DOL Cybersecurity Guidance
Benefit plans have been subject to only a limited regulatory and statutory scheme with respect to data privacy and cybersecurity. Most of the regulatory scheme is targeted towards health plans with respect to protected health information under HIPAA and HITECH.
In response to a March 15, 2021, Government Accountability Office report recommending that the Secretary of Labor formally state whether cybersecurity for private sector employer-sponsored defined contribution retirement plans is a plan fiduciary responsibility under ERISA, the DOL has issued non-binding cybersecurity guidance for plan sponsors, providers and plan participants. The guidance consists of suggestions for best practices released in three parts: Tips for Hiring A Service Provider (targeted at plan sponsors); Cybersecurity Program Best Practices (targeted towards service providers and record-keepers); and Online Security Tips (targeted towards plan participants).
The new guidance states that “responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.” It does not go as far as clarifying that such obligations are a plan fiduciary responsibility under ERISA. The DOL’s equivocation on this issue does not however protect plan fiduciaries from breach of fiduciary duty litigation in the event of a cybersecurity breach. Plan participants may, for example, argue that the fiduciaries failed to protect plan assets or exercise prudence in implementing data security controls.
While the new guidance does not impose specific compliance requirements on plan sponsors, it does provide a list of cybersecurity tips and best practices to help plan sponsors satisfy their obligations. Additionally, the guidance may be a useful tool for negotiating future record-keeper and other service provider contracts. For more information refer to our e-alert, Department of Labor Provides Cybersecurity Guidance for Stakeholders of ERISA-Covered Plans
Participant Data is Not an ERISA “Plan Asset”
Harmon v. Shell Oil Co., 2021 WL 1232694 (S.D. Tex. Mar. 30, 2021)
Harmon is the newest decision in a recent spate of fiduciary litigation over whether participant data is a plan asset under ERISA. In recent years, participants have brought several suits against plan sponsors and record-keepers alleging breach of fiduciary duty and prohibited transactions under ERISA. In each case, the record-keeper used confidential participant information to market and sell the participants additional services. These suits allege that participant data is itself a “plan asset” protected under ERISA.
In Divane vs. Northwestern University, the United States District Court for the Northern District of Illinois declined to recognize participant data as a plan asset under ordinary notions of property rights under non-ERISA law. Divane v. Northwestern. Univ., No. 16 C 8157, 2018 WL 2388118, (N.D. Ill. May 25, 2018). The court in Harmon reached the same conclusion after sparse analysis citing Divane and dismissed the plaintiff’s case for failure to state a claim upon which relief can be granted.
Ninth Circuit: ERISA Does Not Bar Forum Selection Clauses
In re Becker v. United States Dist. Court, No. 20-72805, 2021 WL 1219745 (9th Cir. Apr. 1, 2021)
ERISA section 502(e)(2) provides venue for ERISA civil enforcement claims in any district where the ERISA plan is administered, where the fiduciary breach took place or where the defendant resides or may be found. However, some plans contain forum selection clauses limiting venue to a particular district. In Becker, the Ninth Circuit joined the Sixth and Seventh Circuits in holding that “ERISA does not bar forum-selection clauses.”
HEALTH AND WELFARE PLAN DEVELOPMENTS
COBRA Subsidy Guidance
The DOL issued new FAQs regarding the administration of COBRA subsidies under the American Rescue Plan Act of 2021 (ARPA). Under ARPA, Assistance Eligible Individuals (AEIs) may receive fully-subsidized COBRA coverage between April 1 and September 30, 2021.
The FAQs explain the interaction between the new COBRA subsidy deadlines under ARPA and the general extension of COBRA deadlines during the COVID-19 pandemic. As a reminder, prior to ARPA, the IRS and EBSA issued notices extending COBRA election deadlines during the COVID-19 pandemic for COBRA qualified beneficiaries. The notices also provided plan sponsors additional time to comply with certain deadlines affecting COBRA continuation coverage.
The FAQs clarify that an individual’s right to elect COBRA under the extended time frames under the IRS and EBSA notices remain in place. However, the COBRA subsidy deadlines are not subject to the extension. To receive the subsidy, an AEI must make an election within 60-days of receiving notice. Plan sponsors must also be timely in issuing the required subsidy notices or face potential penalties.
