ERISA Fiduciaries, Data Privacy and Cybersecurity Risks...


Transcript of ERISA Fiduciaries, Data Privacy and Cybersecurity Risks...

Page 1: ERISA Fiduciaries, Data Privacy and Cybersecurity Risks (media.straffordpub.com/products/erisa-fiduciaries-data-privacy-and..., 20/06/2017)

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

Presenting a live 90-minute webinar with interactive Q&A

ERISA Fiduciaries, Data Privacy and Cybersecurity Risks: HIPAA, HITECH, and ERISA Preemption of State Data Breach Laws

Responding to Data Breaches of Healthcare Administrators and Retirement Plans, Minimizing Risks with TPAs

TUESDAY, JUNE 20, 2017
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

Saad Gul, Partner, Poyner Spruill, Raleigh, N.C.
Michael E. Slipsky, Partner, Poyner Spruill, Raleigh, N.C.
Brenna A. Davenport, Poyner Spruill, Charlotte, N.C.

Page 2

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.

If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-258-2056 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

FOR LIVE EVENT ONLY

Page 3

Continuing Education Credits

In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar.

A link to the Attendance Affirmation/Evaluation will be in the thank you email that you will receive immediately following the program.

For additional information about continuing education, call us at 1-800-926-7926 ext. 35.

FOR LIVE EVENT ONLY

Page 4

Program Materials

If you have not printed the conference materials for this program, please complete the following steps:

• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.
• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.
• Double click on the PDF and a separate page will open.
• Print the slides by clicking on the printer icon.

FOR LIVE EVENT ONLY

Page 5

ERISA Fiduciaries, Data Privacy and Cybersecurity Risks

Poyner Spruill LLP
www.poynerspruill.com

Page 6

Mike Slipsky

Trends in ERISA Data Breaches: Health Care and Retirement Plans

www.poynerspruill.com

Page 7

Health care and retirement plans are target-rich environments for cybercriminals.

Page 8

Cybersecurity threats affecting benefit plans are not unique to benefit plans:

• Identity theft
• Ransomware
• Phishing
• Wire fraud
• Malware

Page 9

The Chicago Deferred Compensation Plan is a Section 457(b) defined contribution plan with more than $3 billion in assets.

Identity theft and fraud attack.

Perpetrators independently obtained participants' personal information, which they then used to take out fraudulent loans from participants’ accounts.

$2.6 million taken from 58 accounts

Page 10

UFCW Local 655 Food Employers Joint Pension Plan

Ransomware Attack

Multi-employer defined benefit plan that had assets of approximately $569 million at the end of 2015

Page 11

Ransomware

Software that uses tools to encrypt or “lock” the data located on the device or network to prevent access unless what is, in effect, a monetary ransom is paid to the attacker for a “key” to unlock and retrieve the data.

Page 12

Hackers took control of one of the plan’s servers and demanded three bitcoins, then worth about $2,000.

The ransom was not paid and the plan used a backup server to recreate the information.

Page 13

Anthem Insurance Companies, Inc. Phishing Attack

• Data breach was discovered in January 2015 but began in February 2014
• A user in Anthem’s Amerigroup subsidiary opened a phishing e-mail, which downloaded malicious files to the user’s local system, allowing the attacker to gain remote access

Page 14

Under settlement with regulators, Anthem is spending $260 Million on improving its cybersecurity measures.

Page 15

In the pending class action suit, the Plaintiffs seek damages arising from:

• Overpayment for services
• Theft of Plaintiffs’ PII
• Out-of-pocket losses
• Risk of imminent identity theft

Page 16

The huge size of the plaintiff class in Anthem and the creative damages theories being advanced could overcome the obstacles that have heretofore prevented the plaintiffs’ bar from monetizing data breaches.

Page 17

Saad Gul

ERISA Fiduciary Obligations With Respect To Data Breaches

www.poynerspruill.com

Page 18

ERISA sponsors may be responsible under “prudent expert” standard

Familiar language imposes requirement to act “with the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims.” 29 USCS § 1104(a)(1)(B)

Page 19

ERISA does not specifically refer to data protection as a fiduciary duty, but requires each plan fiduciary to discharge his duties with “care, skill, prudence and diligence” (ERISA § 404(a)(1)).

Liability for breach of fiduciary duty under ERISA can be limited by contractually delegating the duty to a third party.

Page 20

Cybersecurity is not a specifically designated TPA responsibility in any agreement we have reviewed.

Page 21

However, the selection remains a fiduciary function, so the administrator still has a responsibility to vet potential third party cybersecurity practices.

• Duty to monitor
• Duty to act in event of notice of data breach

Page 22

Technical Issues

Does participant data in either welfare or pension plans constitute a “plan asset”?

And are persons who are responsible for managing or controlling such data “managing a plan asset” so as to render them fiduciaries under ERISA § 3(21)?

Page 23

Prediction: Data will ultimately be deemed a plan asset

Page 24

There is no regulation or decision imposing this in the context of data breaches or cyber-security in general.

On November 10, 2016 the ERISA Advisory Council stated that it would not address the issue of whether cybersecurity was a fiduciary responsibility under ERISA.

Page 25

• Difficulty with definitive determination
• Patchwork of technology and laws, with successor liability and arcane tax issues
• U.S. Cyber Command was discovering 600,000 new malware variants a day
• Concerns that there are too many variables for a single fiduciary standard

Page 26

Why “prudent care standard” applies

Decisions to date have turned on different grounds.

