Is there a fiduciary responsibility to educate participants about cybersecurity?


Because someone who uses the care, skill, and caution that would be used by one who is experienced in managing an individual-account retirement plan would be mindful of privacy and security risks (including cybersecurity risks), there is a growing consensus that a plan’s administrator must oversee prudent procedures for managing those risks.

For many plans, that means getting a recordkeeper’s contract promise that it uses commercially reasonable privacy and security procedures.

But even good procedures might be ineffective if a participant, beneficiary, or alternate payee does not guard carefully her identifying information.

If that’s right, does a plan’s fiduciary have a responsibility to educate participants (and other individuals) about those risks?

If so, what do you think an employer/fiduciary should do?

Peter Gulia PC

Fiduciary Guidance Counsel

Philadelphia, Pennsylvania

215-732-1552

Peter@FiduciaryGuidanceCounsel.com


That would make for a great presentation or panel discussion at a conference!

Personal opinion is that cybersecurity is a shared responsibility of all related parties, including the participant. But, like 404(c) where you must educate the participant to off-load fiduciary responsibility for investment selection, I think plan sponsors also bear the onus of keeping their participants informed regarding the security of their retirement accounts. 

Assuming buy-in on the initial premise, the next discussion is how plan sponsors do this and whose help do they enlist? RKs are probably best positioned to help, as could legal counsel with subject matter expertise. And this is not a one-and-done affair; the more the issue is put in front of people, the more they'll be aware - and if it is stressed that they share responsibility, including the risk of loss (i.e., not an automatic that others will reimburse them for their own security lapses) then hopefully they will pay attention.

My humble thoughts.

Kenneth M. Prell, CEBS, ERPA

Vice President, BPAS Actuarial & Pension Services

kprell@bpas.com


4 hours ago, Peter Gulia said:

If that’s right, does a plan’s fiduciary have a responsibility to educate participants (and other individuals) about those risks?

I'm going to split hairs a bit and ask for a clarification.  Do you mean a fiduciary responsibility (legal, must do) or a moral responsibility (should do)?

 

 


CuseFan, thank you for sharing your thoughts.

RatherBeGolfing, fair question; I am asking about ERISA § 404(a)(1) responsibility.

Would a prudent fiduciary know that some substantial number of participants do not recognize the security risks?

If so, would a prudent fiduciary find that protecting those participants’ interests requires educating them about the risks?

 

Peter Gulia PC

Fiduciary Guidance Counsel

Philadelphia, Pennsylvania

215-732-1552

Peter@FiduciaryGuidanceCounsel.com


Quick review of the articles we've linked to in BenefitsLink newsletters (which is a representative, but admittedly not an exhaustive, search of the "current literature") shows that courts so far seem to be holding the recordkeeper liable, but not the plan sponsor -- in several instances, plan sponsors have been granted motions to dismiss.  And so far, very few discussions of how plan sponsors can/should educate employees.

Definitely a great topic for further exploration.


1 hour ago, Lois Baker said:

Definitely a great topic for further exploration.

... and lawsuits.  😉

I'm a retirement actuary. Nothing about my comments is intended or should be construed as investment, tax, legal or accounting advice. Occasionally, but not all the time, it might be reasonable to interpret my comments as actuarial or consulting advice.
