VOL. 28, NO. 2 SUMMER 2015
BENEFITS LAW JOURNAL

Privacy and Security Concerns for Employee Benefit Plans with Service Provider Relationships

Ann Killilea, Andrew C. Liazos, and Amy C. Pimentel

Ann Killilea (akillilea@mwe.com) is counsel at McDermott Will & Emery LLP and a member of the firm's Privacy and Data Protection Practice. She advises clients on a full range of data protection matters, including privacy assessments, policy development and implementation, international data transfers, cloud computing transactions, and vendor management programs. Prior to joining the firm, Ann served for 25 years as senior in-house corporate counsel advising large multinational companies in the information technology industry. Andrew C. Liazos (aliazos@mwe.com) is a partner in the law firm of McDermott Will & Emery LLP and heads the firm's employee benefits practice in Boston. He regularly represents public companies and large closely held businesses on all aspects of ERISA fiduciary and plan governance matters and has extensive experience with ERISA preemption matters. Andrew has been recognized for several years as a national leader in the employee benefits field by Chambers USA, The Best Lawyers in America, Legal 500, and Corporate Counsel. He is a Fellow of the American College of Employee Benefits Counsel, which recognizes lawyers who have made outstanding contributions to the field of employee benefits, and is co-chair of the ABA Joint Committee on Employee Benefits National Institute on Executive Compensation. Amy C. Pimentel (apimentel@mwe.com) is a member of the Privacy and Data Protection Practice at McDermott Will & Emery LLP. Her practice focuses on consumer protection, privacy, and information security for private entities in a range of business sectors.

Recent cyber-attacks on health insurers have heightened awareness that sensitive participant and beneficiary information may not be adequately secure. There will undoubtedly be other attacks on databases maintained by service providers to employee benefit plans, which raises an important question for ERISA fiduciaries: what should be done now to protect participant and beneficiary information entrusted to service providers against future attacks and unauthorized disclosure? While the extent of a fiduciary's responsibility to protect personal identifiable information of participants and beneficiaries is unclear, the fiduciary provisions of ERISA can be interpreted to impose a general duty to protect this information when it is part of a plan's administration. In addition, plan fiduciaries also may have obligations under other federal and state laws governing data privacy and security that are not preempted by ERISA. This article addresses the nature of the problem, identifies the types of data breaches that can occur with employee benefit plans, provides an overview of relevant law that may apply, and sets forth practical steps that can be taken by plan fiduciaries with service providers to address privacy and security concerns.

NATURE OF THE PROBLEM

There can be little doubt that ERISA plans are attractive targets for cyber-attacks, identity theft, and other forms of data malfeasance due to the broad range of personal identifiable information involved in plan administration and its potential market value. In particular, health care systems and insurers appear to be at significant risk for cyber-attack. According to a notice issued by the Federal Bureau of Investigation in April 2014, electronic health records are particularly valuable to cyber criminals, security measures are often not properly implemented, and breaches are quite common.[1] The financial costs of a successful cyber-attack are significant. A recent report on data breaches affecting a broad range of companies indicates that the average cost for each lost or stolen record containing sensitive and confidential information increased over the past year from $188 to $201 per record, and that the total average cost paid by organizations increased from $5.4 million to $5.9 million.[2]

Plan fiduciaries can increase these risks when providing participants' sensitive personal data to service providers for plan administration (e.g., IT services, cloud services, and payroll services). Administering an employee benefit plan in the 21st century typically involves the assistance of service providers, including but not limited to third-party administrators (TPAs), outside payroll providers, benefits consultants, investment funds, investment advisors, and others. Much of benefit administration is now conducted through automated systems that rely upon the Internet. Service providers acting on behalf of employee benefit plans collect and process large amounts of personal, medical, and financial information about participants and beneficiaries, including but not limited to Social Security numbers, accounts, retirement assets, and income figures. Increasing reliance on technology for plan administration requires close examination of the way service providers will handle and protect this information.

While managing personal security has now become a business in and of itself, privacy and data security issues have often been given short shrift when engaging and monitoring service providers for employee benefit plans. Protecting this massive amount of information is not only about complying with the Health Insurance Portability and Accountability Act (HIPAA) for medical plans. More than HIPAA compliance is at stake. A plan fiduciary cannot assume that the service providers will take care of all compliance obligations. Indeed, failure to identify and address privacy and security considerations with service providers may create exposure for ERISA fiduciaries. Section 404(a) of ERISA generally requires a fiduciary to discharge his duties with respect to a plan "solely in the interest of the participants and beneficiaries" and "with the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims." Hiring a service provider to provide services to an ERISA-covered employee benefit plan is itself a fiduciary act because it requires discretionary control or authority over plan administration. Similarly, removing or retaining a service provider is a fiduciary act.[3] To date, the U.S. Department of Labor has not provided guidance regarding the contours of this responsibility.

DATA BREACHES INVOLVING EMPLOYEE BENEFIT PLANS

Data breaches involving employee benefit plans are not limited to the recent high-profile cyber-attacks on health insurers. Even prior to these data breaches, there had been numerous other reported incidents involving employee benefit plans. A 2011 report by the Advisory Council on Employee Welfare and Pension Benefits Plans[4] identifies the following ways breaches have occurred with respect to retirement plans:

- Failure to install security system updates
- E-mail hoax (phishing attack)
- Downloads of plan information to a home computer
- Social Security numbers mailed to wrong addresses
- Using the same password for multiple clients

Phase I audits of covered entities under HIPAA identified additional data breaches involving medical plans, including:

- Unencrypted information on laptops
- Failure to implement physical safeguards at workstations
- Return of photocopiers without erasing data contained on hard drives
- Lost documents with protected health information (PHI)
- Disposal of prescriptions in trash containers accessible to the public[5]

There is little doubt that there are a myriad of ways that participant and beneficiary information may be accessed by unauthorized users.

REGULATED PERSONAL INFORMATION

A plan fiduciary may have an obligation to protect plan-related information separate and apart from ERISA based on the type of data that is at issue. Each information privacy statute tends to define its own particular concept of personal information.[6] These laws include the Fair Credit Reporting Act, the Fair and Accurate Credit Transactions Act, the Gramm-Leach-Bliley Act, state identity theft laws, state data breach notification laws, state information security laws, state laws protecting Social Security numbers, and state laws requiring proper disposal of personal information. It is unwise to assume that these laws will not apply to ERISA-covered employee benefit plans. ERISA generally will not preempt other federal laws, and the extent to which ERISA preempts state laws is unclear. To date, the US Department of Labor has not expressed a view regarding the extent to which state laws would be preempted as "relating to" an employee benefit plan.[7] Although one court has found invasion of privacy claims to be preempted by ERISA,[8] it does not appear that there are reported cases finding actions by state regulators due to a data breach to be preempted by ERISA.

SERVICE PROVIDER MANAGEMENT AS REGULATED ACTIVITY

Providing sensitive personal information to a service provider can expose a plan fiduciary to risk. The service provider will have access to sensitive personal information outside of the protective boundaries, virtual and physical, of the plan. This access triggers additional regulatory obligations that require plan fiduciaries to take certain affirmative steps to protect that sensitive personal information.

A plan fiduciary should not assume that the service provider will take on any obligations that the plan may have to protect sensitive personal information. Some service providers may function in a regulated industry requiring them to develop security methodologies to protect personally identifiable information; however, others do not. Service providers often do not operate in the same industry as the plan fiduciary, nor are they likely to be subject to the same compliance obligations. It is prudent for plan fiduciaries to select service providers capable of protecting sensitive participant and beneficiary information and to obligate them, by written contract, to protect that information. As is often said, "You can outsource the work, but you cannot outsource the responsibility." It is important to check that the service provider implements appropriate privacy and security systems and that all groups with access to the plan's sensitive personal information are obligated to protect that information. These service provider relationships should be subject to substantially similar risk management, security, privacy, and other protection policies that would be expected if the plan fiduciary were conducting the activities directly. Following a data breach, regulators often review and evaluate the role of the service provider, the due diligence that was performed before selecting the service provider, and the contract provisions with respect to privacy and data security obligations and responsibilities. Without a concerted approach to address these issues, plan fiduciaries can be vulnerable on many fronts.

