DOL Cybersecurity Guidance and Health and Welfare Plan Gaps
All benefit plans must follow the U.S. Department of Labor’s cybersecurity guidance, not only retirement plans, writes a partner at Alston & Bird.

Steven Mindy
Almost all health plans must comply with the Health Insurance Portability and Accountability Act. However, all employee benefit plans subject to the Employee Retirement Income Security Act, including health plans, other welfare plans (for example, disability or life insurance) and retirement plans, must follow the U.S. Department of Labor’s cybersecurity guidance.
In September 2024, the DOL clarified that its April 2021 cybersecurity guidance applies to all employee benefit plans and not only retirement plans. The DOL intended the 2021 guidance to help plan sponsors, fiduciaries, service providers and participants safeguard plan data, assets and personal information.
Among other things, the guidance recommends a formal, documented cybersecurity program, annual risk assessments, third-party audits, training, technical controls and a breach response procedure. As discussed below, the DOL routinely uses its investigative authority to ask plans and their vendors about their cybersecurity measures.
DOL cybersecurity investigations and subpoenas have been upheld by courts
In Walsh v. Alight Solutions, LLC, the U.S. 7th Circuit Court of Appeals held that the DOL could subpoena documents about the cybersecurity practices of a plan vendor that was not a fiduciary. The court noted that ERISA Section 504(a) gives the DOL the authority “to determine whether any person has violated or is about to violate” ERISA. It rejected the argument that cybersecurity falls outside the DOL’s investigative authority, reasoning that a vendor’s cybersecurity practices might be relevant to whether ERISA has been violated.
The court went on to say that the vendor had neither detailed the burden of responding nor shown that responding would “threaten the normal operations of its business.” It also denied the vendor’s request for a protective order to guard confidential information, concluding that the existing statutory protections against government disclosure of confidential business information, backed by criminal penalties, were sufficient. The vendor had to give the DOL its cybersecurity policies and procedures. The ruling is nonetheless helpful in that it indicates what a vendor must show (a specific, documented burden) to challenge an overly broad or unduly burdensome subpoena. It also reinforced the idea that plans and their vendors, including vendors that might not be fiduciaries, should have cybersecurity policies and procedures that consider DOL guidance. Health and welfare plans are no exception.
Health plans might have gaps that HIPAA BAAs do not reach
Health plans might assume incorrectly that HIPAA business associate agreements with vendors provide adequate protection against cybersecurity risks. But health plans and their sponsors might have agreements to share information that is not subject to HIPAA.
For example, HIPAA-protected health information does not include enrollment and disenrollment information. As a result, plans might not sign BAAs with some vendors, such as COBRA administrators.
Does this mean that this information is not protected? Probably not. The DOL is under no obligation to honor HIPAA’s exceptions and might argue that employers have a duty to protect the data. Practitioners often take the position that a BAA offers no protection for information that does not meet the definition of PHI. That leaves room for the DOL (or courts) to find that a plan breached its fiduciary duty by not obligating vendors to protect the information consistent with the DOL’s cybersecurity guidance.
Disability plans are not subject to HIPAA and may face threats similar to those faced by retirement plans
Litigation involving cybersecurity and ERISA’s fiduciary duty is still in its infancy. Most cases involve social engineering where a fraudster impersonated a participant to drain their retirement account. This could also happen with a disability plan, where a fraudster might use social engineering or other means to siphon disability payments to the fraudster’s bank account. This might leave someone who is already vulnerable even more vulnerable while they attempt to right the wrong.
A good example of such fraud is found in Disberry v. Employee Relations Committee of the Colgate-Palmolive Co. The facts are unique and involve allegations that a PIN used to change email and bank account information was stolen from the South African mail system.
The plaintiff noted that the fraudster also tried, unsuccessfully, to drain her retirement account balances in another plan of the same employer and in a plan sponsored by an unrelated employer. Although the court denied the plan committee’s motion to dismiss, it showed the committee some sympathy:
The plan was a victim of fraud and theft just as much as the Plaintiff was. An ERISA plan is not required to have procedures in place that account for every possibility – i.e. to act as an insurer against all losses. It must adopt reasonable procedures, but not absolutely air-tight procedures, to protect against the possibility of what happened here, which was a heinous crime.
The plan’s recordkeeper received far less sympathy. In denying the recordkeeper’s motion to dismiss, the court provided the plaintiff with a roadmap for her case. The court said, “The facts pleaded, if proved, would almost certainly suffice to make out a negligence claim against [the recordkeeper] if it turned out not to be a functional fiduciary under ERISA.” The court then advised the plaintiff that the statute of limitations on an “in the alternative” common-law negligence claim would run soon, said that “the clock is ticking,” and included the approximate filing deadline.
The case soon settled. However, the ruling shows that courts may be loath to say “too bad, so sad” when a fraudster drains a participant’s account and instead search for a way to find the participant relief. This relief might be under ERISA or, if ERISA does not provide relief, common law.
Plans and their vendors should ensure they have sufficient cybersecurity policies and procedures to prevent theft, as well as protection in the event of theft, since initial rulings seem to find that courts will not accept a parade of “not it” at plan participants’ expense.
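The sequence alleged in Disberry (contact details and a credential changed first, then the bank account, then a payment request) lends itself to a mechanical control. The block below is an added example, not code from the article, from Alston & Bird or from any recordkeeper. It shows one candidate “reasonable procedure” of the kind the court contrasted with “air-tight” ones: a cooling-off rule that holds a payment when the destination bank account changed recently, flags the takeover pattern when contact or credential changes preceded it, and selects only contact channels that were not themselves changed for out-of-band verification. The event kinds, the 14-day window and the sample event sequence are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Event kinds recorded on a participant account (assumed names for this example).
CONTACT_KINDS = {"email_change", "phone_change", "address_change"}
BANK_KINDS = {"bank_account_change"}
CREDENTIAL_KINDS = {"pin_reset", "password_reset"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    channel: str  # how the change was submitted: "web", "phone" or "mail"


@dataclass
class Decision:
    hold: bool                                       # True = do not pay yet
    reasons: list = field(default_factory=list)      # why the payment is held or flagged
    verify_via: list = field(default_factory=list)   # channels still safe for confirmation


COOLING_OFF = timedelta(days=14)  # assumed policy window, not a DOL figure


def review_payment(events, request_ts, cooling_off=COOLING_OFF):
    """Decide whether a payment requested at request_ts may go out.

    Policy (an assumption for this example):
      * a payment to a bank account changed inside the cooling-off window is held;
      * contact or credential changes in the same window are flagged as the
        account-takeover pattern;
      * any contact channel changed in the window is untrusted for verification,
        because the fraudster now controls it; if every channel was changed, the
        plan must fall back to the employer's HR records.
    """
    window = [e for e in events if request_ts - cooling_off <= e.ts <= request_ts]
    bank = [e for e in window if e.kind in BANK_KINDS]
    contact = [e for e in window if e.kind in CONTACT_KINDS]
    creds = [e for e in window if e.kind in CREDENTIAL_KINDS]
    d = Decision(hold=False)

    if bank:
        d.hold = True
        d.reasons.append(
            f"bank account changed on {bank[-1].ts:%Y-%m-%d}, inside the {cooling_off.days}-day window"
        )
    if bank and (contact or creds):
        d.reasons.append("contact or credential change preceded the bank change: account-takeover pattern")

    if bank or contact or creds:
        # "email_change" -> "email", etc.; these channels cannot be used to confirm the change.
        changed = {e.kind.split("_")[0] for e in contact}
        d.verify_via = [c for c in ("email", "phone", "address") if c not in changed]
        if not d.verify_via:
            d.hold = True
            d.reasons.append("every contact channel changed recently; no trustworthy channel left")
            d.verify_via = ["employer_hr"]
    return d


def disberry_like_events():
    """Constructed event sequence modelled on the pattern the article describes."""
    t0 = datetime(2024, 3, 1)
    return [
        Event(t0, "address_change", "phone"),
        Event(t0 + timedelta(days=2), "pin_reset", "mail"),
        Event(t0 + timedelta(days=5), "email_change", "web"),
        Event(t0 + timedelta(days=5), "phone_change", "web"),
        Event(t0 + timedelta(days=6), "bank_account_change", "web"),
    ]


if __name__ == "__main__":
    decision = review_payment(disberry_like_events(), datetime(2024, 3, 8))
    print("hold:", decision.hold)
    for r in decision.reasons:
        print(" -", r)
    print("verify via:", decision.verify_via)
```

The rule is deliberately narrow: a participant who merely updated an email address weeks ago is not blocked, and a routine address change followed by no bank change only routes confirmation to the untouched channels. What it refuses to do is confirm a new bank account through the very email or phone number that was changed in the same window, which is the step that makes the Disberry pattern work.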
Plans invest considerable time and money in benefits, which they should want to protect
Employers put substantial time and money into providing benefits to protect employees, and the cybersecurity risks are real. Disability plan participants might not receive money to pay their expenses when they need it most. Retirement plan participants stand to lose what they worked their lifetime to build. Health plans might assume HIPAA protects data that it does not. No employer wants to develop the reputation of not protecting its employees or retirees. All benefit plans should take the DOL’s cybersecurity guidance seriously.
Plans should also consider obtaining appropriate insurance, including cyber liability coverage, since courts so far have not been inclined to let participants leave empty-handed after a cybersecurity incident.
Steven Mindy is a partner at Alston & Bird. His practice focuses on employee benefits and ERISA litigation related to health and welfare benefits and on privacy and security laws and regulations that impact benefit plans.
This feature is to provide general information only, does not constitute legal or tax advice, and cannot be used or substituted for legal or tax advice. Any opinions of the author do not necessarily reflect the stance of ISS STOXX or its affiliates.