Under the Employee Retirement Income Security Act (ERISA), plan fiduciaries and sponsors are subject to duties of prudence and loyalty — which courts and regulators increasingly interpret to require careful vendor selection and robust ongoing cybersecurity oversight, especially for vendors with access to protected health information (PHI) and personally identifiable information (PII).
The Department of Labor’s (DOL) Cybersecurity Guidelines emphasize that fiduciaries must evaluate vendor cybersecurity practices, require breach notifications, conduct risk assessments, require vendor audits, and maintain documentation of their oversight efforts. The DOL guidelines also make clear that fiduciaries remain responsible for the cybersecurity oversight of their vendors. Fiduciary duty includes protecting plan assets, which may include PII/PHI and certainly extends to the financial aspects of the plan. Furthermore, there is some discussion that the data itself could be considered a plan asset subject to fiduciary protection, regardless of whether any financial loss occurs.
Given the volume of financial transactions that plans carry out, and the large amount of plan assets being distributed, it is no surprise that the DOL issued cybersecurity guidance in an effort to protect the benefits of America’s workers. In addition to the direct threat that threat actors/hackers pose to plan assets, there is a growing wave of litigation involving cybertheft-related fraud, and an argument that plan sponsors could face liability for insufficient vendor cybersecurity practices even when the breach occurs at a subcontractor.
Trustees can be sued for a data breach resulting from failure to uphold their fiduciary duties. Trustees are responsible for managing plan assets and participant information with a high level of diligence, including ensuring that appropriate cybersecurity measures are in place to protect sensitive data. If the trustees neglect to adopt reasonable data protection policies, fail to monitor third-party service providers, or ignore industry standards for cybersecurity, they may be deemed to have breached their fiduciary duty of care. Such negligence could expose them to significant legal liability if participants suffer harm from a breach.
Fiduciary duty also requires trustees to act solely in the interest of plan participants and beneficiaries. If a data breach leads to identity theft, financial loss, or medical fraud, and it can be shown that the trustees knew of specific vulnerabilities but failed to act, plaintiffs could argue that the trustees prioritized convenience or cost savings over participant protections. By law, this would violate the duty of loyalty. Courts could find that trustees breached their obligations by failing to act prudently in the selection and oversight of service providers that handle participant data, especially if those providers lacked proper cybersecurity safeguards.
Lawsuits against trustees in such cases may be brought under federal statutes like ERISA, which imposes fiduciary duties on those managing employee benefit plans. Additionally, plaintiffs could raise state law claims such as negligence or breach of confidence, depending on the circumstances. More significantly, and with potentially further-reaching consequences, it has been suggested that courts may hold trustees personally liable if they failed to maintain the confidentiality of personal health or financial information and this resulted in harm to plan members. To mitigate this risk, trustees must implement robust cybersecurity protocols, routinely assess their effectiveness, and document all actions taken to protect participant data.
Third-party vendors — like recordkeepers, claims administrators, and IT providers — therefore pose a significant cybersecurity risk to benefit plans. These vendors often have access to sensitive participant data, making them potential entry points for cyberattacks. As established above, trustees have a fiduciary responsibility to ensure that vendors safeguard member data by holding them to the same strict standards that apply to the trustees themselves. Courts and regulatory agencies, including the Department of Labor, have emphasized that fiduciaries cannot outsource their obligations. Failing to properly vet and monitor vendors is a breach of the trustees’ duty of prudence. This includes, for example, assessing vendors’ cybersecurity policies, incident response plans, encryption standards, and past breach history.
If a data breach results from a vendor’s failure to protect participant information, trustees will be scrutinized to verify that they exercised due diligence in selecting and overseeing that vendor. If they did not, those trustees will be held liable.
Fiduciaries are expected to conduct thorough initial evaluations and ongoing audits to ensure vendors meet industry security standards. This includes executing robust service agreements that clearly define security expectations, breach notification protocols, and liability provisions. Accordingly, if trustees fail to take these precautions and a breach results in participant harm, like identity theft or financial fraud, trustees could face lawsuits for breach of fiduciary duty under ERISA and related state claims.
ERISA fiduciary duty litigation tied to data privacy and cybersecurity is evolving rapidly. Given this trend, together with escalating DOL guidance and commentary treating PII/PHI as plan assets, fiduciaries must proactively integrate robust cybersecurity oversight into their ERISA compliance frameworks to mitigate litigation and regulatory risk. Trustees have a critical fiduciary obligation to protect the sensitive personal and health information of plan participants, which includes proper oversight of data security practices. A failure to implement and maintain reasonable cybersecurity measures, or to conduct due diligence when selecting and managing third-party vendors, can expose trustees to significant legal liability. As data breaches become increasingly common and costly, courts and regulators are holding fiduciaries to higher standards of care and vigilance. Therefore, to fulfill their legal and ethical responsibilities, trustees must deliberately prioritize cybersecurity as an essential element of plan administration, regularly reviewing internal practices and ensuring that all service providers meet strict data protection requirements. Taking these steps is necessary not only to protect participants but also to shield trustees from potential lawsuits and reputational harm, not only in a business capacity but possibly a personal one as well.
The Department of Labor emphasizes the importance of cybersecurity for those responsible for plan-related IT systems and data.