RESPONSIBILITY FOR SERVICE PROVIDERS' DATA SECURITY FAILURES

A recent PricewaterhouseCoopers LLP survey observed that the percentage of cyber incidents attributed to current and former service providers, consultants, and contractors increased from 16 and 13 percent to 18 and 15 percent, respectively.[9] Of the companies surveyed, just over 54 percent, representing diverse industries, require third parties, including outsourcing service providers, to comply with their privacy policies.[10] Because service providers often are recognized as the weak link in any corporate privacy management program, federal and state laws have adopted requirements to address this risk to the protection of personal information.[11] Among the governing laws, enforcement actions, and industry standards requiring service provider management of regulated personal information are the following:

- HIPAA and its Business Associate Requirements;
- Federal Trade Commission (FTC) data security enforcement actions against company failures to oversee service providers with access to personal information;
- State information security laws requiring oversight of data-related service providers;
- The Gramm-Leach-Bliley Act; and
- Payment Card Industry Data Security Standards.[12]

The FTC enforcement actions provide useful examples of the requirements expected of an entity that shares sensitive personal data with external service providers. In a number of its enforcement actions, the FTC has critiqued companies for inadequate third-party management[13] and, most recently, has taken enforcement actions to make the point.[14] The message is clear that the FTC is now requiring companies to: (1) exercise due diligence before hiring data-related service providers; (2) have appropriate protections of personal information in their contracts with data-related service providers; and (3) take steps to verify and monitor that the data-related service providers are adequately protecting the information.

The FTC's service provider case, In re GMR Transcription Services Inc., provides an example of these allegations and consent order requirements. The GMR case involved the inadvertent exposure of personal medical data maintained by GMR, a company that provides medical transcription services. The FTC concluded that GMR's failure to adequately choose, contract with, and oversee a data service provider constituted an unfair and deceptive trade practice in violation of Section 5 of the Federal Trade Commission Act.[15] According to the FTC complaint, GMR failed to adequately verify that its data service provider implemented reasonable and appropriate security measures to protect the personal information stored on the provider's network and computers. Moreover, the FTC faulted GMR for failures in contracting with its data service provider. The FTC alleged that GMR failed to: (1) require the provider by contract to adopt and implement appropriate security measures to protect personal information; and (2) take adequate measures to monitor and assess whether the provider employed measures to appropriately protect personal information under the circumstances. The FTC additionally found GMR to be deficient in conducting due diligence before hiring its data service provider. Under the terms of GMR's settlement with the FTC, GMR and its owners are prohibited from misrepresenting the extent to which they maintain the privacy and security of consumers' personal information.

Further, they must establish a comprehensive information security program that will protect consumers' sensitive personal information, including information the company provided to independent service providers. In addition, the company must have the program evaluated both initially and every two years by a certified third party. As is typical of these FTC enforcement actions, the settlement will remain in force for the next 20 years. The GMR settlement signals that the FTC will hold companies to a high bar with regard to third-party vendor management and oversight when it involves personal information.

In addition to the FTC, state attorneys general have required companies to incorporate vendor management programs in settlement agreements for violations under state consumer protection statutes. For example, in late 2014, six state attorneys general[16] collectively entered into an Assurance of Voluntary Compliance with PointRoll, Inc., that was intended to resolve the states' investigation into whether PointRoll engaged in any unlawful or deceptive trade practices in violation of the state consumer protection statutes.[17] As part of its settlement agreement and for the protection of its consumer information, PointRoll was required to implement a privacy program that included taking reasonable steps to select and use only certain third-party service providers. Those providers must either agree to comply with PointRoll's privacy policies and data security protocols, or be subject to policies and protocols that are at least equivalent to those of PointRoll.

