERISA’s duty of prudence encompasses “an obligation to ensure proper mitigation of cybersecurity risks.” This means that a responsible plan fiduciary, when determining whether to hire and retain a service provider, should consider the service provider’s cybersecurity risk controls, and should document such consideration as part of its overall evaluation of the service provider.
The upshot of the DOL’s April 2021 cybersecurity tips and best practices is that it puts employers on notice both that the DOL takes this seriously and that plaintiffs could attempt to use this new guidance as a basis for fiduciary duty breach claims. Moreover, service providers can expect detailed questions on cybersecurity in RFPs and RFIs. Plan sponsors will seek more transparency, whereas service providers may be reluctant to divulge too much about their cybersecurity defenses, to guard against inadvertently offering up the keys to the castle. The balance between the two will become market practice.
The DOL is ramping up enforcement in this area. Plan sponsors should also gird for class-action lawsuits with allegations of breaches of ERISA’s duty of prudence when participant PII or plan asset data is misused. For these reasons, employers and plan service providers should carefully consider the DOL guidance.
A related string of litigation also poses a risk to plan sponsors and service providers. These suits argue that participant PII and plan asset data constitute “plan assets,” and that using such data for marketing purposes amounts to a breach of fiduciary duties. Some of these suits have targeted both the plan’s sponsor and recordkeeper. So far, the courts have rejected these claims.
In one case,2 plaintiffs brought an action against the plan sponsor and recordkeeper alleging that participant data (e.g., names, contact info, investment history, etc.) constituted “plan assets,” and, therefore, the recordkeeper’s purported sharing of this information with affiliates to cross-sell non-plan retail financial products to participants amounted to violations of ERISA. In granting the recordkeeper’s motion to dismiss, the court ruled that “participant data does not meet the statutory definition of ‘plan assets’….”
In a similar case,3 plaintiffs brought suit against the plan administrator alleging, inter alia, breach of fiduciary duty over the plan recordkeeper’s access to participant information (e.g., investment choice, account size, etc.) and use of that data to market products to the participants. In granting the motion to dismiss, the court stated, “[p]laintiffs cite no case in which a court has held that such information is a plan asset for purposes of ERISA….[t]his Court does not intend to be the first.” Moreover, the court rejected the argument that “releasing confidential information or allowing someone to use confidential information constitutes a breach of fiduciary duty under ERISA.”
Cybersecurity is quickly becoming an important risk area for ERISA plan sponsors. Protection of participant PII and plan asset data against privilege abuse, account takeovers and other vulnerabilities affecting a participant’s information and account raises the specter of DOL enforcement action and litigation. Service providers should anticipate a greater focus on their cybersecurity measures by plan sponsors and expect that such measures could be an important basis for being hired and retained as a plan service provider. Both employers and plan service providers should also consider whether they are complying with other applicable privacy laws (to the extent such laws are not preempted by ERISA).
1 Nachman Corp. v. PBGC, 446 U.S. 359, 374, 100 S. Ct. 1723, 1733, 64 L. Ed. 2d 354, 366 (1980).
2 Harmon v. Shell Oil Co., No. 3:20-cv-00021, 2021 BL 126207 (S.D. Tex. Mar. 30, 2021).
3 Divane v. Northwestern Univ., No. 16 C 8157, 2018 BL 186065 (N.D. Ill. May 25, 2018), aff’d, 953 F.3d 980 (7th Cir. 2020).
Legislation is afoot that would amend ERISA to expressly permit fiduciaries to account for environmental, social and governance (ESG) factors as part of their fiduciary duties. The proposed legislation, the Financial Factors in Selecting Retirement Plan Investments Act, was introduced by Senator Tina Smith (D-MN). It expressly permits, but does not compel, fiduciaries to “consider” ESG and similar factors when selecting investments or strategies on behalf of an ERISA-covered retirement plan. The legislation also permits fiduciaries to consider “collateral” factors “as tie-breakers when competing investments can reasonably be expected to serve the plan’s economic interest equally well with respect to expected return and risk over the appropriate time horizon.” Under either scenario, the fiduciary need not “maintain any greater documentation, substantiation, or other justification” when considering the ESG or similar factors. Notably, the bill provides that an investment selected based on ESG or similar factors (including such factors used as a tie-breaker) may be a permissible default investment option (a “qualified default investment alternative” (QDIA)) for a plan that uses a default investment option as part of its menu. Lastly, the US Department of Labor’s (DOL) 2020 Financial Factors rule would cease to have force or effect upon the enactment of the legislation.
