The due diligence should be documented in a manner that pro- vides the plan fiduciary with a defensible record should a data breach occur and its service provider practices be challenged. A list of due diligence questions designed to elicit these and other critical security issues is advisable.