Certain state laws reflect a similar approach. At least 12 states[18] require all companies that process personal information of a resident of that state, regardless of industry, to implement safeguards designed to protect such information. Under these state information security laws, the term "personal information" generally is defined to include an individual's name in combination with some other piece of data that could be used to commit fraud or identity theft, such as a payment card number, financial account number, Social Security number, or any other government-issued identifier. Massachusetts is particularly noteworthy in its explicit requirement for effective service provider management. Before a company can provide its personal information to a service provider, the Massachusetts Data Security Regulation affirmatively requires that the company:

(1) Take reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information; and
(2) Require such third-party service providers by contract to implement and maintain such appropriate security measures for personal information.[19]

Each state's law applies only to the extent that the plan fiduciaries maintain personal information about a resident of that particular state. If the plan does not process any personal information of a Massachusetts resident and will not be sending any Massachusetts information to a service provider, then Massachusetts law will not apply. However, even then, there is no question that it has become a generally accepted practice and an advisable risk mitigation tool for companies in any industry to implement a data-related service provider management program that meets these obligations.

STEPS TO TAKE

In light of the foregoing considerations, the plan fiduciary should consider taking the following steps when selecting and contracting with service providers that will handle sensitive personal information of participants and beneficiaries:

Conduct Effective Due Diligence

The starting point for defining service provider privacy requirements is to understand the plan fiduciary's own privacy and data security requirements. Then it will want to determine, based on the services that would be provided by the service provider, which requirements apply. This work will likely be conducted during the request for proposal (RFP) process and can be built into the RFP documents, requiring service providers to respond to the due diligence. The plan fiduciary may want to incorporate some of the service provider's representations, made during due diligence, into the binding contract terms. There are many subject areas to explore during the due diligence phase. For example:

- What is the track record of the service provider? What are its resources?
- How will the service provider use the personal information?
- Where will the personal information be stored and processed?
- Does the service provider itself intend to use subcontractors, including its affiliates, and where are they located?
- What security does the service provider apply to personal information? Will the service provider provide the security that the plan fiduciary requires based on its own obligations?
- What reporting does the service provider provide?
- What auditing is done (e.g., Service Organization Controls (SOC) 1 and SOC 2 reports)?

The due diligence should be documented in a manner that provides the plan fiduciary with a defensible record should a data breach occur and its service provider practices be challenged. A list of due diligence questions designed to elicit these and other critical security issues is advisable.

Recommended Contracting Practices for Privacy and Data Security Issues

When the due diligence is complete, the plan fiduciary will want to ensure that appropriate protections are built into its service provider contract. These protections include thoughtful contractual provisions related to confidentiality, appropriate and limited use of the provided data set, data security, audit rights, risk allocation, and remedies. The plan fiduciary should consider including a detailed security schedule in order to provide sufficient detail on required security obligations. Ongoing service provider monitoring and management also are essential. The level of oversight needed will depend on the amount and sensitivity of the personal information being processed. Apart from other commercial contracting issues, the service provider contract should address many privacy and data security issues. For example:

- Privacy and data security obligations should be separate from confidentiality obligations.
- The service provider should agree to cooperate with the plan fiduciary to enable the plan fiduciary to meet its regulatory and legal obligations.
- The service provider's use of personal information must be limited to what is necessary for the delivery of the services.
- As between the service provider and the plan fiduciary, the plan fiduciary is the owner of the personal information.[20]
- The service provider's use of subcontractors should be subject to the plan fiduciary's consent and to the service provider's obligation to flow down privacy and data security obligations.
- Security obligations should be detailed and added to the minimum security requirements dictated by law.
- The service provider's reporting obligations should be specified with respect to any compromise of personal data or of a system containing personal data.
- The service provider should be required to reimburse the plan fiduciary for expenses, costs, and the like associated with any data breach occurring under its control.
- The service provider's auditing requirements must be specified.
- The service provider's obligations for data retention, disposal, and destruction should be consistent with the plan fiduciary's regulatory obligations.

Risk allocation provisions relating to privacy, data security, and confidentiality deserve careful attention. These are not regulatory issues; rather, they are commercial issues indicative of the leverage and relationship between the parties. Among these issues are: (1) whether damages for violations of confidentiality, privacy, and data security obligations are unlimited or capped by a limitation of liability or by a special limitation of liability devoted to these issues (i.e., a "super cap"), and (2) whether the recommended service provider's full hold-harmless indemnity for third-party claims based on privacy and data security violations is unlimited or capped by a limitation of liability or by a super cap.