Meanwhile, President Joe Biden just issued an Executive Order on Climate-Related Financial Risk, in which he directed the DOL to consider proposing by September 2021 a rule that would suspend, revise or rescind the Financial Factors and proxy voting rules promulgated under the Trump Administration. The Executive Order further directed the DOL to consider taking any other action under ERISA “to protect the life savings and pensions of United States workers and families from the threats of climate-related financial risk.”
Should the legislation pass, it could provide fiduciaries limited additional comfort that the incorporation of ESG factors in their investment decision-making complies with ERISA’s fiduciary duties. The trend is toward incorporating ESG factors into an investment process for their effect on investment performance, and existing guidance, including the Financial Factors rule, should already provide fiduciaries enough of a roadmap to do so in accordance with ERISA. The legislation also seeks to dial back the documentation requirements of the Financial Factors rule, which may indeed ease some of the angst over foot faults and the resulting liability exposure. Though the DOL removed all references to “ESG” in the final Financial Factors rule, some argued the rule’s aggressive proposal, coupled with the Trump Administration’s overall stance on climate change, was designed to curb ERISA fiduciaries’ appetite for ESG. Yet, carefully documenting important decisions is already a well-established requirement and technique used by fiduciaries to mitigate their fiduciary duty risk.
It is a big deal that, with a rescission of the Financial Factors rule, fiduciaries would seemingly no longer have to comb through a fund’s prospectus and marketing materials for references to non-pecuniary factors, nor would the fiduciary need to scrutinize a fund manager’s use of screens or ratings. These requirements obviously present legal risk to a fiduciary and, therefore, may deter some fiduciaries from considering ESG products. But they also may serve as useful guideposts for fiduciaries trying to avoid selecting a greenwashed fund. An unintended consequence of the legislation could be that stripping out specific actions a fiduciary must take to navigate the intricate ESG landscape perhaps deters more plan sponsors from adding ESG to their plans than if the guideposts (and associated legal risks) remained.
It is also a big deal that the proposed legislation would allow a fund, which incorporates ESG factors for non-investment performance reasons, to serve as QDIA. The Financial Factors rule outright prohibited such a result. This change will likely give some plan sponsors comfort in selecting an ESG-themed QDIA that does not base ESG decisions on risk and return criteria, for example. However, the zealous litigation routinely brought against defined contribution plan sponsors over the selection of investment options has largely resulted in playing it safe. Plan sponsors know they will be second-guessed. This change, therefore, is unlikely to dramatically increase the adoption of ESG by ERISA plans, which continue to lag other institutional investors on that score.
The Executive Order is worth watching. The DOL may opt to impose affirmative obligations on fiduciaries to mitigate climate change risk to the plan. The imposition of any such obligation will likely be litigated.
In sum, ESG is and will remain entirely relevant to ERISA fiduciaries. Under ERISA and existing guidance, fiduciaries may take ESG factors into account when investing plan assets or selecting investment options for a plan lineup. With ESG top of mind for the current Congress and White House, ERISA fiduciaries should continue to evaluate whether taking ESG into account is prudent under the circumstances.
As we await even more fiduciary-related rules and guidance from the U.S. Department of Labor (DOL) over the coming months, we take stock of some lower-profile spring updates worth noting. We begin with the DOL’s recent cybersecurity guidance, the first of its kind, as cybersecurity becomes an increasingly important issue for plan sponsors and service providers. We conclude with some new DOL guidance related to locating missing plan participants.
On April 14, the DOL released a batch of guidance that attempts to clarify best practices for maintaining cybersecurity. The first piece of guidance, aimed at plan sponsors and other fiduciaries, offers tips for hiring third-party service providers and ensuring they maintain strong cybersecurity practices. The second offers cybersecurity best practices for plan recordkeepers and plan fiduciaries. A final release offered tips for plan participants who access their account information online, but it will not be discussed here. This is the first cybersecurity guidance provided by the DOL.
