Presenting a live 90-minute webinar with interactive Q&A

ERISA Fiduciaries, Data Privacy and Cybersecurity Risks: HIPAA, HITECH, and ERISA Preemption of State Data Breach Laws
Responding to Data Breaches of Healthcare Administrators and Retirement Plans, Minimizing Risks with TPAs

TUESDAY, JUNE 20, 2017
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:
Saad Gul, Partner, Poyner Spruill, Raleigh, N.C.
Michael E. Slipsky, Partner, Poyner Spruill, Raleigh, N.C.
Brenna A. Davenport, Poyner Spruill, Charlotte, N.C.
ERISA Fiduciaries, Data Privacy and Cybersecurity Risks
Poyner Spruill LLP
www.poynerspruill.com

Mike Slipsky
Trends in ERISA Data Breaches: Health Care and Retirement Plans
Health care and retirement plans are target-rich environments for cybercriminals.
Cybersecurity threats affecting benefit plans are not unique to benefit plans:
• Identity theft
• Ransomware
• Phishing
• Wire fraud
• Malware
Chicago Deferred Compensation Plan
Identity theft and fraud attack

The Chicago Deferred Compensation Plan is a Section 457(b) defined contribution plan with more than $3 billion in assets. Perpetrators independently obtained participants' personal information, which they then used to take out fraudulent loans from participants’ accounts. $2.6 million was taken from 58 accounts.
UFCW Local 655 Food Employers Joint Pension Plan
Ransomware attack

Multi-employer defined benefit plan that had assets of approximately $569 million at the end of 2015.
Ransomware: software that encrypts or “locks” the data located on a device or network to prevent access unless what is, in effect, a monetary ransom is paid to the attacker for a “key” to unlock and retrieve the data.
Hackers took control of one of the plan’s servers and demanded three bitcoins, then worth about $2,000. The ransom was not paid, and the plan used a backup server to recreate the information.
Anthem Insurance Companies, Inc.
Phishing attack
• Data breach was discovered in January 2015 but began in February 2014
• A user in Anthem’s Amerigroup subsidiary opened a phishing e-mail, which downloaded malicious files to the user’s local system, allowing the attacker to gain remote access
Under a settlement with regulators, Anthem is spending $260 million on improving its cybersecurity measures.
In the pending class action suit, the plaintiffs seek damages arising from:
• Overpayment for services
• Theft of plaintiffs’ PII
• Out-of-pocket losses
• Risk of imminent identity theft
The huge size of the plaintiff class in Anthem and the creative damages theories being advanced could overcome the obstacles that have heretofore prevented the plaintiffs’ bar from monetizing data breaches.
Saad Gul
ERISA Fiduciary Obligations With Respect To Data Breaches
ERISA sponsors may be responsible under the “prudent expert” standard

Familiar language imposes a requirement to act “with the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims.” 29 USCS § 1104(a)(1)(B)
ERISA does not specifically refer to data protection as a fiduciary duty, but it requires each plan fiduciary to discharge his duties with “care, skill, prudence and diligence” (ERISA § 404(a)(1)).

Liability for breach of fiduciary duty under ERISA can be limited by contractually delegating the duty to a third party.
Cybersecurity is not a specifically designated TPA responsibility in any agreement we have reviewed.
However, the selection remains a fiduciary function, so the administrator still has a responsibility to vet potential third parties’ cybersecurity practices.
• Duty to monitor
• Duty to act in the event of notice of a data breach
Technical Issues

Does participant data in either welfare or pension plans constitute a “plan asset”? And are persons who are responsible for managing or controlling such data “managing a plan asset” so as to render them fiduciaries under ERISA § 3(21)?
Prediction: data will ultimately be deemed a plan asset.
There is no regulation or decision imposing this in the context of data breaches or cybersecurity in general. On November 10, 2016, the ERISA Advisory Council stated that it would not address the issue of whether cybersecurity was a fiduciary responsibility under ERISA.
• Difficulty with definitive determination
• Patchwork of technology and laws, with successor liability and arcane tax issues
• U.S. Cyber Command was discovering 600,000 new malware variants a day
• Concerns that there are too many variables for a single fiduciary standard
Why the “prudent care standard” applies

