Social Security Administration Clarifies Identity Proofing Requirements

The SSA extended, for two weeks, the launch of new identity-proofing requirements and made an exception for those applying for certain services.

The Social Security Administration has updated its recently announced identity proofing requirements, in an effort to clarify which of its services will require in-person or online registration. The SSA has said the new requirements are intended to prevent fraudulent claims.

Under the updated policy, now slated to take effect April 14, 2025, individuals applying for Social Security Disability Insurance, Medicare or Supplementary Security Income who cannot use their personal “my Social Security” account online can complete their claim entirely over the telephone, without the need to come into an office.

Last week, the SSA said that, starting March 31, it would require all individuals signing up for Social Security benefits to visit a field office or use the internet, and would no longer allow them to sign up over the phone. The policy’s effective date has now been extended two weeks, and the policy makes an exception for those applying for SSDI, Medicare or SSI.

“We have listened to our customers, Congress, advocates, and others, and we are updating our policy to provide better customer service to the country’s most vulnerable populations,” said Lee Dudek, acting commissioner of Social Security, in a statement.

Individuals who cannot use their personal online my Social Security account to apply for benefits will only need to provide proof of their identity at a Social Security office if applying for Retirement, Survivors or Auxiliary (spouse or child) benefits. The SSA said it will enforce online digital identity proofing or in-person identity proofing for these cases.

“The agency will not enforce these requirements in extreme dire-need situations, such as terminal cases or prisoner pre-release scenarios,” the announcement said. “SSA is currently developing a process that will require documentation and management approval to bypass the policy in such dire need cases.”

In addition, individuals who do not, or cannot, use the online service to change their direct deposit information for any benefit will need to visit a field office to process the change or can call 1-800-772-1213 to schedule an in-person appointment.

The SSA also plans to implement the Department of Treasury’s Bureau of Fiscal Service’s payment integrity service called Account Verification Service, which provides instant bank verification services to prevent fraud associated with direct deposit change requests, according to the announcement.

The SSA recently required nearly all agency employees to work in the office five days a week, which the agency claims will ensure maximum staffing is available to support the identity-proofing requirement. However, President Donald Trump’s Department of Government Efficiency Service Temporary Organization published a list of 47 SSA offices that are slated to close either this year or in the near future.

The agency also announced in February that it aims to lay off at least 7,000 people as part of the president’s effort to downsize the federal government.

DOL Cybersecurity Guidance and Health and Welfare Plan Gaps

All benefit plans must follow the U.S. Department of Labor’s cybersecurity guidance, not only retirement plans, writes a partner at Alston & Bird.

Steven Mindy

Almost all health plans must comply with the Health Insurance Portability and Accountability Act. However, all employee benefit plans subject to the Employee Retirement Income Security Act, including health plans, other welfare plans (for example, disability or life insurance) and retirement plans, must follow the U.S. Department of Labor’s cybersecurity guidance.

In September 2024, the DOL clarified that its April 2021 cybersecurity guidance applies to all employee benefit plans and not only retirement plans. The DOL intended the 2021 guidance to help plan sponsors, fiduciaries, service providers and participants safeguard plan data, assets and personal information.

Among many other things, the guidance suggests implementing a formal documented cybersecurity program, annual risk assessments, third-party audits, training, technical controls and a breach response procedure. As discussed below, the DOL routinely uses its investigative authority to ask plans and their vendors about their cybersecurity measures.

DOL cybersecurity investigations and subpoenas have been upheld by courts

In Walsh v. Alight Solutions, LLC, the U.S. 7th Circuit Court of Appeals decided that the DOL could subpoena documents about the cybersecurity practices of a plan vendor that was not a fiduciary. The court noted that ERISA Section 504(a) gives the DOL the authority “to determine whether any person has violated or is about to violate” ERISA. The court rejected the argument that cybersecurity was not within the DOL’s investigative authority since cybersecurity might be relevant to whether ERISA has been violated.

The court went on to say that the vendor had not sufficiently detailed the burden of responding or that responding would “threaten the normal operations of its business.” It rejected the vendor’s request for a protective order to guard confidential information because it believed the Freedom of Information Act’s criminal penalties to be sufficient. The vendor had to give the DOL its cybersecurity policies and procedures. The court’s ruling is helpful in that it may provide a roadmap to challenge overly broad and unduly burdensome subpoenas. The court’s decision reinforced the idea that plans and their vendors, including vendors that might not be fiduciaries, should have cybersecurity policies and procedures that consider DOL guidance. Health and welfare plans are no exception.

