Cyber Security and Online Privacy Issues for Employee Benefit Plans

Posted by Paul D. Woodard | Aug 31, 2017 | 0 Comments

When most plan participants think about security involving their retirement plan, they are typically thinking along the lines of financial security and how their investments perform. However, like other financial institutions, retirement accounts are subject to cyber threats that could threaten users' privacy and other account information.

Retirement and health benefit plans may have a lot of detailed information about plan participants. This includes their name, date of birth, Social Security Number, bank information, email and physical addresses, and passwords or PIN numbers. Hackers and cyber criminals can use this information to access bank accounts, open new credit cards, or take out loans in someone else's name.

Last year, the ERISA Advisory Council drafted a report on cyber security titled “Employee Benefit Plans: Considerations for Navigating Cybersecurity Risks.” The report raises awareness of cybersecurity threats and provides information to plan sponsors, service providers, and fiduciaries regarding the development of risk management programs to address cybersecurity threats.

Examples of cyber threats cited in the report that are common today include:

  • Ransomware used by criminals to encrypt and seize an entire hard drive, only releasing it in exchange for a high ransom.
  • Phishing where fraudulent emails are sent with the objective of enticing the user to interact and inadvertently provide an avenue for a cyber-criminal to infiltrate a computer network.
  • Wire transfer email fraud where cyber criminals pretend to be senior executives asking employees to transfer funds.
  • Malware via external devices where intrusive and harmful software is stored on an external drive that is inserted into and executed on a network computer.

While companies are increasingly aware of the potential for theft of personally identifiable information, there continue to be weak and unprotected points of access to be aware of. Increasingly, data is accessed on mobile devices and stored using cloud-based services, which exposes it to additional cyber security threats.

The fact that there are many different users and service providers involved in benefits administration further complicates the issue. Everyone who comes in contact with personal information has a role to play in protecting that information. This includes cyber threat training and regular monitoring and reporting of threats to plan participants' personal information.

According to the report, “[l]arge employers and organizations are more likely to have the resources to obtain guidance on the management of personal information in benefit plans and to increase their due diligence efforts in this area. Small and mid-sized employers and organizations are less likely to have the resources to obtain this level of support and guidance.”

Many companies use third party administrators (TPAs) to manage employee benefits. However, while TPAs may have experience in handling benefit plans, not all TPAs “have a comprehensive and consistent regulatory framework to guide their data security programs.” Plan sponsors who use TPAs should be aware of the benefits of using service providers with robust cybersecurity policies and procedures. Fiduciaries should clearly spell out security obligations and responsibilities in their service agreements, including automatic breach notification and audit obligations.

If you have any questions about cybersecurity threats to employee benefit plans, contact your benefits and ERISA attorneys at Butterfield Schechter LLP. We are San Diego County's largest firm focusing its law practice on employee benefits. Our firm can help you safeguard plan participants' privacy and maintain compliance with ERISA regulations. Contact our office today with any questions on how we can help you and your business succeed.

About the Author

Paul D. Woodard

Paul Woodard practices in the areas of Employee Benefits, Employee Stock Ownership Plans, Pension and Profit Sharing Plans, ERISA, ERISA Litigation, Business Law, Qualified Domestic Relations Orders (QDROs), and Estate Planning.