Oversight and Monitoring

A plan fiduciary's oversight responsibilities do not end when the contracts are signed. Action should be taken to assess whether service providers are adhering to the agreed-upon practices for data privacy and security. In addition, agreed-upon practices should be reviewed and updated from time to time in light of the shifting and evolving threats to ensure that the service provider is keeping current with reasonable security practices.

CONCLUSION

Employee benefit data breaches will recur and are now a fact of life. Plan participants and beneficiaries have become sensitized to the vulnerability of their personal information, and it is reasonable to expect that they will look to plan fiduciaries to protect that information. State regulators and the FTC are alert to these issues, as is the US Department of Labor. Given that service providers often have been the point of entry for attacks on plan data, plan fiduciaries are well served by conducting defensible due diligence in selecting providers, incorporating specific privacy and data security obligations into a binding agreement with the service provider, and monitoring the service provider's ongoing compliance with those obligations. These steps should reduce the risk of data breaches affecting the sensitive personal information of plan beneficiaries and participants and, if one occurs, reduce the exposure of the plan and its fiduciaries.

NOTES

1. FBI Cyber Division, Private Industry Notification, "Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain" (April 8, 2014).

2. IBM and Ponemon Institute LLC, 2014 Cost of Data Breach Study: United States (May 2014).

3. See Advisory Council on Employee Welfare and Pension Benefit Plans, Privacy and Security Issues Affecting Employee Benefit Plans (November 2011) (the "2011 ERISA Advisory Council Report") (setting forth recommendation that the U.S. Department of Labor "provide guidance concerning the protection of PII [personal identifiable information] as a fiduciary responsibility and the extent PII of benefit plan participants and beneficiaries should be protected in plan administration"). Available at [URL omitted].

4. See 2011 ERISA Advisory Council Report (describing the current legal environment with respect to data privacy obligations outside of ERISA).

5. The U.S. Department of Health and Human Services Office for Civil Rights has recently sent pre-audit screening surveys to a pool of covered entities that may be selected for a second phase of audits of compliance with the HIPAA Privacy, Security and Breach Notification Standards. See McDermott Will & Emery LLP, "OCR Launches Phase 2 HIPAA Audit Program with Pre-Audit Screening Surveys" (May 18, 2015) (describing the selection of Phase 2 audit recipients, the audit process, and steps to take in preparing for Phase 2 audits).

6. Some statutory approaches define "personal" as meaning any information that identifies a person. Others focus on nonpublic information, exemplified by the Gramm-Leach-Bliley Act, which defines "personally identifiable financial information" as "nonpublic personal information." Still others, notably state data breach notification laws, list specific types of data that constitute personal information triggering data breach notification requirements. These definitions tend to include data that could be used to commit financial fraud or identity theft, such as a person's first name and last name, or first initial and last name, in combination with a Social Security number, driver's license number, financial account number, or credit or debit card number. Many states are amending their current data breach notification laws to broaden the definition of personal information to include a person's name in combination with a birth or marriage certificate, medical and health insurance information, unique biometric data, and a username or e-mail address in combination with a password. See, e.g., Wyoming Senate Bill S.F.36, available at [URL omitted], last accessed May 17, 2015; Florida Information Protection Act of 2014 (SB 1524), available at String=&URL= /0501/Sections/ html, last accessed May 17, 2015.

7. In 2011, the Joint Committee on Employee Benefits of the American Bar Association requested informal guidance that breach of a state law violation due to an administrator providing personally identifiable information to service providers to generate approved participant communications would be preempted by ERISA because it interfered with plan administration. The US Department of Labor declined to answer the question, noting that it would need to review the specific state statute and how "[the] statute relates to" an ERISA Plan. See Q&A 19 Preemption, Questions and Proposed Answers for the Department of Labor Staff for the 2010 Joint Committee on Employee Benefits Technical Session held on May 5, 2010, available at aba/migrated/2011_build/employee_benefits/2010dol_qa.authcheckdam.pdf, last accessed May 17, 2015.

8. In re GM, 3 F.3d 980 (6th Cir. 1993) (finding a right to privacy claim preempted by ERISA in the context of an alleged breach of Employee Assistance Plan confidentiality provision).

9. See PwC, CIO and CSO magazines, Global State of Information Security Survey 2015, available at [URL omitted], last accessed May 17, 2015.

