Larry Goldstein of McGuireWoods LLP writes:
Employee benefit plan data stored online may include participants’ names and Social Security numbers, account information and protected health information (PHI), all of which are inviting targets for hackers. Highly publicized data breaches in recent years have called attention to the obligations of benefit plan administrators (typically the employers sponsoring the plans) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to safeguard PHI.
These data breaches are also causing benefit plan administrators and other fiduciaries under the Employee Retirement Income Security Act of 1974 (ERISA) to consider whether their ERISA responsibilities include securing online plan data from cyberattacks, especially as to 401(k) and other benefit plans that are not subject to HIPAA. Although definitive guidance has not been provided, fiduciaries would be well-advised to proceed on the assumption that cybersecurity is an ERISA issue.
Read more on JDSupra.