Due to the interaction between the COBRA subsidy special enrollment period and the extension of COBRA election deadlines during the pandemic, an AEI who experienced a qualifying event before April 1, 2021 faces an interesting choice. Under ARPA, AEIs can only prospectively elect subsidized COBRA continuation coverage starting April 1, 2021. However, under the general extension of COBRA election deadlines, a COBRA qualified beneficiary can retroactively elect coverage to the date he or she originally lost coverage due to a qualifying event. If the AEI is eligible to elect retroactive coverage, the AEI would still be charged COBRA premiums for the time between the qualifying event and April 1, 2021.
The FAQs also confirm that individuals who lose coverage due to a reduction in hours can be AEIs regardless of whether the reduction is voluntary or involuntary. In contrast, only individuals who lose coverage due to involuntary termination of employment can be an AEIs.
Finally, individuals are not eligible for the COBRA subsidy if they become eligible under a new group health plan, a spouse’s group health plan, or under Medicare. However, individuals currently receiving coverage through the marketplace or under Medicaid may be eligible for the COBRA subsidy.
The following model notices accompany the FAQs:
- Model General Notice and COBRA Continuation Coverage Election Notice
- Model Alternative Notice
- Model Notice in Connection with Extended Election Period.
- Model Notice of Expiration of Premium Assistance
- Summary of COBRA Premium Assistance Provisions under the American Rescue Plan Act of 2021
Plan sponsors may, but are not required to use the model notices.
CMS 2022 Notice of Benefit and Payment Parameters
CMS issued the final 2022 Notice of Benefit and Payment Parameters, which provide that the maximum annual limitation on cost-sharing for 2022 will be $8,700 for self-coverage and $17,400 for family-coverage. This is a reduction from the proposed limits CMS issued in December, though still an increase from the 2021 limits.
RETIREMENT PLAN DEVELOPMENTS
State Law Negligence Claims Not Preempted By ERISA
Bafford v. Northrop Grumman Corp., (9th Cir. Apr. 15, 2021)
In Bafford, a record-keeper for a defined benefit plan offered an online benefits portal that generated pension benefit estimates based on participant-entered assumptions. However, the program calculated the participant’s estimated benefits using a different period of employment than the period specified in the plan language. Recent retirees in the plan sued the record-keeper after they received a much smaller pension upon retirement than they anticipated. The plaintiffs alleged the record-keeper breached its fiduciary duty of care under ERISA and violated ERISA’s requirement to provide pension benefit statements. The plaintiffs also asserted professional negligence and negligent misrepresentation claims under state law.
The Ninth Circuit held that the calculation of pension benefits is a ministerial rather than fiduciary function. Thus the record-keeper’s failure to exercise the duty of care under ERISA in making the calculation is not a breach of fiduciary duties. However, the Ninth Circuit vacated and remanded the lower court’s decision to dismiss the plaintiffs’ state law claims, holding that the plaintiff’s professional negligence and negligent misrepresentation claims were not preempted by ERISA because the state negligence laws do not act “immediately and exclusively on ERISA plans, and the existence of an ERISA plan is not essential to these laws’ operation.”
Reinhart’s Employee Benefits Practice is one of the largest and most tenured in the country:
Attorneys: Thomas Funk, Jeffrey Fuller, Kristin Bergstrom, Bennett Choice, John Mossberg, William Tobin, Jussi Snellman, Gregory Storm, Rebecca Greene, Lynn Stathas, Keith Johnson, Philip O’Brien, Beth Bulmer, Pete Rosene, Pam Nissen, Michael Joliat, Lucas Pagels, Tiffany Reeves, Andrew Christianson, Stacie Kalmer, Jessica Culotti, Bryant Ferguson, Justin Musil, Woomin Kang, Nicholas Zuiker, Martha Mohs, Katherine Kratcha, Karyn Durkin, Emily Pellegrini, Jenny Zhang, Xavier Prather, Paul Beery.
Paralegals: Ellen Heib, Colleen McGuire Schmitz, Laurie Matthews, Mary Kaminski, Amanda Klein, Cheryl Yerkes, Stacy Heder and Grace Castagna.