While the full scale and severity of the breach have yet to be determined, many observers characterize it as significant, but not materially worse than other breaches involving personally identifiable information.
Jay Gepfert, managing partner at cyber assessment firm DOL Cybersecurity LLC in Norwalk, Conn., sees the breach as being in the top 10 because the number of people affected crossed the significant 1 million mark.
“That’s like a billion-dollar lottery ticket,” he said, alluding to the fact that most people only pay attention to the lottery when it reaches $1 billion.
Regulators are paying attention.
The DOL’s Mr. Khawar says the agency has expectations of plan sponsors and their vendors as spelled out in guidance it released in 2021.
The DOL is interested in finding out what questions plan sponsors were asking their service providers and what process they went through to hire them, Mr. Khawar said.
“To the extent they weren’t evaluating the cybersecurity posture of a service provider when they were making that hiring decision, that would be something I think we would be concerned about,” he said.
Even though the breach occurred at the subcontractor level, in this case PBI and the MOVEit file transfer provider Progress Software, some lawyers believe that plan sponsors could be liable.
Legal experts argue that the DOL made clear in its guidance in 2021 that it is the plan sponsor’s fiduciary duty to assess its service providers.
“To the extent that vendors have personal data or have access to the accounts that maintain that data for participants or beneficiaries in the plans, you have to have an understanding of what their cybersecurity is,” said Joseph Lazzarotti, a principal in the Berkeley Heights, N.J., office of Jackson Lewis PC.
Mr. Lazzarotti said that the layers of vendor relationships make it difficult to assess how far plan sponsors need to go to vet the vendors they choose. If the sponsor selects a record keeper that then hires another vendor to subcontract some of the work, “where does the plan sponsor’s duty end?” he asked.
“It’s an interesting question. I don’t know where the answer lies, but it does raise questions,” Mr. Lazzarotti said.
For Ms. Buckmann, there’s little doubt in her mind that plan sponsors can be liable, even if the breach occurred deep down in the vendor chain.
If it’s an ERISA plan, sponsors can be sued on the grounds that they breached their fiduciary responsibilities in not properly monitoring service providers and investigating their practices before they were hired, Ms. Buckmann said.
“It’s not a slam-dunk win,” she said. “It may be an uphill battle in court, but I think there’s a basis in the law for taking that position and trying to litigate it.”