news & articles
Fiduciary Responsibility Under ERISA in the Event of a Security Breach
On February 4, 2015, the second largest health insurer in the country announced that it had suffered a major security breach and that, as a result, up to 80 million individual records had been stolen. Most of the extensive media coverage of this breach has focused on the type of data presumed to be stolen and what the health insurer’s obligations are to notify and provide identity protection services under HIPAA and the various state privacy laws; however, there are broader ERISA implications for employers.
When employers in the private sector establish and maintain employee benefit plans the employer is considered a fiduciary of those plans pursuant to ERISA. Under ERISA there are basic duties to act prudently, diligently and with care & skill in maintaining your company retirement and health care plans. In the case of a breach of private health information of employees (even if by a third party entity with whom the company has contracted), the company, as the plan sponsor, has the ultimate responsibility under ERISA to act for the benefit of plan participants and plan beneficiaries.
A 3/6/15 Haynes & Boone article details the HIPAA and broader ERISA responsibilities of employer sponsors of employee medical plans. It offers specific advice with respect to the large health insurer breach (that is impacting even other health plans) which can also serve as risk management guidelines for preparing for and responding to similar future events.
In addition, a Baker Hostetler presentation provides similar information in a slide format.
McGriff Employee Benefits Practice specialists are helping clients to address these compliance issues every day and would be available to answer any questions your firm may have. We in the Financial Services Division are monitoring for any impact this exposure may have on the fiduciary liability insurance marketplace.