Fiduciary Risk in Not Protecting Participant Data

It’s clear that employers and their partners must secure personal data gathered in the company’s healthcare plan under HIPAA. But what about a company’s retirement plan? There is fiduciary risk in not protecting participant data.

Failure to secure protected health information from disclosure can result in civil monetary penalties of up to $1.5 million and potential criminal penalties of up to 10 years’ imprisonment. According to the law firm Morgan Lewis, “Penalties of this size have the tendency to get people’s attention.” While there are no similar laws under ERISA – yet – it does not mean that plan sponsors are off the hook.

A company sponsoring an ERISA plan must design the plan in the sole interest of the participants and must discharge its duties as a prudent expert. It’s not a stretch to imagine that if a company is careless with securing sensitive data like Social Security numbers, there could be liability, which may also extend to third-party vendors that have access to the data.

It’s obvious that participant data stored by record keepers and TPAs should be protected. But other parties are getting access to sensitive data as more defined contribution (DC) plans and their advisors use financial wellness firms to help employees improve their financial picture and better prepare for retirement. Few think about protecting the privacy of the employees’ data, and the employees themselves might assume that, like health care information, it cannot be reused. And in order to personalize professionally managed investments, some firms and advisors are asking the DC record keeper for information about the participant.

To predict plan health, firms will need to analyze sensitive data like health care claims. And in the age of information, robo advisors and fin-tech companies are aggregating a person’s entire financial picture to help them better manage their money.

So the question is, how are companies and their partners protecting participant data in DC plans? A chain is only as strong as its weakest link. Companies that strive to protect their data and their employees from cyber-attacks may still be vulnerable if their defined contribution record keeper or TPA either does not have adequate protection or uses data without the permission of the company. In fact, according to another major law firm, a lack of adequate protection against cyber-attacks could lead to fiduciary liability.
