ERISA Fiduciaries, Data Privacy and Cybersecurity Risks
TRANSCRIPT
![Page 1: ERISA Fiduciaries, Data Privacy and Cybersecurity Risks ...media.straffordpub.com/products/erisa-fiduciaries-data-privacy-and... · 20/06/2017 · Cybersecurity Risks: HIPAA, HITECH,](https://reader034.vdocuments.site/reader034/viewer/2022050207/5f5a03e0aa730b042447b1e4/html5/thumbnails/1.jpg)
The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.
Presenting a live 90-minute webinar with interactive Q&A
ERISA Fiduciaries, Data Privacy and Cybersecurity Risks: HIPAA, HITECH, and ERISA Preemption of State Data Breach Laws
Responding to Data Breaches of Healthcare Administrators and Retirement Plans, Minimizing Risks with TPAs
TUESDAY, JUNE 20, 2017
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Saad Gul, Partner, Poyner Spruill, Raleigh, N.C.
Michael E. Slipsky, Partner, Poyner Spruill, Raleigh, N.C.
Brenna A. Davenport, Poyner Spruill, Charlotte, N.C.

Tips for Optimal Quality
Sound Quality
If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.
If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-258-2056 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem.
If you dialed in and have any difficulties during the call, press *0 for assistance.
Viewing Quality
To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.
FOR LIVE EVENT ONLY

Continuing Education Credits
In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar.
A link to the Attendance Affirmation/Evaluation will be in the thank you email that you will receive immediately following the program.
For additional information about continuing education, call us at 1-800-926-7926 ext. 35.
FOR LIVE EVENT ONLY

Program Materials
If you have not printed the conference materials for this program, please complete the following steps:
• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.
• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.
• Double click on the PDF and a separate page will open.
• Print the slides by clicking on the printer icon.
FOR LIVE EVENT ONLY

ERISA Fiduciaries, Data Privacy and Cybersecurity Risks
Poyner Spruill LLP
www.poynerspruill.com

Mike Slipsky
Trends in ERISA Data Breaches: Health Care and Retirement Plans
www.poynerspruill.com

Health care and retirement plans are target-rich environments for cybercriminals
7

Cybersecurity threats affecting benefit plans are not unique to benefit plans:
• Identity theft
• Ransomware
• Phishing
• Wire fraud
• Malware
8

The Chicago Deferred Compensation Plan is a Section 457(b) defined contribution plan with more than $3 billion in assets.
Identity theft and fraud attack.
Perpetrators independently obtained participants' personal information, which they then used to take out fraudulent loans from participants’ accounts.
$2.6 million taken from 58 accounts
9

UFCW Local 655 Food Employers Joint Pension Plan
Ransomware Attack
Multi-employer defined benefit plan that had assets of approximately $569 million at the end of 2015
10

Ransomware
Software that uses tools to encrypt or “lock” the data located on the device or network to prevent access unless what is, in effect, a monetary ransom is paid to the attacker for a “key” to unlock and retrieve the data.
11

Hackers took control of one of the plan’s servers and demanded three bitcoins, then worth about $2,000.
The ransom was not paid and the plan used a backup server to recreate the information.
12

Anthem Insurance Companies, Inc. Phishing Attack
• Data breach was discovered in January 2015 but began in February 2014
• A user in Anthem’s Amerigroup subsidiary opened a phishing e-mail, which downloaded malicious files to the user’s local system, allowing the attacker to gain remote access
13

Under settlement with regulators, Anthem is spending $260 Million on improving its cybersecurity measures.
14

In the pending class action suit, the Plaintiffs seek damages arising from:
• Overpayment for services
• Theft of Plaintiffs’ PII
• Out-of-pocket losses
• Risk of imminent identity theft
15

The huge size of the plaintiff class in Anthem and the creative damages theories being advanced could overcome the obstacles that have heretofore prevented the plaintiffs’ bar from monetizing data breaches
16

Saad Gul
ERISA Fiduciary Obligations With Respect To Data Breaches
www.poynerspruill.com
17

ERISA sponsors may be responsible under “prudent expert” standard
Familiar language imposes requirement to act “with the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims.” 29 USCS § 1104(a)(1)(B)
18

ERISA does not specifically refer to data protection as a fiduciary duty, but requires each plan fiduciary to discharge his duties with “care, skill, prudence and diligence” (ERISA § 404(a)(1)).
Liability for breach of fiduciary duty under ERISA can be limited by contractually delegating the duty to a third party.
19

Cybersecurity is not a specifically designated TPA responsibility in any agreement we have reviewed
20

However, the selection remains a fiduciary function, so the administrator still has a responsibility to vet potential third-party cybersecurity practices.
• Duty to monitor
• Duty to act in event of notice of data breach
21

Technical Issues
Does participant data in either welfare or pension plans constitute a “plan asset”?
And
Are persons who are responsible for managing or controlling such data “managing a plan asset” so as to render them fiduciaries under ERISA § 3(21)?
22

Prediction:
Data will ultimately be deemed a plan asset
23

There is no regulation or decision imposing this in the context of data breaches or cyber-security in general
On November 10, 2016 the ERISA Advisory Council stated that it would not address the issue of whether cybersecurity was a fiduciary responsibility under ERISA
24

• Difficulty with definitive determination
• Patchwork of technology and laws, with successor liability and arcane tax issues
• U.S. Cyber Command was discovering 600,000 new malware variants a day
• Concerns that there are too many variables for a single fiduciary standard
25

