While plan fiduciaries have always been responsible for protecting the data used to administer a retirement plan, today’s environment of frequent data breaches and the associated bad publicity make security even more critical. Plan sponsors need to understand not only the processes and safeguards in place at their vendors and other third parties that may involve employee data—pension plan data, defined contribution plan data, and/or health and welfare plan data—but also their internal company controls.
Health plans have long had definitive guidance regarding the obligation to protect individually identifiable health information under the Health Insurance Portability and Accountability Act (HIPAA), but no explicit data security guidance addressed specifically to retirement plans has ever been issued. Nonetheless, there has been an uptick in cybersecurity-related activity associated with Department of Labor audits, and we expect that this activity will only increase in the future.
From the fiduciary perspective, it is important that plan sponsors examine their plans’ data security safeguards. At the risk of stating the obvious, it is not acceptable for plan fiduciaries to simply rely on unverified statements made by their recordkeepers or third-party vendors (including payroll vendors) that participant data is secure. Rather, plan fiduciaries should be proactive in reviewing the data security safeguards in place—both within the plan sponsor organization and within third parties that have access to or control of the data.
This review should entail, among other things, conducting an assessment and gap analysis of existing data security safeguards, and testing those safeguards and related controls to ensure that they are operating appropriately. The outcome of this assessment should also entail a proactive plan for addressing any identified deficiencies in controls and a process for addressing any real or potential breaches involving participant data.
In our view, plan fiduciaries need to establish a fiduciary process to evaluate existing data security safeguards that may apply to retirement plan data—data that is compiled for both defined benefit and defined contribution plans.
As part of this fiduciary process, we suggest that plan fiduciaries consider the following steps:
- Inventory. At the outset, it is important for plan fiduciaries to understand who has access to participants’ plan data and how such data is viewed, transmitted, or otherwise stored or retained—both within the employer’s HR and benefits organization, as well as with third parties (e.g., plan recordkeepers).
- Gap assessment. Following the inventory, it is critical that plan fiduciaries conduct a gap assessment. This assessment should involve assessing existing safeguards—administrative, physical, and technical. In conducting the gap assessment, plan fiduciaries should be careful not to simply respond by saying that data security is handled by their IT department or that they rely on vendor agreements or statements made by third-party vendors. Just as it is insufficient for fiduciaries to assume that plan assets are invested prudently, they should not simply assume that their plan data is adequately protected.
- Evaluation of findings and existing controls. While plan sponsors may have significant safeguards in place to protect their financial and customer data, plan fiduciaries should confirm that those safeguards are appropriate with respect to plan data.
- Documentation of process and steps taken. Following completion of the review, plan fiduciaries should document the process they followed to demonstrate their prudence in monitoring data security safeguards. This review should entail identifying the need for any updates to existing safeguards, and should include an audit of recordkeeping contracts to confirm frequency of data security reviews and possible responses to data breaches or attempted breaches involving participant data.
ERISA plan fiduciaries have a special role when it comes to protecting plan-related data and must act in the best interests of plan participants. That means independently assessing whether plan data is adequately protected and not relying solely on the representations of the employer’s IT department or third-party recordkeepers. While the scope of a data security assessment and gap analysis may be scaled to the particular plan, it is critical for plan fiduciaries to establish a written record documenting the examination of their data security safeguards and the provision of appropriate data security training to those who may have access to participant data. The object of the data security fiduciary review is to permit fiduciaries to develop the necessary record to support the prudence of existing safeguards and mitigate the risk of a data breach involving participant records.
Aon has a comprehensive data security team that can assist with the review and testing of data security safeguards that apply (or should apply) to employee benefit plans. We would be pleased to discuss how plan sponsors and fiduciaries should move forward to examine such safeguards in an effort to mitigate improper or unauthorized disclosures and ultimately establish a record of prudent plan administration.