The following tips offered by the DOL are designed to help fiduciaries meet their obligations under ERISA in prudently selecting and monitoring service providers:
- Ask about the service provider’s information security standards, practices, policies, and audit results and compare them to industry standards.
- Ask the service provider how it validates its practices and what levels of security standards it has met and implemented. Consider looking at contract provisions that confer rights to review audit results demonstrating compliance with the standards.
- Evaluate the track record of the service provider, including litigation brought against the service provider.
- Ask if the service provider has experienced security breaches and, if so, what happened, how the provider responded, and how it was resolved.
- Inquire if the service provider has insurance that would cover losses caused by cybersecurity and identity theft breaches.
- Include ongoing compliance with cybersecurity and information security standards as a part of the service provider’s contractual commitments. If possible, include terms that will enhance these protections, such as:
a. Require the service provider to obtain an annual audit from a third party to evaluate the service provider’s compliance with information security policies and procedures.
b. Clearly state the service provider’s obligations and restrictions on the use and sharing of information.
c. Require notification of any cybersecurity breaches.
d. Require compliance with all federal, state and local laws, regulations, directives and requirements related to record retention, destruction, privacy, and security.
e. Require insurance to cover cybersecurity-related losses. This may include professional liability, errors and omissions liability, cyber liability, and/or privacy breach insurance.
In the second batch of guidance, the DOL offered best practices for plan recordkeepers and other service providers responsible for plan-related data. The list also includes the best practices for a plan fiduciary hiring one of these service providers. These best practices include:
- Have a formal, well-documented cybersecurity program. DOL highlighted 18 specific areas an effective policy would cover, including data governance and classification, access controls and identity management, business continuity and disaster recovery, configuration management, asset management, and risk assessment.
- Conduct prudent annual risk assessments. The scope, methodology, and frequency of assessments should be codified.
- Have a reliable annual third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities. This includes clearly defining the roles of upper management, especially the Chief Information Security Officer (CISO).
- Have strong access control procedures which cover both authentication and authorization.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Perform cybersecurity awareness training at least annually.
- Implement and manage a secure system development life cycle (SDLC) program.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents. This would include notifying law enforcement, informing insurers, investigations, providing plan participants with information to assist in preventing or reducing their loss, honoring contractual terms, such as notification requirements, and fixing the problems which caused the breach.
Earlier this year, the DOL provided a set of best practices for fiduciaries of defined benefit and defined contribution plans to locate missing participants and beneficiaries. Some “red flags” that a plan’s current approach may be insufficient for locating a missing or non-responsive participant include: a large number of missing or non-responsive participants; missing, incomplete or inaccurate contact and other pertinent information (email, social security numbers, addresses, etc.); and the absence of adequate policies and procedures for handling returned mail marked “return to sender,” “wrong address” and the like.
The DOL’s list of best practices (copied below) consists of those that “have proven effective at minimizing and mitigating the problem of missing or non-responsive participants.” These practices are non-exhaustive, and some may be more appropriate for a particular plan than others. Ultimately, “[r]esponsible plan fiduciaries should consider what practices will yield the best results in a cost-effective manner for their plan’s particular participant population.”
1. Maintaining accurate census information for the plan’s participant population
- Contacting participants, both current and retired, and beneficiaries on a periodic basis to confirm or update their contact information. Relevant contact information could include home and business addresses, telephone numbers (including cell phone numbers), social media contact information, and next of kin/emergency contact information. Well-run plans regularly reconfirm that the information in their possession is accurate.
- Including contact information change requests in plan communications along with a reminder to advise the plan of any changes in contact information.
- Flagging undeliverable mail/email and uncashed checks for follow-up.
- Maintaining and monitoring an online platform for the plan that participants can use to update contact information for themselves and their spouses/beneficiaries, if any, and incorporating such updates into the plan’s census information.
- Providing prompts for participants and beneficiaries to confirm contact information upon login to online platforms.
- Regularly requesting updates to contact information for beneficiaries, if any.
- Regularly auditing census information and correcting data errors.