Analysis of opinions and regulatory guidance indicates that ERISA requires “prudent care standard” to extend to cybersecurity functions.

Page 27

ERISA has no prescribed standard

• Necessitates piecemeal adjudication akin to tort.
• Risk of harm is judged retroactively, which is risky.
• Easier to rebut plaintiff allegations if:
  • Paper trail documenting security requirements, even if flexible – with commensurate flexibility
  • Adherence to industry standards (NIST SP 800-53) can be shown

Page 28

“Prudent Care Standard”

• Is the only available benchmark in absence of congressional action to impose HIPAA-type statutory penalties
• Could be a safe harbor if cybersecurity concerns documented

Page 29

Trends In ERISA Preemption Litigation

Page 30

Since the United States has acted to preempt state regulation of private employer plans, states may not enforce laws that interfere with ERISA.

Do data breach laws interfere with federal goal of uniformity in plan administration? Precedents would say yes.

Supreme Court

Page 31

ERISA Preemption

• Preempts all state laws that relate to an employee benefit plan.
• Plan participants may bring civil action under ERISA against plan administrator.

Page 32

Difficulties underscored by most recent decision: Gobeille

• The state law at issue required all Vermont insurers, including ERISA plans, to report claims data to the state.
• In 6-2 Kennedy opinion, SCOTUS concluded that reporting, disclosure, and record keeping are central ERISA functions.
  • Vermont’s reporting regime intruded upon a central matter of ERISA plan administration and interfered with nationally uniform plan administration.
  • Only the Secretary of Labor may enact reporting requirements for ERISA plans.

Page 33

No court has ruled on an ERISA preemption defense in the context of a data breach or other cybersecurity claim.

Page 34

However, state laws that offer a remedy that supplants ERISA’s exclusive remedial structure, e.g. imposing a duty to exercise ordinary care in decision-making, have been found to be preempted.

Page 35

ERISA TPAs are likely subject to additional regulation as “affiliates” of other regulated entities, e.g. NY DFS cybersecurity rules.

Page 36

ERISA Preemption Prediction:

Claim premised entirely on state law breach will be preempted.

But bulk of “breach” damages stem from auxiliary injuries, especially contract damages.

Page 37

SEC and FINRA audits suggest that cybersecurity is now fundamental to administration and governance obligations.

Page 38

If the only issue in litigation is compliance with state breach notification laws, ERISA preemption is likely.

But even under deferential standard of review, ERISA administrators and fiduciaries have to demonstrate “prudent expert” compliance.

Page 39

Brenna Davenport

Take-Aways from Anthem Breach

www.poynerspruill.com

Page 40

Consider the framework on which to base your strategy

• SAFETY Act
• NIST
• SPARK
• AICPA
• Industry initiatives

Page 41

Ownership of the strategy

• Implement data loss prevention tools
• Incident response plan
• Quick notice to affected individuals
• Two-factor authentication/behavioral biometrics
• Encryption
• Limit access

Page 42

Understand the Data

• Limit data collection and delete data that is no longer needed
• Identify data flow
• Control data flow

Page 43

Testing and Updating

• Monitor users (user behavior analytics)
• Audit compliance

Page 44

External Certifications

• SSAE 16
• ISAE 3402
• Safety Act

Page 45

Reporting and Improvement

Page 46

Training of workforce

Page 47

Hiring (and firing) practices

Page 48

Check the practices of service providers and protect yourself

• Often the weakest link in a data system is the third party
• Potential fiduciary responsibility
• Vet the service provider before you ever get to the contract

Page 49

Ask Questions

• Does it have a program?
• What is the program?
• Who enforces the program?
• How does it respond to threats and actual breaches?
• How often does it review and rate its systems for security?
• What controls are in place for sensitive data?

Page 50

Contractual protections/checklist

NOTE: TPA forms are generally old and don't reflect cybersecurity concerns -- it's not to a TPA's benefit to offer you additional protections, so you have to negotiate.

Page 51

Data protection warranties

• Comply with TPA privacy/security policies (vet the same)
• Comply with applicable law
• Comply with industry standards (ISO 27001)
• Annual audits from nationally recognized independent third party (provide a copy of report)
• Fiduciary responsibility

Page 52

Confidentiality of data and use restrictions

• Use plan participant data solely to provide services
• Keep in USA (require advance approval otherwise; reserve termination right if don't approve)
• Vetting of subcontractors

Page 53

Breach Response

• Promptly notify plan sponsor/administrator (24 hours – 3 days)
• Duty to mitigate and preserve evidence
• Cooperate to perform an assessment and develop action plan for remediation
• TPA responsible for remediating the breach and using all commercially reasonable efforts to prevent recurrence
• Keep plan sponsor/administrator up to date on breach response

Page 54

Liability and risk allocation

• Hold the TPA responsible for cybersecurity breach
• TPA may carve out a limitation of consequential damages, etc., but it is reasonable to require coverage of:
  • Reasonable investigative and legal costs, actual fines/penalties, compliance and breach reporting costs, credit monitoring
  • Indemnification from participant (and other third party) claims
  • Any cap should be high enough to permit substantial recovery
• Insurance
  • Amount
  • Quality/rating of insurance company
  • Plan sponsor/administrator named as additional insured

Page 55

Termination

• For data breach
• Post-termination data migration
• Destruction of records

Page 56

Thank You

Mike Slipsky, Partner
[email protected]

Saad Gul, Partner
[email protected]

Brenna Davenport, Associate
[email protected]

www.poynerspruill.com