Protecting Your Retirement from Data Thieves

Scholar offers a proactive approach to regulating ERISA fiduciary responsibilities.

Data thieves are relentless. In 2016, they generated more than 350 million new variations of data theft software programs. These criminals often seek private medical data to steal identities, commit insurance fraud, or obtain prescription drugs for resale on the black market.

Managers of retirement plans are prime targets for hackers because they retain highly sensitive participant data for millions of Americans, including medical records and social security numbers. In his article, Gregg Moran, an attorney who specializes in employee benefits and data privacy, argues that the U.S. Department of Labor should regulate fiduciaries’ data security practices to protect plan participant records. He recommends this regulation because the consequences resulting from data theft can be dire.

The federal Employee Retirement Income Security Act (ERISA) sets standards that protect retirement savings from mismanagement and abuse and require the provision of plan information to participants. Although the Labor Department has rulemaking authority to prescribe regulations it deems “necessary or appropriate” to enforce ERISA, it currently does not regulate fiduciary data security practices.

Moran proposes a regulation that would require fiduciaries to adopt certain policies and procedures, such as implementing up-to-date practices to vet new service providers and monitoring existing service providers, while giving them discretion to shape their own security measures.

The Labor Department should outline general practices and procedures for the implementation of data security practices by fiduciaries, Moran says. These standards would be precise enough to curtail risky business practices, but broad enough to both withstand technological advances as businesses evolve and allow finetuning to meet fiduciary needs. He also emphasizes that fiduciaries must have discretion to reject certain policies, even when Labor Department regulators have suggested them. He aims to avoid creating unnecessary cost barriers that could prevent plan implementation or stifle innovation.

Moran also recommends that the Labor Department require fiduciaries to keep detailed records verifying that they have made an honest effort to create data security policies protecting participant data. He stresses, however, that to control costs, one set of records should be maintained per plan, even if multiple fiduciaries have been assigned to that plan. The regulation should also require fiduciaries to inspect the data security practices of third-party service providers to ensure that they perform their duties with care.

Labor Department action is critical because state governments are preempted from regulating the data security of employee benefit plans, and market incentives alone do not influence businesses to protect their data, according to Moran. He reasons that, because businesses are best positioned to prevent data breaches, the companies—and not their customers—should bear the costs of those breaches. Moreover, Moran explains that legal remedies are often insufficient for data breach victims, especially those victims who fail to demonstrate concrete injuries suffered from a breach.

As an alternative to setting proactive regulations, the Labor Department could take a reactive approach by enforcing fiduciary duties through post-breach lawsuits. But Moran says that it would be better for the Department to focus on preventing the breaches in the first place due to the sheer size of the problem.

Data breaches exposed 5 billion private records in 2018. Even federal agencies such as the State Department, the Internal Revenue Service, and the National Security Agency have suffered data breaches. On average, one data breach costs a company $3.62 million. Not only would proactive measures benefit plan members, it would also save companies the costs associated with hiring outside forensic experts to analyze the breach, reputational harm, and customer loss.

Moran also describes how data breach victims are usually unable to quantify the damages resulting from data breaches. He realizes that the Labor Department’s inability to impose monetary or criminal penalties limits its enforcement power over fiduciaries with poor data security practices. Thus, his proposed regulation would address the Labor Department’s limited enforcement power by helping to prevent data breaches in the first place.

Moran notes that the Labor Department is in a unique position to benefit from other agencies’ experience in regulating data and existing federal laws relating to data security. For example, the Department of Health and Human Services administers data security practices relating to health plans and providers through Health Insurance Portability and Accountability Act regulations. In addition, the Gramm-Leach-Bliley Act requires financial institutions to explain how they share and protect their customers’ private information.

Moran argues that the type of regulation he proposes would promote improved data security practices and reduce the risk of data breaches without imposing too high of a burden on the affected fiduciaries.