Summary
The U.S. Department of Labor (DOL) updated its 2021 cybersecurity guidance to clarify that it applies to all employee benefit plans. The DOL guidance confirms that plan fiduciaries, including health and welfare plan fiduciaries, have an obligation to evaluate the cybersecurity procedures of plan record-keepers and other service providers.
The Bottom Line
While the updates to the DOL’s cybersecurity guidance were limited, they suggest that the DOL views cybersecurity as a top priority, making it more likely that the DOL will target data privacy and security issues when auditing and investigating health and welfare plans, as it already has with retirement plans.
Attorneys in Ballard Spahr’s Employee Benefits and Executive Compensation Group and Privacy and Data Security Group can help employers, plan fiduciaries, and plan service providers navigate the DOL’s cybersecurity guidance.
In 2021, the U.S. Department of Labor (DOL) issued cybersecurity guidance to advise plan sponsors, fiduciaries, service providers, and participants on ways to safeguard plan data, personal information, and plan assets. Since then, DOL investigators have included cybersecurity-related questions and investigations in their audits of Employee Retirement Income Security Act of 1974 (ERISA) plans. However, because the guidance is aimed mostly at retirement plans, it left the impression that its terms did not extend to health and welfare plans. In response to this confusion, the DOL recently published Compliance Assistance Release No. 2024-01, which clarifies that the 2021 guidance applies to all employee benefit plans, including health and welfare plans.
As a reminder, the 2021 guidance consists of three parts:
- Tips for Hiring Service Providers. This provides practical guidance to plan sponsors and fiduciaries who are selecting and negotiating contractual terms with plan service providers.
- Cybersecurity Program Best Practices. This guidance confirms that responsible plan fiduciaries have an obligation under ERISA to ensure the proper mitigation of cybersecurity risks. It identifies best practices for service providers responsible for plan-related IT systems and data. Such best practices track the National Institute of Standards and Technology (NIST) cybersecurity framework as well as FTC and other regulatory guidance and guide plan fiduciaries in making prudent decisions regarding the hiring and retention of plan service providers.
- Online Security Tips. This guidance is directed to plan participants, and consists of best practices to help ensure the security of participants’ online data.
Please refer to our 2021 Client Alert for additional details regarding the DOL’s 2021 cybersecurity guidance.