Recently, the Supreme Court handed down its much-anticipated opinion in Universal Health Services, Inc. v. United States ex rel. Escobar et al.—a case addressing the viability of the implied certification theory in FCA litigation.  Justice Thomas, writing on behalf of a unanimous Court, found that the implied certification theory can in fact serve as

The DOJ recently intervened in a lawsuit against Prime Healthcare Services, Inc., and its subsidiaries (“Prime”). The lawsuit alleges that Prime submitted claims for medically unnecessary services and routinely pressured its staff to exaggerate Medicare beneficiaries’ illnesses in order to increase the number of inpatient admissions and billed for services as inpatient admissions that should

Employee benefit plan data stored online may include participants’ names and Social Security numbers, account information and protected health information (PHI), all of which are inviting targets for hackers. Highly publicized data breaches in recent years have called attention to the obligations of benefit plan administrators (typically the employers sponsoring the plans) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to safeguard PHI.
These data breaches are also causing benefit plan administrators and other fiduciaries under the Employee Retirement Income Security Act of 1974 (ERISA) to consider whether their ERISA responsibilities include securing online plan data from cyberattacks, especially as to 401(k) and other benefit plans that are not subject to HIPAA. Although definitive guidance has not been provided, fiduciaries would be well-advised to proceed on the assumption that cybersecurity is an ERISA issue.
The Cybersecurity ERISA Regulatory Gap
When ERISA was enacted, the predecessor to today’s Internet was in its formative years. Although online storage of benefit plan data has been the norm for some time, Congress has not amended ERISA to address cybersecurity. Moreover, the Department of Labor (DOL), which is charged with enforcing ERISA, has not formally addressed cybersecurity in the ERISA context.
In 2011, the ERISA Advisory Council, established to advise the Secretary of Labor, recommended that the DOL issue guidance on the obligation of plan fiduciaries to secure and keep private the personally identifiable information of plan participants and beneficiaries. In a recent release, the current council indicated that its goal is to offer the DOL draft materials that will help plan sponsors understand, evaluate and protect benefit plan data and assets from cybersecurity risks.

Last week, social media giant Facebook announced an expansion of its online advertising business to include serving ads to users who are not members of Facebook. Under a press posting titled “Bringing People Better Ads,” Facebook decried ads that are “annoying, distracting or misleading” and talked about its efforts to do better.  This move highlights again the sometimes contentious topic of Internet ads and ad-blocking technology. Internet advertising and the technological and social aspects of ad-blocking have important consequences for user privacy and data security, both for individuals and for enterprises.
In the press information posted on its news site, Facebook talked about some of the issues raised by “bad” advertising. Much of the discussion of ads and ad-blocking has focused on user inconvenience and consumer ethics. On the one hand, Internet advertising slows the retrieval of requested content, utilizes megabytes of expensive bandwidth, drains power-thirsty mobile batteries, and annoys users with unexpected sound and video. On the other hand, some ask whether it is right to block ads but still consume ad-supported content when, as Facebook noted, “apps rely on advertising to pay the bills.”
The ad-blocking debate also has an “us” versus “them” element, as Internet companies dependent on advertising revenue are pitted against those that profit from device sales. Indeed, the expansion of ad-blocking to some mobile platforms last year was seen by some as a competitive step by smartphone providers aimed at search and social network companies.

On May 16, 2016, the U.S. Supreme Court held in Spokeo, Inc. v. Robins that a bare procedural violation of a statutory requirement, divorced from any concrete harm, does not establish the injury-in-fact necessary to maintain a lawsuit in federal court.  The Court acknowledged, however, that an alleged violation of a procedural statutory right could

The FCA’s implied certification theory is based on the concept that every time a payee submits a claim to the government it has impliedly certified compliance with all contractual, statutory, and regulatory obligations, and therefore, is entitled to payment. While the courts are currently divided on whether implied certification is a valid theory of liability, the courts that

Electronic I-9 software can be very attractive to companies looking to improve efficiency and ensure compliance, not to mention the elimination of the file drawers that once housed voluminous paper I-9 files. However, buyer beware: not all electronic I-9 software meets the federal regulations’ requirements. And the problem for well-meaning companies: ICE will still hold the