Decisions to date have turned on different grounds. Analysis of opinions and regulatory guidance indicates that ERISA requires the “prudent care standard” to extend to cybersecurity functions.
ERISA has no prescribed standard
• Necessitates piecemeal adjudication akin to tort.
• Risk of harm is judged retroactively, which is risky.
• Easier to rebut plaintiff allegations if the following can be shown:
  • A paper trail documenting security requirements, even if flexible, with commensurate flexibility in enforcement
  • Adherence to industry standards (e.g. NIST SP 800-53)
“Prudent Care Standard”
• Is the only available benchmark in the absence of congressional action to impose HIPAA-type statutory penalties
• Could be a safe harbor if cybersecurity concerns are documented
Trends In ERISA Preemption Litigation
Since the United States has acted to preempt state regulation of private employer plans, states may not enforce laws that interfere with ERISA. Do data breach laws interfere with the federal goal of uniformity in plan administration? Precedents would say yes.
ERISA Preemption
• Preempts all state laws that relate to an employee benefit plan.
• Plan participants may bring a civil action under ERISA against the plan administrator.
Difficulties underscored by the most recent decision: Gobeille
• The state law at issue required all Vermont insurers, including ERISA plans, to report claims data to the state.
• In a 6-2 Kennedy opinion, SCOTUS concluded that reporting, disclosure, and record keeping are central ERISA functions.
  • Vermont’s reporting regime intruded upon a central matter of ERISA plan administration and interfered with nationally uniform plan administration.
  • Only the Secretary of Labor may enact reporting requirements for ERISA plans.
No court has ruled on an ERISA preemption defense in the context of a data breach or other cybersecurity claim.
State laws that offer a remedy that supplants ERISA’s exclusive remedial structure, e.g. imposing a duty to exercise ordinary care in decision-making, have been found to be preempted.

However, ERISA TPAs are likely subject to additional regulation as “affiliates” of other regulated entities, e.g. under the NY DFS cybersecurity rules.
ERISA Preemption Prediction:
A claim premised entirely on a state law breach will be preempted. But the bulk of “breach” damages stem from auxiliary injuries, especially contract damages.
SEC and FINRA audits suggest that cybersecurity is now fundamental to administration and governance obligations.
If the only issue in litigation is compliance with state breach notification laws, ERISA preemption is likely. But even under a deferential standard of review, ERISA administrators and fiduciaries have to demonstrate “prudent expert” compliance.
Brenna Davenport
Take-Aways from the Anthem Breach
Consider the framework on which to base your strategy
• SAFETY Act
• NIST
• SPARK
• AICPA
• Industry initiatives
Ownership of the strategy
• Implement data loss prevention tools
• Incident response plan
• Quick notice to affected individuals
• Two-factor authentication/behavioral biometrics
• Encryption
• Limit access
Understand the Data
• Limit data collection and delete data that is no longer needed
• Identify data flow
• Control data flow
Testing and Updating
• Monitor users (user behavior analytics)
• Audit compliance
External Certifications
• SSAE 16
• ISAE 3402
• SAFETY Act
Reporting and Improvement

Training of workforce

Hiring (and firing) practices
Check the practices of service providers and protect yourself
• Often the weakest link in a data system is the third party
• Potential fiduciary responsibility
• Vet the service provider before you ever get to the contract
Ask Questions
• Does it have a program?
• What is the program?
• Who enforces the program?
• How does it respond to threats and actual breaches?
• How often does it review and rate its systems for security?
• What controls are in place for sensitive data?
Contractual protections/checklist
NOTE: TPA forms are generally old and don't reflect cybersecurity concerns. It's not to a TPA's benefit to offer you additional protections, so you have to negotiate.
Data protection warranties
• Comply with TPA privacy/security policies (vet the same)
• Comply with applicable law
• Comply with industry standards (ISO 27001)
• Annual audits from a nationally recognized independent third party (provide a copy of the report)
• Fiduciary responsibility
Confidentiality of data and use restrictions
• Use plan participant data solely to provide services
• Keep in USA (require advance approval otherwise; reserve termination right if you don't approve)
• Vetting of subcontractors
Breach Response
• Promptly notify plan sponsor/administrator (24 hours to 3 days)
• Duty to mitigate and preserve evidence
• Cooperate to perform an assessment and develop an action plan for remediation
• TPA responsible for remediating the breach and using all commercially reasonable efforts to prevent recurrence
• Keep plan sponsor/administrator up to date on breach response
Liability and risk allocation
• Hold the TPA responsible for cybersecurity breach
• TPA may carve out consequential damages, etc. as a limitation, but it is reasonable to require coverage of:
  • Reasonable investigative and legal costs, actual fines/penalties, compliance and breach reporting costs, credit monitoring
  • Indemnification from participant (and other third party) claims
  • Any cap should be high enough to permit substantial recovery
• Insurance
  • Amount
  • Quality/rating of insurance company
  • Plan sponsor/administrator named as additional insured
Termination
• For data breach
• Post-termination data migration
• Destruction of records
Thank You
Mike Slipsky, Partner
Saad Gul, Partner
Brenna Davenport, Associate
www.poynerspruill.com