Health plans might have gaps that HIPAA BAAs do not reach

Health plans might assume incorrectly that HIPAA business associate agreements with vendors provide adequate protection against cybersecurity risks. But health plans and their sponsors might have agreements to share information that is not subject to HIPAA.

For example, HIPAA-protected health information does not include enrollment and disenrollment information. As a result, plans might not sign BAAs with some vendors, such as COBRA administrators.

Does this mean that this information is not protected? Probably not. The DOL is under no obligation to honor HIPAA’s exceptions and might argue that employers have a duty to protect the data. Also, practitioners often take the position that BAAs do not protect information that is not PHI.

A BAA may offer no protection for information that does not meet the definition of PHI. This leaves room for the DOL (or courts) to find that a plan breached its fiduciary duty by not obligating vendors to protect the information consistent with the DOL’s cybersecurity guidance.

Disability plans are not subject to HIPAA and may be subject to similar threats faced by retirement plans

Litigation involving cybersecurity and ERISA’s fiduciary duty is still in its infancy. Most cases involve social engineering where a fraudster impersonated a participant to drain their retirement account. This could also happen with a disability plan, where a fraudster might use social engineering or other means to siphon disability payments to the fraudster’s bank account. This might leave someone who is already vulnerable even more vulnerable while they attempt to right the wrong.

A good example of such fraud is found in Disberry v. Employee Relations Committee of the Colgate-Palmolive Co. The facts are unique and involve allegations that a PIN used to change email and bank account information was stolen from the South African mail system.

The plaintiff noted that the fraudster unsuccessfully tried to drain her retirement account balances in another plan of the same employer and a plan sponsored by an unrelated employer. Although the court denied the plan committee’s motion to dismiss, it showed some sympathy:

The plan was a victim of fraud and theft just as much as the Plaintiff was. An ERISA plan is not required to have procedures in place that account for every possibility – i.e. to act as an insurer against all losses. It must adopt reasonable procedures, but not absolutely air-tight procedures, to protect against the possibility of what happened here, which was a heinous crime.

The plan’s recordkeeper received far less sympathy. In denying the recordkeeper’s motion to dismiss, the court provided the plaintiff with a roadmap for her case. The court said, “The facts pleaded, if proved, would almost certainly suffice to make out a negligence claim against [the recordkeeper] if it turned out not to be a functional fiduciary under ERISA.” The court then advised the plaintiff that the statute of limitations on an “in the alternative” common-law negligence claim would run soon, said that “the clock is ticking,” and included the approximate filing deadline.

The case soon settled. However, the ruling shows that courts may be loath to say “too bad, so sad” when a fraudster drains a participant’s account and instead search for a way to find the participant relief. This relief might be under ERISA or, if ERISA does not provide relief, common law.

Plans and their vendors should ensure they have sufficient cybersecurity policies and procedures to prevent theft, as well as protection in the event of theft, since initial rulings seem to find that courts will not accept a parade of “not it” at plan participants’ expense.

Plans invest considerable time and money in benefits, which they should want to protect

Employers put substantial time and money into providing benefits to protect employees, and the cybersecurity risks are real. Disability plan participants might not receive money to pay their expenses when they need it most. Retirement plan participants stand to lose what they worked their lifetime to build. Health plans might assume HIPAA protects data that it does not. No employer wants to develop the reputation of not protecting its employees or retirees. All benefit plans should take the DOL’s cybersecurity guidance seriously.

Plans should also consider obtaining appropriate insurance, including cyber liability coverage, since courts so far have not been inclined to let participants leave empty-handed after a cybersecurity incident.

Steven Mindy is a partner at Alston & Bird. His practice focuses on employee benefits and ERISA litigation related to health and welfare benefits and on privacy and security laws and regulations that impact benefit plans.

This feature is to provide general information only, does not constitute legal or tax advice, and cannot be used or substituted for legal or tax advice. Any opinions of the author do not necessarily reflect the stance of ISS STOXX or its affiliates.