- In the case of a change in record keepers or a business merger or acquisition by the plan sponsor, addressing the transfer of appropriate plan information (including participant and beneficiary contact information) and relevant employment records (e.g., next of kin information and emergency contacts). [DOL] has found that in the context of an acquisition, merger, or divestiture, well-run plans make missing participant searches of plan, related plan (e.g., health plan) and employer records (e.g., payroll records) part of the collection and transfer of records.
2. Implementing effective communication strategies
- Using plain language and offering non-English language assistance when and where appropriate.
- Stating upfront and prominently what the communication is about – e.g., eligibility to start payment of pension benefits, a request for updated contact information, etc.
- Encouraging contact through plan/plan sponsor websites and toll-free numbers.
- Building steps into the employer and plan onboarding and enrollment processes for new employees, and exit processes for separating or retiring employees, to confirm or update contact information, confirm information needed to determine when benefits are due and to correctly calculate the amount of benefits owed, and advise employees of the importance of ensuring that the plan has accurate contact information at all times.
- Communicating information about how the plan can help eligible employees consolidate accounts from prior employer plans or rollover IRAs.
- Clearly marking envelopes and correspondence with the original plan or sponsor name for participants who separated before the plan or sponsor name changed, for example, during a corporate merger, and indicating that the communication relates to pension benefit rights.
3. Missing participant searches
- Checking related plan and employer records for participant, beneficiary and next of kin/emergency contact information. While the plan may not possess current contact information, it is possible that the employer’s payroll records or the records maintained by another of the employer’s plans, such as a group health plan, may have more up-to-date information. If there are privacy concerns, the person engaged in the search can request that the employer or other plan fiduciary forward a letter from the plan to the missing participant or beneficiary.
- Checking with designated plan beneficiaries (e.g., spouse, children) and the employee’s emergency contacts (in the employer’s records) for updated contact information; if there are privacy concerns, asking the designated beneficiary or emergency contact to forward a letter to the missing participant or beneficiary.
- Using free online search engines, public record databases (such as those for licenses, mortgages and real estate taxes), obituaries, and social media to locate individuals.
- Using a commercial locator service, a credit-reporting agency, or a proprietary internet search tool to locate individuals.
- Attempting contact via United States Postal Service (USPS) certified mail, or private delivery service with similar tracking features if less expensive than USPS certified mail, to the last known mailing address.
- Attempting contact via other available means such as email addresses, telephone and text numbers, and social media.
- If participants are non-responsive over a period of time, using death searches (e.g., Social Security Death Index) as a check and, to the extent such search confirms a participant’s death, redirecting communications to beneficiaries.
- Reaching out to the colleagues of missing participants by, for example, contacting employees who worked in the same office (e.g., a small employer with one or two locations) or by publishing a list of “missing” participants on the company’s intranet, in email notices to existing employees, or in communications with other retirees who are already receiving benefits. Similarly, for unionized employees, some have reached out to the union’s local offices and through union member communications to find missing retirees.
- Registering missing participants on public and private pension registries with privacy and cybersecurity protections (e.g., National Registry of Unclaimed Retirement Benefits), and publicizing the registry through emails, newsletters, and other communications to existing employees, union members, and retirees.
- Searching regularly using some or all of the above steps.
4. Documenting procedures and actions
- Reducing the plan’s policies and procedures to writing to ensure they are clear and result in consistent practices.
- Documenting key decisions and the steps and actions taken to implement the policies.
- For plans that use third party record keepers to maintain plan records and handle participant communications, ensuring the record keeper is performing agreed-upon services, and working with the record keeper to identify and correct shortcomings in the plan’s recordkeeping and communication practices, including establishing procedures for obtaining relevant information held by the employer.
Just yesterday, the U.S. Department of Labor (“DOL”) released a set of Frequently Asked Questions (“FAQs”) designed to clarify certain aspects of Prohibited Transaction Exemption 2020-02, Improving Investment Advice for Workers & Retirees (PTE 2020-02). The exemption enables investment advice fiduciaries to ERISA plans and IRAs to receive a wide range of compensation (e.g., commissions, 12b-1 fees, revenue sharing, etc.) as a result of the advice without running afoul of the applicable prohibited transaction rules. As described by the DOL, “[t]he exemption offers a compliance option to investment advisers, broker-dealers, banks, and insurance companies (financial institutions) and their employees, agents, and representatives (investment professionals) that is broader and more flexible than pre-existing prohibited transaction exemptions.” We summarize some of the key takeaways from the FAQs below:
- PTE 2020-02 is in effect (February 16, 2021). There was some confusion over this due to a memorandum from Ronald Klain, Chief of Staff to the President, regarding a regulatory freeze. The (new) DOL, however, was pleased enough with PTE 2020-02, a Trump-era rulemaking, that it waved it through. The transition period for parties to devise mechanisms to comply with the provisions in the exemption remains in place until December 20, 2021.
