Nearly two and a half years after the Federal Communications Commission's (FCC) July 2015 Order was appealed, the U.S. Court of Appeals for the District of Columbia Circuit issued its ruling on March 16, 2018. On appeal, over a dozen entities sought review of the 2015 Order, in which the FCC interpreted various aspects of
Spokeo Strikes Down Another Data Privacy Class Action
The Supreme Court’s decision in Spokeo, Inc. v. Robins continues to have an impact on class actions involving data privacy statutes. Most recently, a federal district court dismissed yet another class action involving claims under the Fair and Accurate Credit Transactions Act (FACTA) in Kirchein v. Pet Supermarket, Inc. for lack of subject matter jurisdiction…
Call Me Maybe: Equivocal Statements May Partially Revoke Consent Under TCPA
In a recent decision, the 11th U.S. Circuit Court of Appeals reversed a grant of summary judgment in favor of a bank on Telephone Consumer Protection Act (TCPA) claims, by holding that a consumer can partially revoke her previously provided consent.
In Schweitzer v. Comenity Bank, the plaintiff sued the bank under the TCPA…
Another Circuit Joins the Trend of Setting a “Low Bar” for Standing in Data Breach Actions
Consistent with a growing trend among courts nationwide, the D.C. Circuit Court unanimously held that a group of plaintiffs had cleared a “low bar” to establish constitutional standing for their claims in a data breach case against health insurer CareFirst by alleging potential future harm as a result of the breach. The plaintiffs alleged that…
Law Firms’ Data Duty: Protecting Client Information From Cybercriminals
The impact from the recent Petya/NotPetya ransomware attack — or what was reported as a ransomware attack but now appears to be something even more damaging — continues to spread around the globe, with several new companies coming forward as victims, including a prominent law firm.
This attack acts as an unfortunate reminder that…
Second Circuit Holds Data Breach Class Action Plaintiff Lacks Sufficient Injury to Support Standing
Those who tuned in to McGuireWoods’ data breach class action webinar last month know that attacking the plaintiff’s standing can be an effective defense strategy in these cases. Here’s our analysis of the most recent appellate decision on that issue.
Last Tuesday, the Second Circuit Court of Appeals affirmed the district court’s dismissal of a…
AT&T Privacy Rule Goes Too Far Says NLRB
Last week a National Labor Relations Board (NLRB) administrative judge ruled that AT&T Mobility interfered with employees’ labor rights with an overly broad privacy rule. The rule prohibited employees from recording any conversation without approval from the company’s legal department.
The judge found that the rule was in violation of Section 8(a)(1) of the National…
Eighth Circuit Undoes Target Data Breach Settlement Class
The $10 million settlement class in the Target data breach case was unraveled by the Eighth Circuit Court of Appeals in a recent decision that will force the district court to address the impact of the Supreme Court’s decision in Spokeo v. Robins. The Eighth Circuit remanded the case to the district court, finding…
ERISA Advisory Council Issues 2016 Report on Benefit Plan Cybersecurity
“Cyber threats cannot be eliminated but they can be managed. Cyber experts say that it is not a question of if you will have a cyber-attack, rather it is a question of when. The next question is what you are going to do about it. In addition to taking action to minimize cybersecurity risk, all parties involved in the administration of benefit plans and their data should be prepared to RESPOND and RECOVER in the case of a cyber event. Cybersecurity is everyone’s responsibility. Critical actions and decisions can be anticipated, so they should be considered before an incident occurs, not while it is occurring or after it has occurred. You should be PREPARED IN ADVANCE.”
The above admonition appears in the November 2016 report to the Secretary of Labor recently released by the Advisory Council on Employee Welfare and Benefit Plans (the Council) entitled “Cybersecurity Considerations for Benefit Plans” (the Report). The Council was established under the Employee Retirement Income Security Act of 1974 (ERISA) to advise the secretary on issues related to employee benefit plans. ERISA, which was designed to be a comprehensive federal law regulating benefit plans, gives the Department of Labor (the DOL) enforcement authority over various matters involving plans, including the responsibilities of plan fiduciaries.
The Report notes that while cybersecurity is a focus area for organizations as to ongoing business activities, benefit plans often fall outside the scope of cybersecurity planning. Given that plans maintain and share sensitive employee data and asset information across multiple unrelated entities on a regular basis as part of the plan administration process, the Report indicates that such data and asset information should be specifically considered when implementing cybersecurity risk management measures.
Report’s Objective and Recommendations
The Council’s objective in producing the Report was to provide relevant information to, and raise awareness with, plan sponsors, fiduciaries and service providers regarding the development of cybersecurity risk management programs for benefit plans.
During 2016, the Council studied benefit plan cybersecurity, receiving oral and written testimony from experts and interested parties. Based on this testimony and the Council’s own research, the Report provides two recommendations:
- Make the Report and its appendices available via the DOL website as soon as administratively feasible to provide plan sponsors, fiduciaries and service providers with information on developing and maintaining a robust cyber risk management program for benefit plans; and
- Provide information to the members of the employee benefit plan community to educate them on cybersecurity risks and potential approaches for managing these risks.
In connection with the second recommendation, the Report includes as Appendix A a sample document designed to be a resource for plan sponsors and service providers as to considerations for managing cybersecurity risks.
Unfortunately, the Report does not address two major concerns of plan administrators. According to the Report, the Council is aware that ambiguities and potential issues remain as to:
- Whether cybersecurity is a fiduciary responsibility; and
- Whether state cyber laws are preempted by ERISA.
However, the Report notes, the Council has determined that providing guidance on these topics is beyond the scope of its study.
Observations:
Fiduciary Duty: If courts should hold that fiduciaries are required under ERISA to safeguard benefit plan data (the statute is silent on the matter), the implications are enormous. ERISA provides that any fiduciary as to a plan “who breaches any of the responsibilities, obligations, or duties imposed upon fiduciaries by [Title I of ERISA] shall be personally liable to make good to such plan any losses to the plan resulting from each such breach.” Under ERISA, various persons, including plan participants, can bring suit for “appropriate relief” in connection with a breach of fiduciary duty. A representative of one prominent company that assists thousands of businesses in managing employee benefit programs has told us that it views the safeguarding of participant data as a contractual matter rather than an ERISA matter.
Preemption: ERISA provides, with certain exceptions, that it “shall supersede [i.e., preempt] any and all State laws insofar as they may now or hereafter relate to any employee benefit plan.” State-law preemption is a bedrock principle of ERISA. If courts should conclude that state laws on data breaches do not “relate” to benefit plans, and are therefore not preempted by ERISA, the determination of which state law or laws apply to a data breach involving a plan having participants in multiple states would be a daunting task for its administrator, given that these laws are far from uniform as to the duties they impose.
Existing Cybersecurity Frameworks
The Report reviews and comments on various cybersecurity frameworks that could provide the foundation for cybersecurity strategies for benefit plans.
Data Privacy Class Actions Post-Spokeo
Earlier this year, the Supreme Court, in Spokeo, Inc. v. Robins, held that a bare procedural violation of a statutory requirement, divorced from any concrete harm, does not establish the injury-in-fact necessary to maintain a lawsuit in federal court. As the year comes to an end, it is clear that Spokeo has undoubtedly had…