The Department of Labor issued three pieces of cybersecurity guidance, entitled (i) Tips for Hiring a Service Provider with Strong Cybersecurity Practices, (ii) Cybersecurity Program Best Practices, and (iii) Online Security Tips. Importantly, the Department noted that “[r]esponsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.” Stated another way, in the DOL’s view, a plan fiduciary can be personally liable for a cybersecurity breach if fiduciary obligations were not adequately discharged.
Central to the guidance is the Department’s view that plan sponsors should hire service providers that “follow strong cybersecurity practices.” In this vein, the guidance sets forth standards that plan sponsors should meet when contracting with service providers. According to the DOL, a service contract should require ongoing compliance with cybersecurity and information standards, and a plan sponsor should “beware contract provisions that limit the service provider’s responsibility for IT breaches.” The guidance goes on to suggest that the following terms should be included in a service agreement:
Information Security Reporting. The contract should require the service provider to annually obtain a third party audit to determine compliance with information security policies and procedures.
Clear Provisions on the Use and Sharing of Information and Confidentiality. The contract should spell out the service provider’s obligation to keep private information private, prevent the use or disclosure of confidential information without written permission, and meet a strong standard of care to protect confidential information against loss, misuse, or unauthorized access, disclosure or modification.
Notification of Security Breaches. The contract should identify breach notification timing and ensure the service provider’s cooperation to investigate and reasonably address the cause of the breach.
Compliance with Record Retention, Privacy and Information Security Laws. The contract should specify the service provider’s obligations to meet all applicable federal, state, and local laws pertaining to the privacy, confidentiality, or security of participants’ personal information.
Insurance. The contract should require insurance coverage such as professional liability, errors and omissions, cyber liability, privacy breach, fidelity bond and blanket crime. The DOL states that a plan sponsor should understand the terms and limits of any coverage before relying upon it as protection from loss.
Ensuring that the above service agreement provisions are in place is a sound step that a plan sponsor or administrator can take toward satisfying ERISA cybersecurity fiduciary obligations.