10. See id.

11. Industry standards under applicable law requiring service provider management of regulated personal information include the following: (1) HIPAA and its Business Associate Requirements; (2) FTC data security enforcement actions against company failures to oversee service providers with access to personal information; (3) state information security laws requiring oversight of data-related service providers; (4) the Gramm-Leach-Bliley Act; and (5) the Payment Card Industry Data Security Standards. See Information Supplement: Third-Party Security Assurance, Third-Party Security Assurance Special Interest Group, PCI Security Standards Council (Aug. 2014), available at PCI_DSS_V3.0_Third_Party_Security_Assurance.pdf. See also 2011 ERISA Advisory Council Report (describing the legal environment with respect to laws that may apply outside of ERISA).

12. See Information Supplement: Third-Party Security Assurance, Third-Party Security Assurance Special Interest Group, PCI Security Standards Council (Aug. 2014), available at Security_Assurance.pdf, last accessed May 17, 2015.

13. See, e.g., Complaint, In re Credit Karma, Inc., File No. (Aug. 13, 2014), available at pdf, last accessed May 17, 2015; Complaint, In re CBR Systems, Inc., File No. (April 29, 2013), available at cases/2013/05/130503cbrcmpt.pdf, last accessed May 17, 2015.

14. See, e.g., Decision and Order, In re Snapchat, Inc., File No. (Dec. 23, 2014), available at [URL omitted]. The FTC ordered Snapchat to develop a comprehensive privacy security program that included "the use of reasonable steps to select and retain service providers capable of maintaining security practices consistent with th[e] order, and requiring service providers by contract to implement and maintain appropriate safeguards to protect the privacy and confidentiality of personal information."

15. See Complaint, In re GMR Transcription Services, Inc., File No. (Jan. 31, 2014), available at pdf, last accessed May 17, 2015; Agreement Containing Consent Order, In re GMR Transcription Services, Inc., File No. (Jan. 31, 2014), available at ftc.gov/system/files/documents/cases/140203gmragree.pdf (13 PVLR 211, 2/13/14), last accessed May 17, 2015; Decision and Order, In re GMR Transcription Services, Inc., File No. (Aug. 21, 2014), available at cases/140821gmrdo.pdf, last accessed May 17, 2015.

16. Attorneys general from Connecticut, Florida, Illinois, Maryland, New Jersey, and New York.

17. See Assurance of Voluntary Compliance, In re Pointroll, Inc. (Dec. 10, 2014), available at [URL omitted], last accessed May 17, 2015.

18. Arkansas, California, Connecticut, Florida, Indiana, Maryland, Massachusetts, Nevada, Oregon, Rhode Island, Texas, and Utah.

19. See 201 Mass. Code Reg. (2008) (emphasis added). See also Nev. Rev. Stat. (requiring encryption for personal information transmitted electronically outside of a security system).

20. This is a critical term and one that is often neglected. Failure to address this ownership issue could have implications beyond these privacy and data security issues. For example, such an omission could adversely affect the right of the plan fiduciary to obtain the data upon expiration or termination of the agreement.

Copyright 2015 CCH Incorporated. All Rights Reserved. Reprinted from Benefits Law Journal, Summer 2015, Volume 28, Number 2, pages 81-92, with permission from Wolters Kluwer, New York, NY.


More information

12/4/2013. Regulatory Updates. Eric M. Wright, CPA, CITP. Schneider Downs & Co., Inc. December 5, 2013

12/4/2013. Regulatory Updates. Eric M. Wright, CPA, CITP. Schneider Downs & Co., Inc. December 5, 2013 Regulatory Updates Eric M. Wright, CPA, CITP Schneider Downs & Co., Inc. December 5, 2013 Eric M. Wright, CPA, CITP Eric has been involved with Information Technology with Schneider Downs since 1983. He

More information

How To Understand And Understand The Benefits Of A Health Insurance Risk Assessment

How To Understand And Understand The Benefits Of A Health Insurance Risk Assessment 4547 The Case For HIPAA Risk Assessment Leader s Guide IMPORTANT INFORMATION FOR EDUCATION COORDINATORS & PROGRAM FACILITATORS PLEASE NOTE: In order for this program to meet Florida course requirements,

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information