- The DOL hinted at further sub-regulatory guidance and/or returning to the fiduciary investment advice regulation. No promises were made or timetables offered.
- The DOL reiterated that a “single, discrete instance of advice to roll over assets from an employee benefit plan to an IRA” would generally not give rise to investment advice under ERISA. But, such communication could constitute investment advice if it were part of an ongoing relationship or the beginning of an intended future ongoing relationship that an individual has with the investment advice provider.
- The DOL reminded the industry that boilerplate, fine print disclaimers that investment advice is not being provided generally won’t cut it. This echoes sentiment the DOL expressed in 2020. However, “[w]ritten statements disclaiming a ‘mutual’ understanding or forbidding reliance on the advice as ‘a primary basis for investment decisions’ may be considered in determining whether a mutual understanding exists, but such statements will not be determinative.” Ultimately, whether there is a “mutual” understanding that investment advice is being provided is based on the totality of the facts and circumstances.
- The DOL reiterated that PTE 2020-02 provides relief for rollover recommendations that result in a prohibited transaction, so long as the exemption’s conditions are satisfied.
- Investment professionals and financial institutions can provide investment advice, despite having a financial interest in the transaction, as long as the advice meets the best interest standard. Under this standard, the advice must be based on the interests of the customer, rather than the competing financial interest of the investment professional or financial institution. Investment professionals may receive payments for their advice within this framework.
- Prior to engaging in a transaction under the exemption, a financial institution must give the retirement investor a written description of its material conflicts of interest arising out of the services and any investment recommendation. The disclosure should allow a reasonable person to assess the scope and severity of the financial institution’s and investment professional’s conflicts of interest. The DOL cautioned that the disclosure should be more than simply having the retirement investor “check the box” to confirm that they know of the conflicts.
- Financial institutions and their investment professionals need to consider and document their analysis of why a rollover recommendation is in a retirement investor’s best interest. For recommendations to roll over assets from an employee benefit plan to an IRA, the DOL listed the following “relevant” non-exhaustive factors to consider: (1) the alternatives to a rollover, including leaving the money in the investor’s employer’s plan, if permitted; (2) the fees and expenses associated with both the plan and the IRA; (3) whether the employer pays for some or all of the plan’s administrative expenses; and (4) the different levels of services and investments available under the plan and the IRA. The DOL also elaborated on what other factors would be part of a prudent analysis.
- The DOL reminded financial institutions that they “must take special care in developing and monitoring compensation systems to ensure that their investment professionals satisfy the fundamental obligation to provide advice that is in the retirement investor’s best interest.” With carefully considered compensation structures, financial institutions can avoid structures that a reasonable person would view as creating incentives for investment professionals to place their interests ahead of the interest of the retirement investor. Thus, quotas, bonuses, prizes and performance standards are likely out. On the flip side, a financial institution could provide level compensation for recommendations to invest in assets that fall within reasonably defined investment categories (e.g., mutual funds), and provide heightened supervision as between investment categories (e.g., between mutual funds and fixed annuities), to the extent that it is not possible for the institution to eliminate conflicts of interest between these categories. The DOL also reminded financial institutions that the exemption requires they address and mitigate firm-wide conflicts.
- Unlike the 2016 rulemaking, PTE 2020-02 does not impose contract or warranty requirements on the financial institutions or investment professionals responsible for compliance. Nor does the exemption expand investors’ ability to enforce their rights in court or create any new legal claims beyond those in Title I of ERISA and the Code.
Financial institutions seeking additional information about their obligations under PTE 2020-02 may consider our initial analysis on PTE 2020-02 and its related rulemaking.