JATCs are some of the most complicated ERISA funds to administer because they operate simultaneously as an ERISA plan, a business/employer, and a registered apprenticeship program. This means they must follow relevant rules and regulations for all the above.
In 2024, the Department of Labor (DOL) issued “DOL Compliance Assistance Release No. 2024-01,” clarifying that JATCs should do their best to follow the DOL’s cybersecurity best practices. Unfortunately, the release made it clear the DOL intends to hold JATCs responsible for cybersecurity measures currently imposed on retirement and health/welfare plans, which isn’t necessarily practical or realistic. This article is a starting point to help JATC training directors and coordinators find their footing and take control of their JATC’s cybersecurity.
The first thing a training director should do is familiarize themselves with existing DOL cybersecurity guidance. These are: “Cybersecurity Program Best Practices,” “Tips for Hiring a Service Provider,” and “Online Security Tips.” All three documents are on the DOL’s website — scan the QR code next to this paragraph to access them. We won’t address the guidance in these documents in detail here. If you have specific questions on this guidance, contact Secure Unions and/or an experienced JATC-focused attorney.
We’re talking about more than taking physical inventory here. The training director should familiarize themselves with the following:
What data does the JATC collect for both students and staff and how is it stored?
Data includes everything from personnel files to disciplinary records and applications.
Does the JATC have a formal, well-documented cybersecurity program?
If so, is it actually being followed? Does the program include a breach response plan?
Does the JATC have a data and document retention policy? If so, is that policy actually being followed?
Not following an existing policy is a negative in the event of a DOL audit.
Does the JATC conduct cybersecurity training for its staff?
If so, how often is that training conducted? What cybersecurity training is done when onboarding new hires and is it good enough?
Where are passwords kept and who has access to them?
Keeping passwords on a piece of notebook paper in the training director’s drawer is not sufficient protection for the DOL.
Once inventory is taken, the training director should present their findings regarding any concerning issues to the Board of Trustees. The Board of Trustees is the ultimate decision maker for the JATC, but the Board cannot decide to remedy an issue it’s not aware of. If the training director discovers an issue regarding cybersecurity protocol failures or policies not being followed, the JATC’s attorney and the Board of Trustees should be notified as quickly as possible. If the training director fails to notify the Board of such an issue in a timely fashion, the training director could be held personally liable for the consequences of their failure to address such issues, depending on the facts and circumstances. The training director should also work with the JATC’s attorney and a cybersecurity services provider (if one is retained by the JATC) to ensure the program is running in a manner that adheres to guidelines as best as possible.
The cybersecurity solutions recommended in the DOL’s Cybersecurity Program Best Practices can be very costly because the document was initially written specifically for retirement plans. Unfortunately, JATCs are often the least funded of their unions’ companion benefit plans and may not have the resources to implement all best practices listed by the DOL. The DOL has not addressed how a JATC, or other employee benefit fund with limited means, should prioritize which practices to implement if the budget is simply not there to meet all the best practices.
A JATC’s “best practice” (for lack of a better term) for compliance with the DOL’s cybersecurity guidance is for training directors to implement what they can, and work with the JATC’s attorney, Board of Trustees, and cybersecurity service provider to: