  • Cybersecurity and ERISA Retirement Plans:

    Risks and Best Practices For Plan Sponsors

    and Fiduciaries

    Today’s faculty features:

    1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

    The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.

    WEDNESDAY, JANUARY 13, 2021

    Presenting a live 90-minute webinar with interactive Q&A

    Mark E. Bokert, Partner/Co-Chair, Davis & Gilbert, New York

    Michelle Capezza, Member, Epstein Becker & Green, New York

    Robert R. Gower, Director, Trucker Huss, San Francisco

  • Tips for Optimal Quality

    Sound Quality

    If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.

    If the sound quality is not satisfactory, you may listen via the phone: dial 1-877-447-0294 and enter your Conference ID and PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem.

    If you dialed in and have any difficulties during the call, press *0 for assistance.

    Viewing Quality

    To maximize your screen, press the ‘Full Screen’ symbol located on the bottom right of the slides. To exit full screen, press the Esc button.

    FOR LIVE EVENT ONLY

  • Continuing Education Credits

    In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar.

    A link to the Attendance Affirmation/Evaluation will be in the thank you email that you will receive immediately following the program.

    For additional information about continuing education, call us at 1-800-926-7926 ext. 2.

    FOR LIVE EVENT ONLY

  • Program Materials

    If you have not printed the conference materials for this program, please complete the following steps:

    • Click on the link to the PDF of the slides for today’s program, which is located to the right of the slides, just above the Q&A box.

    • The PDF will open a separate tab/window. Print the slides by clicking on the printer icon.

    FOR LIVE EVENT ONLY

  • © 2020 Epstein Becker & Green, P.C. | All Rights Reserved. ebglaw.com

    Cybersecurity and ERISA Retirement Plans: Risks and Best Practices for Plan Sponsors and Fiduciaries

    Michelle Capezza

    January 13, 2021

  • Presented by


    Michelle Capezza

    Member of the Firm, Epstein Becker & Green | [email protected]

  • AGENDA

    In Today’s Program, our team of panelists will address the following issues in our respective segments:

    ▪ Segment I: The framework of ERISA fiduciary responsibility considerations and cybersecurity

    ▪ Segment II: Trends, recent events and developments increasing vulnerabilities, risks and scrutiny on these issues

    ▪ Segment III: Emerging ERISA litigation in this area

    ▪ Segment IV: Best practices for plan sponsors and fiduciaries to address and manage these issues

  • Segment I: Understanding ERISA Fiduciary Responsibilities and Cybersecurity/Potential Claims

    ▪ Who are the ERISA plan fiduciaries?

    ▪ What are the fiduciary responsibilities under ERISA?

    ▪ Who can bring fiduciary breach claims under ERISA?

    ▪ Are there potential fiduciary breach claims related to participant data privacy and security in retirement plans?

    ▪ What is the current landscape of laws that affect data privacy and security?

    Let’s review the current framework and discuss cybersecurity….

  • ERISA Plan Fiduciaries

    ▪ Fiduciaries include individuals or entities who:

    • Exercise any discretionary authority or control over the management of the plan or management or disposition of plan assets

    • Render investment advice to the plan for a fee

    • Have discretionary authority or responsibility in plan administration

    • Fiduciaries are “named” in the plan documents and other individuals can be fiduciaries based on their functions

    • Fiduciaries include:

    o Plan Sponsor

    o Plan Administrator

    o Plan Benefits Committee Members

    o Plan Trustee

    o Plan Investment Advisers

    o Individuals exercising discretion in the administration of the Plan

  • ERISA Plan Fiduciary Responsibilities

    ▪ Fiduciary responsibilities include:

    • Acting solely in the interest of plan participants and beneficiaries with the exclusive purpose of providing benefits to them (duty of undivided loyalty)

    o E.g., ensure timely remittance of employee contributions, maintain plan records, claims procedures, avoid misleading statements and misrepresentations

    • Use plan assets for the exclusive purpose of paying plan benefits or defraying reasonable expenses of administering the plan (exclusive benefit rule)

    • Carrying out duties with care, skill, prudence and diligence (prudent person rule) (e.g., develop prudent processes and procedures to demonstrate prudent decision making, which can include an Investment Policy Statement, Retirement Committee meetings and minutes, and RFPs for service providers)

    • Diversifying plan investments to minimize risk of large losses (diversification rule)

    • Following plan document terms (unless inconsistent with ERISA), interpreting provisions, maintaining plan documents

  • ERISA Plan Fiduciary Responsibilities

    Examples continued:

    • Meeting applicable reporting and disclosure requirements (e.g., Form 5500 filings, SPDs, SMMs, SARs, benefit statements, fee disclosures, QDIA notice, safe harbor notice, 204(h) notice, blackout notice, plan documents upon request)

    • Prudently selecting and monitoring all those to whom responsibilities have been delegated, the performance of service providers, plan services, investment options and reasonableness of fees

    • Timely depositing plan contributions

    • Meeting the bonding requirement

    • Avoiding prohibited transactions (e.g., certain transactions with parties in interest, self dealing, acting adversely to participants or beneficiaries)

  • Who Can Bring Fiduciary Breach Claims Under ERISA

    ▪ A civil action under ERISA Section 502(a)(2) can be brought against a fiduciary for breach of fiduciary duties by:

    • Participants

    • Beneficiaries

    • Co-Fiduciaries

    • The Secretary of Labor

    For appropriate relief under ERISA Section 409:

    • Personal liability for loss caused to the plan

    • Personal liability to restore to the plan any profits that the fiduciary made through the use of plan assets

    • Other equitable or remedial relief a court deems appropriate, including removal of the fiduciary

  • What Must a Plaintiff Prove in an ERISA Section 502(a)(2) Claim?

    ▪ For this claim of breach of fiduciary duty, the plaintiff must:

    • Prove a plan fiduciary breached its ERISA fiduciary duty

    • Show that there was a loss to the plan because of the breach

    See, e.g., Leckey v. Stefano, 501 F.3d 212, 225-26 (3d Cir. 2007).

    Circuit courts are split on who must prove causation; some Circuits have held that the fiduciary must prove that the loss was not caused by the breach of duty.

    Relief under Section 502(a)(2) runs to the plan as a whole; the section does not authorize compensatory or punitive damages to individuals. See Massachusetts Mutual Life Insurance Co. v. Russell, 473 U.S. 134 (1985).

    However, the U.S. Supreme Court later held that Section 502(a)(2) does authorize recovery for fiduciary breaches that impair the value of plan assets in a participant’s individual account under a defined contribution plan, because each account is in essence a plan that can suffer loss. See LaRue v. DeWolff, Boberg & Associates, Inc., et al., 552 U.S. 248 (2008).

  • Other Potential ERISA Claims

    ▪ ERISA Section 502(a)(3)

    • Participants and beneficiaries can sue under ERISA Section 502(a)(3) for individual relief to remedy fiduciary breaches (as opposed to relief for the plan), where the remedy for a successful claim is equitable relief for individual harm (the DOL can sue for similar relief under ERISA Section 502(a)(5))

    o This section is generally viewed as the catchall provision, and normally provides relief for injuries not adequately remedied elsewhere under Section 502. See Varity Corp. v. Howe, 516 U.S. 489, 512 (1996).

    o To bring a claim under this section, a plaintiff must generally prove both (1) that there is a remediable wrong, i.e., that the plaintiff seeks relief to redress a violation of ERISA or the terms of the Plan, and (2) that the relief sought is appropriate equitable relief. See, e.g., Gabriel v. Alaska Elec. Pension Fund, 773 F.3d 945, 954 (9th Cir. 2014).

    • A fiduciary may bring suit under ERISA Section 502(a)(3) to enjoin an act or practice which violates ERISA or the plan, or to obtain other equitable relief

    • Appropriate equitable relief:

    o “[C]ategories of relief that were typically available in equity (such as injunction, mandamus, and restitution, but not compensatory damages).” Mertens v. Hewitt Associates, 508 U.S. 248, 256 (1993).

  • Other Potential ERISA Claims

    ▪ Individual benefit claims are brought under ERISA Section 502(a)(1)(B), which allows participants and beneficiaries to bring a cause of action to challenge a denial of benefits or to clarify their rights to future benefits under the terms of the plan

    ▪ These claims require a plaintiff to show that:

    • (1) plaintiff properly made a claim for benefits

    • (2) the plaintiff exhausted the plan’s administrative appeals process (if raised as a defense)

    • (3) the plaintiff is entitled to a particular benefit under the plan’s terms; and,

    • (4) the plaintiff was denied that benefit.

  • Other Avenues to Bring Claims?

    ▪ ERISA Preemption Analysis

    ▪ State Law Claims (to the extent not preempted by ERISA) including, without limitation:

    • Breach of contract

    • Violation of state confidentiality requirements

    • Violation of state privacy laws

    • Negligence

    To date, no Circuit Court has applied ERISA preemption to preclude a plaintiff from moving forward with state law claims arising out of a data breach. In re Anthem, Inc. Data Breach Litigation (Settled in August 2018).

  • Sample of the Patchwork of Privacy and Security Laws and Regulations

    There is a gap in the law for benefit plan participant and beneficiary information and data

    ▪ Gramm-Leach-Bliley Act of 1999 (“GLBA”), 15 U.S.C. 6801 et seq.

    • Requires financial institutions that offer consumers financial products and services to respect customer privacy and protect the security and confidentiality of customers’ nonpublic personal information.

    ▪ General Data Protection Regulation (EU) 2016/679 (“GDPR”)

    • Rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

    • Provides individual “data subjects”, among other things, with the right to be forgotten, i.e., to have the “controller” erase their personal data

    ▪ SEC’s Regulation S-P, 17 C.F.R. Part 248 (see § 248.30)

    • Requires registered broker-dealers, investment companies, and investment advisers to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information

    ▪ Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”)

    • Privacy standards for the use and disclosure of protected health information; security standards to protect the confidentiality, integrity and availability of electronic PHI.

    • Expanding obligations of business associates, and additional requirements for covered entities regarding breach notifications of unsecured PHI.

    ▪ Federal Trade Commission Act of 1914 (“FTCA”)

    • The FTCA prohibits unfair and deceptive trade practices. The FTC has brought legal actions against organizations that have violated consumers’ privacy rights, misled them by failing to maintain security for sensitive consumer information, or caused substantial consumer injury, often charging the defendants with violating Section 5 of the FTC Act, which bars unfair and deceptive acts and practices in or affecting commerce. The FTC also enforces other federal laws relating to consumers’ privacy and security.

    ▪ Examples of State Privacy Statutes

    • New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD” Act) of 2019; California Consumer Privacy Act (CCPA) of 2018 (and California Privacy Rights Act (CPRA))

  • Presented by:

    Robert R. Gower, Esq., Director, Trucker Huss, [email protected], (415) 788-3111

    Segment II: Trends, Events, Developments and Increased Scrutiny

    © Copyright Trucker Huss, APC | One Embarcadero Center, 12th Floor, San Francisco, California 94111 Telephone: 415-788-3111 | Facsimile: 415-421-2017 | www.truckerhuss.com

    A Professional Corporation

    ERISA AND EMPLOYEE BENEFITS ATTORNEYS

  • Impacts of a Global Pandemic and Shelter in Place

    Polling through October 2020 shows that between 22 and 25 percent of the United States workforce is still working from home on a full-time basis. Another 20 to 22 percent are on-site only when necessary.

    As of October 2020, 35 percent of surveyed workers who currently work from home would prefer to continue working from home post-pandemic. Another 22 percent would prefer a hybrid environment.

    Numerous metropolitan regions remain under strict stay-at-home orders


  • Impacts of a Global Pandemic and Shelter in Place

    Shelter in place orders were unprecedented and came with little warning; many companies did not (and still may not) have adequate security controls for remote work

    A significant uptick in phishing scams and ransomware attacks has coincided with shelter in place orders

    According to the Federal Trade Commission, there were more than 172,000 fraud reports filed in the first six months of the pandemic

    Remote work environments (especially those that are not adequately secured) create greater opportunity for attacks aimed at plan sponsors, service providers and participants


  • Compounding Factors During Global Pandemic and Shelter in Place

    Hardships caused by the pandemic have increased the likelihood a participant will request a hardship distribution, loan, or other withdrawal

    The CARES Act provided for special in-service distributions (Coronavirus Related Distributions) as well as plan loan relief permitting an increased loan limit

    > Immediate increase in withdrawal/distribution requests to recordkeepers

    > Heavy reliance on self-certification process minimizes human involvement and may increase potential for fraud


  • Compounding Factors During Global Pandemic and Shelter in Place

    The IRS’s 2019 hardship withdrawal rules allow enhanced e-certification, permitting streamlined hardship distributions

    > The final rules do not require substantiating the validity of a hardship, which may increase the potential for fraud

    The Department of Labor’s 2020 Electronic Disclosure Rule makes it easier to disseminate plan-related information electronically

    > The Final Rule eases the conditions under which plan fiduciaries can provide plan information electronically, including directly via email. Disseminating information via email is a particular risk for phishing scams, since legitimate plan emails give attackers a template to imitate.


  • Compounding Factors During Global Pandemic and Shelter in Place

    Increase in use of single sign-on (“SSO”)

    Third party password storage

    Mobile account access

    Increase in use of bundled financial wellness programs

    Increase in long-term retention of retirement plan accounts


  • Increased Interest, Increased Scrutiny

    The AICPA Employee Benefit Plan Audit Quality Center released guidance to help plan auditors understand cybersecurity risk and discuss cybersecurity risk with plan sponsors, including responsibilities, preparedness and response strategies.

    > Cybersecurity risks and controls are within the scope of the financial statement auditor’s concern to the extent they could impact financial statements and company assets to a material extent


  • Increased Interest, Increased Scrutiny

    In 2016, the ERISA Advisory Council provided a report to the Secretary of Labor examining cybersecurity considerations and issuing related recommendations

    In October of 2020, the Department of Labor announced that it is preparing to issue a cybersecurity guidance package for plan sponsors and service providers

    > Emphasis on good cybersecurity practices and avoiding unsophisticated cyber crime

    > Increased attention on the duty of prudence in selecting and monitoring service providers

    > Anticipated focus on service provider standards and risk assessments

    > Anticipated focus on the importance of responsiveness to cybersecurity incidents


  • Increased Interest, Increased Scrutiny

    In the same October 2020 announcement, the Department of Labor announced that there would be increased investigation focus on the adequacy of cybersecurity programs, especially for large plans

    > Recent plan audits are requesting information on cybersecurity policies and procedures, as well as history of cybersecurity attacks and responses


  • Disclaimer

    These materials have been prepared by Trucker Huss, APC for informational purposes only and constitute neither legal nor tax advice

    Transmission of the information is not intended to create, and receipt does not constitute, an attorney-client relationship

    Anyone viewing this presentation should not act upon this information without seeking professional counsel

    In response to new IRS rules of practice, we hereby inform you that any federal tax advice contained in this writing, unless specifically stated otherwise, is not intended or written to be used, and cannot be used, for the purpose of (1) avoiding tax-related penalties or (2) promoting, marketing or recommending to another party any tax-related transaction(s) or matter(s) addressed herein

  • Strafford Presentation

    CYBERSECURITY AND ERISA RETIREMENT PLANS: RISKS AND BEST PRACTICES FOR PLAN SPONSORS AND FIDUCIARIES

    Wednesday, January 13, 2021

    Mark Bokert, Partner/Co-chair, Benefits & [email protected]

    © 2021 Davis & Gilbert LLP

  • SEGMENT III: ERISA CYBER LITIGATION -CASES AND LESSONS

    »Berman v. Estee Lauder

    »Bartnett v. Abbott Laboratories

    »Leventhal v. MandMarblestone Group

    »Lessons Learned

  • ERISA CYBER LITIGATION:

    »Berman v. Estee Lauder Inc., et al., case No. 3:19-cv-06489, in the U.S. District Court for the Northern District of California (2019)

    - ERISA Claims: ERISA §§ 409 and 502(a)(2)

    - State Law Claim: None

    - Facts: An unknown person or persons stole a participant’s retirement savings by withdrawing a total of $99,000 in three separate unauthorized distributions from her account in the Estee Lauder Companies 401(k) Savings Plan

    - Holding: None. Case settled out of court

  • ERISA CYBER LITIGATION:

    » Bartnett v. Abbott Laboratories et al., case number 1:20-cv-02127, in the U.S. District Court for the Northern District of Illinois (2020)

    - ERISA Claims: ERISA §§ 409 and 502(a)(2)

    - State Law Claim: Illinois Consumer Fraud and Deceptive Business Practice Act (ICFA)

    - Facts: An unknown person or persons accessed the participant’s account online, reset the password, and initiated a withdrawal of $245,000 to a bank account that did not belong to the participant, after getting additional personal information from the plan’s customer service representatives

    - Holding: Motion to dismiss claims against Abbott granted; motion to dismiss claims against record-keeper denied; claims under ICFA not preempted by ERISA

    - Subsequent History: Plaintiff filed amended complaint against Abbott

  • ERISA CYBER LITIGATION:

    »Leventhal et al. v. The MandMarblestone Group LLC et al., case number 2:18-cv-02727, in the U.S. District Court for the Eastern District of Pennsylvania (2019)

    - ERISA Claims: ERISA §§ 502(a)(1)(B), 502(a)(2), 502(a)(3) and 502(d)

    - State Law Claims: Breach of contract and negligence

    - Facts: An unknown person or persons obtained a copy of the participant’s original withdrawal form by using an unknown method of cyber-fraud. The criminals then sent fraudulent withdrawal forms to the plan administrator and custodian requesting the transmittal of funds to a bank account that did not belong to the participant. The participant’s account in the plan was depleted from more than $400,000 to $0

  • ERISA CYBER LITIGATION:

    - Holding: Motion to dismiss ERISA claims against MandMarblestone Group denied; breach of contract and negligence claims preempted by ERISA

    - Subsequent History: MandMarblestone Group filed counter-claim against plaintiff as co-fiduciary
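    The three fact patterns above share a few observable precursors: a password reset or contact-detail change shortly before a withdrawal (Bartnett), a payout directed to a bank account the participant never used (Bartnett, Leventhal), withdrawal forms rather than an authenticated session (Leventhal), and several withdrawals in quick succession (Berman). What follows is an added example, not from the webinar and not any recordkeeper's production logic, of a screening rule a recordkeeper or plan sponsor could run over its distribution queue to hold such requests for out-of-band verification. The event model, the 14-day lookback, the point weights and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical event model; a recordkeeper would map its own audit log onto it.
@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str          # "password_reset", "contact_change", "bank_added", "distribution"
    detail: str = ""   # bank account id for bank_added/distribution, else free text

@dataclass(frozen=True)
class Request:
    ts: datetime
    participant_id: str
    amount: float
    dest_account: str  # bank account the payout would be sent to
    channel: str       # "web", "phone" or "form"

LOOKBACK = timedelta(days=14)  # assumed window; tune to the plan's own loss data
HOLD_AT = 3                    # assumed score at which a request is held for verification


def score_request(req, established_accounts, history):
    """Score one distribution request against the participant's recent events.

    established_accounts: bank accounts on file since before the lookback window.
    history: every Event recorded for this participant.
    Returns (score, reasons). A score >= HOLD_AT means the request should be
    held and confirmed with the participant through a channel the recent
    changes did not touch (e.g. the phone number on file before any change).
    """
    start = req.ts - LOOKBACK
    recent = [e for e in history if start <= e.ts <= req.ts]
    kinds = {e.kind for e in recent}
    score, reasons = 0, []

    if "password_reset" in kinds:            # Bartnett: reset, then withdraw
        score += 1
        reasons.append("password reset within lookback")
    if "contact_change" in kinds:            # new email/phone defeats a later callback
        score += 1
        reasons.append("contact details changed within lookback")
    if req.dest_account not in established_accounts:
        # Bartnett and Leventhal: payout sent to an account that was not the participant's
        score += 2
        reasons.append("payout to bank account not established on file")
        if req.channel == "form":            # Leventhal: altered withdrawal forms
            score += 1
            reasons.append("paper form redirecting payout to a new account")
    if "distribution" in kinds:              # Berman: several withdrawals in succession
        score += 1
        reasons.append("another distribution within lookback")
    return score, reasons


def decide(req, established_accounts, history):
    """Return ("HOLD" or "RELEASE", score, reasons) for one request."""
    score, reasons = score_request(req, established_accounts, history)
    return ("HOLD" if score >= HOLD_AT else "RELEASE"), score, reasons


# Constructed sample data (not drawn from any real plan or case record).
T = datetime(2020, 3, 2, 10, 0)
ESTABLISHED = {"BANK-OLD"}                    # on file for years
HISTORY = [
    Event(T - timedelta(days=5), "password_reset", "web"),
    Event(T - timedelta(days=4), "contact_change", "email"),
    Event(T - timedelta(days=2), "bank_added", "BANK-NEW"),
]
TAKEOVER = Request(T, "P1", 245_000.0, "BANK-NEW", "web")     # Bartnett-like pattern
FORM_FRAUD = Request(T, "P1", 400_000.0, "BANK-NEW", "form")  # Leventhal-like, no prior events
ROUTINE = Request(T, "P1", 5_000.0, "BANK-OLD", "web")        # ordinary request

if __name__ == "__main__":
    for label, req, hist in (("takeover", TAKEOVER, HISTORY),
                             ("form fraud", FORM_FRAUD, []),
                             ("routine", ROUTINE, HISTORY)):
        action, score, reasons = decide(req, ESTABLISHED, hist)
        print(f"{label:10s} {action:7s} score={score} {reasons}")
```

    The weights are deliberately simple. The point is that the hold decision keys on the combination the cases describe, recent credential or contact changes plus a payout destination the participant never established, and that the follow-up verification must use a contact channel captured before the change; otherwise the attacker who changed the email address also receives the confirmation.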

  • ERISA CYBER LITIGATION: LESSONS LEARNED

    »Generally, claims under ERISA for breach of fiduciary duty related to cybersecurity will be allowed to proceed

    »Service providers are in the cross-hairs, but plan sponsors are not out of the woods

    »Some (but not all) state law claims may be preempted by ERISA

    »Many questions still unanswered

  • Best Practice Considerations

    Plan participant information and data, and plan account assets, are constantly at risk. Best practice considerations for developing and following prudent cybersecurity policies and procedures include:

    • Assembling a coordinated team to devise a prudent approach to address these issues

    • Identifying the data and information being collected, processed, transmitted and stored

    • Coordinating benefit plan practices with organizational cybersecurity policies and protocols, including applicable breach response procedures

  • Best Practice Considerations

    • Training employees who handle participant information and data, and incorporating the topic into fiduciary training

    • Communicating with and educating employees (including with regard to remote work issues)

    • Adhering to prudent standards for selecting and monitoring service providers

    • Addressing organizational requirements for service agreement terms and mobile app security

    • Verifying cybersecurity protocols with service providers

    • Reviewing and updating fiduciary liability insurance, cyberinsurance, ERISA bond

