
Managing Cybersecurity for Employee Benefit Plans

Employee benefit plans are awash in sensitive employee data.  They maintain troves of personally identifiable information (PII), including Social Security numbers, addresses, dates of birth, account balances, beneficiaries and bank account data.  In addition, pension plan administrators maintain systems that allow employees to initiate transactions online, such as obtaining loans or making account withdrawals.  A cybersecurity breach within a benefit plan could expose employees’ identities, personal information or even plan assets to theft by malicious actors.

Despite the obvious and growing cybersecurity risks, the legal landscape regarding the cybersecurity obligations of plan administrators and plan sponsors is still unformed.  No court has yet opined that managing cybersecurity risk constitutes part of a plan administrator’s “fiduciary duty,” nor has any federal court determined whether state privacy and data breach laws are preempted by the Employee Retirement Income Security Act (ERISA), the federal law that regulates employee benefit plans.

But without doubt the day of reckoning for plan sponsors, plan administrators and service providers on cybersecurity is coming.  In 2016, the ERISA Advisory Council to the U.S. Department of Labor held hearings and provided a report to the DOL on cybersecurity considerations as they relate to pension and welfare benefit plans.  At its request, the Council’s report was made public on the DOL’s website in 2017.  The Council went further in late 2018 by asking the DOL to require pension plan sponsors to be familiar with cybersecurity protocols and to adopt a cybersecurity process.

In view of the potential threats to benefit plan data and assets, each plan administrator and plan sponsor should start the process now of devising a strategy for managing cybersecurity risks.  One size will not fit all.  The scope and cost of that strategy should be developed consistent with the size and sophistication of the plan and the plan sponsor.  Vendors who handle sensitive employee information should be asked to report on their systems for protecting personally identifiable information from cybersecurity threats.  Wherever possible, vendor contracts should spell out responsibility for managing cybersecurity.

A proactive approach to cybersecurity is warranted now.  In that way, your plan and its fiduciaries may be able to avoid an adverse court ruling down the road that the plan should have done more to safeguard plan data and assets from cyber villains.

If you have any questions about this, please contact us.
Offit Kurman is one of the fastest-growing, full-service law firms in the mid-Atlantic region. With over 185 attorneys offering a comprehensive range of services in virtually every legal category, the firm is well positioned to meet the needs of dynamic businesses and the people who own and operate them. Our twelve offices serve individual and corporate clients along the I95 corridor in the Virginia, Washington, DC, Maryland, Delaware, Pennsylvania, New Jersey, and New York City regions. At Offit Kurman, we are our clients’ most trusted legal advisors, professionals who help maximize and protect business value and personal wealth. In every interaction, we consistently maintain our clients’ confidence by remaining focused on furthering their objectives and achieving their goals in an efficient manner. Trust, knowledge, confidence—in a partner, that’s perfect.