Why “prudent care standard” applies
Decisions to date have turned on different grounds
Analysis of opinions and regulatory guidance indicates that ERISA requires the “prudent care standard” to extend to cybersecurity functions
26

ERISA has no prescribed standard
• Necessitates piecemeal adjudication akin to tort.
• Risk of harm is judged retroactively, which is risky.
• Easier to rebut plaintiff allegations if:
  • Paper trail documenting security requirements, even if flexible – with commensurate flexibility
  • Adherence to industry standards (NIST SP 800-53) can be shown
27

“Prudent Care Standard”
• Is the only available benchmark in absence of congressional action to impose HIPAA-type statutory penalties
• Could be a safe harbor if cybersecurity concerns documented
28

Trends In ERISA Preemption Litigation
29

Supreme Court
Since the United States has acted to preempt state regulation of private employer plans, states may not enforce laws that interfere with ERISA.
Do data breach laws interfere with federal goal of uniformity in plan administration?
Precedents would say yes.
30

ERISA Preemption
• Preempts all state laws that relate to an employee benefit plan.
• Plan participants may bring civil action under ERISA against plan administrator.
31

Difficulties underscored by most recent decision: Gobeille
• The state law at issue required all Vermont insurers, including ERISA plans, to report claims data to the state.
• In 6-2 Kennedy opinion, SCOTUS concluded that reporting, disclosure, and record keeping are central ERISA functions.
  • Vermont’s reporting regime intruded upon a central matter of ERISA plan administration and interfered with nationally uniform plan administration.
  • Only the Secretary of Labor may enact reporting requirements for ERISA plans.
32

No court has ruled on an ERISA preemption defense in the context of a data breach or other cybersecurity claim.
33

However
State laws that offer a remedy that supplants ERISA’s exclusive remedial structure, e.g. imposing a duty to exercise ordinary care in decision-making, have been found to be preempted.
34

ERISA TPAs are likely subject to additional regulation as “affiliates” of other regulated entities, e.g. NY DFS cybersecurity rules
35

ERISA Preemption Prediction:
Claim premised entirely on state law breach will be preempted.
But bulk of “breach” damages stem from auxiliary injuries, especially contract damages
36

SEC and FINRA audits suggest that cybersecurity is now fundamental to administration and governance obligations.
37

If the only issue in litigation is compliance with state breach notification laws, ERISA preemption is likely.
But even under deferential standard of review, ERISA administrators and fiduciaries have to demonstrate “prudent expert” compliance.
38

Brenna Davenport
Take-Aways from Anthem Breach
www.poynerspruill.com
39

Consider the framework on which to base your strategy
• SAFETY Act
• NIST
• SPARK
• AICPA
• Industry initiatives
40

Ownership of the strategy
• Implement data loss prevention tools
• Incident response plan
• Quick notice to affected individuals
• Two-factor authentication/behavioral biometrics
• Encryption
• Limit access
41

Understand the Data
• Limit data collection and delete data that is no longer needed
• Identify data flow
• Control data flow
42

Testing and Updating
• Monitor users (user behavior analytics)
• Audit compliance
43

External Certifications
• SSAE 16
• ISAE 3402
• SAFETY Act
44

Reporting and Improvement
45

Training of workforce
46

Hiring (and firing) practices
47

Check the practices of service providers and protect yourself
• Often the weakest link in a data system is the third party
• Potential fiduciary responsibility
• Vet the service provider before you ever get to the contract
48

Ask Questions
• Does it have a program?
• What is the program?
• Who enforces the program?
• How does it respond to threats and actual breaches?
• How often does it review and rate its systems for security?
• What controls are in place for sensitive data?
49

Contractual protections/checklist
NOTE: TPA forms are generally old and don't reflect cybersecurity concerns; it's not to a TPA's benefit to offer you additional protections, so you have to negotiate
50

Data protection warranties
• Comply with TPA privacy/security policies (vet the same)
• Comply with applicable law
• Comply with industry standards (ISO 27001)
• Annual audits from nationally recognized independent third party (provide a copy of report)
• Fiduciary responsibility
51

Confidentiality of data and use restrictions
• Use plan participant data solely to provide services
• Keep in USA (require advance approval otherwise; reserve termination right if you don't approve)
• Vetting of subcontractors
52

Breach Response
• Promptly notify plan sponsor/administrator (24 hours – 3 days)
• Duty to mitigate and preserve evidence
• Cooperate to perform an assessment and develop action plan for remediation
• TPA responsible for remediating the breach and using all commercially reasonable efforts to prevent recurrence
• Keep plan sponsor/administrator up to date on breach response
53

Liability and risk allocation
• Hold the TPA responsible for cybersecurity breach
• TPA may carve out consequential damages, etc. limitation, but reasonable to require coverage of:
  • Reasonable investigative and legal costs, actual fines/penalties, compliance and breach reporting costs, credit monitoring
  • Indemnification from participant (and other third party) claims
  • Any cap should be high enough to permit substantial recovery
• Insurance
  • Amount
  • Quality/rating of insurance company
  • Plan sponsor/administrator named as additional insured
54

Termination
• For data breach
• Post-termination data migration
• Destruction of records
55

Thank You
Mike Slipsky, Partner
Saad Gul, Partner
Brenna Davenport, Associate
www.poynerspruill.com
56