ERISA and Enterprise Clouds: Fiduciaries Need to Learn How to Marry the Two


Most of the requirements for administering a 401(k) plan are relatively easy to assess and follow. The picture is less clear for sponsors and providers upgrading their information systems.


In 2011, the Department of Labor (“DOL”) convened an advisory group to discuss privacy issues and plan administration. That group produced a report to then-Secretary of Labor Hilda L. Solis focused on the privacy and security of benefit data and personal information. The advisory group made three recommendations to the Secretary of Labor: (1) provide guidance on the obligation of plan fiduciaries to secure and keep private the personally identifiable information (“PII”) of participants and beneficiaries; (2) develop educational materials and outreach efforts for plan sponsors, participants, and beneficiaries to address the privacy and security of PII; and (3) include in that outreach and educational material information on elder abuse related to benefit plans.


Since 2011, many companies have moved the archiving of data and records into remote storage, including enterprise and public clouds. Yet the Department of Labor has not produced a clear set of guidelines for protecting PII, unlike HIPAA’s rules for Protected Health Information (“PHI”). PII, as defined by the Office of Management and Budget (OMB), is “information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name….”


To avoid security breaches, the advisory group highlighted four practices for employers and plan sponsors: (1) data management, including minimal use of PII, discarding unnecessary paper copies, mapping where PII lives in the organization’s information systems, and understanding cloud computing and remote data storage; (2) technology management, including installing patches, conducting threat and risk assessments, managing firewalls, limiting the use of portable and smart devices, and following NIST configuration guidelines; (3) service provider management, including due diligence on providers and holding subcontractors to the same standards as the providers themselves; and (4) managing human capital through criminal background checks, training employees on handling PII, and designating an individual to oversee privacy and security.


HIPAA’s Security Rule does require periodic risk analysis and workforce training on protecting PHI, but it leaves most of the specifics of how to protect electronic health information to the individual health care and health insurance providers, so that each can scale the implementation to its own size and risk. Plan providers have not even that much: there appears to be no set of regulations at all, just the duty to protect the PII.


Just two years after the advisory group’s report, in 2013, Forbes reported that nearly half of all U.S. businesses used cloud computing. Technology analysts describe a shift in software development from “cloud-first” to “cloud-only,” meaning that the newer and more capable versions of the software businesses depend on are increasingly designed to run only in the cloud.


Since the advisory group recommended that plan providers understand remote storage, it follows that meeting fiduciary duties requires a provider to understand how a cloud works, and the differences between public clouds and enterprise clouds. Further, the DOL’s fiduciary rules require that a plan provider use technology in its clients’ best interests.


Plan providers would do well first to distinguish between public and private (enterprise) cloud options. A public cloud is shared, multi-tenant infrastructure operated by a third-party provider: many unrelated customers house data and processing on the same pool of hardware, the provider secures the underlying infrastructure, and each customer remains responsible for securing what it stores and runs there. It is often chosen by organizations whose business is built around web development and whose regulatory compliance needs are low.


While opinions vary on what exactly an enterprise cloud is, the generally accepted version is a computing environment housed behind the enterprise’s own firewall that provides software, infrastructure and platform services to that enterprise. The goal is to deliver, on dedicated infrastructure, the same essential characteristics NIST ascribes to cloud computing: resource pooling, rapid elasticity (dynamic scaling), broad network access, on-demand self-service, and, importantly, measured (metered) service.


A company whose computing decisions are driven primarily by eCommerce may reasonably choose a public cloud for its computing and finance systems. An enterprise cloud, however, can be built from the start with the security and encryption provisions that regulations such as HIPAA require; some technology advisors describe security provisions that underlie the architecture in this way as “baked in.”


It is often said that HIPAA regulations and public cloud computing don’t mix. That is an overstatement: a public cloud can hold regulated data when the provider will sign the required business associate agreement and the customer itself configures and verifies the encryption, access controls and logging. But the appeal of enterprise computing is real. It is private in the sense that the hardware, storage and network are dedicated to a single client or company, so no other tenant shares the infrastructure and the organization controls the whole stack. That isolation makes privacy easier to achieve, though it does not replace the controls themselves: dedicated hardware that is unpatched or reachable by everyone inside the firewall is no safer than shared hardware. If plan providers must protect PII without detailed rules, just as health care administrators must protect PHI with only general ones, then it follows that plan providers would do well to construct their enterprise clouds carefully for the storage of plan-related information, even if the company as a whole relies on a public cloud.

