You work in the legal office at the U.S. Department of Labor (DOL) as an advisor focusing on cybersecurity and privacy issues.
You work in the legal office at the U.S. Department of Labor (DOL) as an advisor focusing on cybersecurity and privacy issues.
Final Paper
The final paper will consist of a realistic hypothetical scenario requiring you to step into the role of an advisor/ consultant and apply comprehensive knowledge gained throughout the course. You will need to explain legal and policy principles in a clear, straightforward manner and then apply those principles to develop reliable, sound advice and potential options that minimize exposure to legal risk. The final paper submission should be at least 10 pages (single-spaced).
BACKGROUND
You work in the legal office at the U.S. Department of Labor (DOL) as an advisor focusing on cybersecurity and privacy issues. Based on your work, you are aware of the following background information. DOL has a number of responsibilities related to retirement plans under the Employee Retirement Income Security Act of 1974 (ERISA), as well as the authority to issue regulations and guidance. Unlike other federal agencies that are authorized to regulate other industry sectors, such as the Department of Health and Human Services and the Federal Trade Commission, the DOL has not promulgated any regulations or less formal guidance regarding data security or privacy that cover the retirement industry. Thus, there is no comprehensive, centralized federal framework for cybersecurity that covers all areas of the retirement industry. Instead, there are a number of different standards and certifications that have been developed in the absence of any overarching guidance from DOL that can be voluntarily adopted by companies in the retirement industry, but are not required.
In November 2016, the ERISA Advisory Council submitted a report (Links to an external site.) to DOL with a number of cybersecurity considerations and recommendations. In December 2018, industry representatives published a white paper (Links to an external site.) that also articulated the need for a central framework for measuring the effectiveness of cybersecurity protections around sensitive personal information and plan asset data. Given the low instance of cyber incidents in the retirement industry, DOL decided that it did not need to provide formalized guidance regarding cybersecurity and that the more flexible, voluntary approach is sufficient. However, more recently, there have been a number of cyber incidents impacting retirement accounts, including some litigation filed against retirement plan fiduciaries for data breaches, such as Berman v. Estee Lauder, Inc. (Links to an external site.) and Leventhal v. MandMarblestone Group LLC (Links to an external site.).
ASSIGNMENT
Your client has asked you to look into available cybersecurity guidance for retirement plans and to provide advice on what DOL should do to help mitigate cyber risk across the retirement industry. Your client has asked you to review the various frameworks that already exist that could be adopted or modified for application to retirement plans. The ERISA Advisory Council and industry white paper have suggested consideration of the following frameworks, among others: NIST Cybersecurity Framework, GLBA Safeguards Rule and Privacy Rule (FTC regulations), HIPAA, and SPARK Institute Best Practices (Links to an external site.).
After you have reviewed and evaluated these frameworks, prepare a memo to your client that summarizes the issue that DOL needs to decide and provides reasoned recommendations on the following questions with thorough explanation:
- Should there be a universal framework for the retirement industry that sets out minimum standards for cybersecurity, or is the current more flexible approach appropriate? Explain.
- If DOL publishes cybersecurity guidance, is there an existing framework that we could adopt? What are the benefits or challenges of applying that framework to the retirement industry?
- Alternatively, should DOL create a new framework? If so, what standards should be included?
- What are the key components of a cybersecurity strategy for the retirement industry? Why are those important? Should cyber insurance be a part of the strategy? Why or why not? Consider, among other things, the type, quantity, and sensitivity of information held, how and by whom the information is accessed, and what kind of sharing of information may occur.
To prepare for upcoming Congressional testimony, your client also would like your views on whether a sector-specific approach to cybersecurity and privacy protections makes sense. Your client shared with you a recent news article (Links to an external site.)that Congress may be working on comprehensive Federal privacy legislation and thinks the agency may be asked for views on this during the testimony. Based on your review of the retirement industry for this memo, do you think the current flexible, sector-specific approach works best or would a comprehensive, national standard that could be applied across all industry areas be the right approach? Would this approach benefit the retirement industry? Explain.
To provide your client with a thorough product that sufficiently answers the question posed, your memo should be at least ten pages (single-spaced) in length.
Click here for further assistance on this assignment
