Department of Labor action is putting additional scrutiny on the misuse of confidential retirement plan participant data, a point that matters for the cybersecurity practices of plan sponsors and service providers alike. Retirement plan fiduciaries and trustees need to take note. According to a recent article from the Wagner Law Group, a national ERISA and benefits law firm, the issue is how participant data may be used. Specifically, the Department of Labor action addresses retirement plan service providers that use participant data to cross-sell their own or related products and services outside the plan.
The Department of Labor action has surfaced in the form of a request item in some recent audits. The request reads: “All documents and communications describing the permitted use of data by the sponsor of the plan or by any service provider of the plan including, but not limited to, all uses of data for the direct or indirect purpose of cross-selling or marketing products and services.”
In addition, some service providers’ cross-selling practices have recently been challenged in court, so far unsuccessfully. The Wagner Law Group asserted that this “may be due, in part, to courts’ reluctance to conclude that participant identifying information is a plan asset.” However, some recent settlements involving 403(b) plans have prohibited plan sponsors and retirement committees from agreeing to allow plan service providers to cross-sell outside the plan. To date, the fiduciary responsibilities of retirement plan sponsors and committees with respect to the use of participant data have generally been unclear.
Moreover, the Securities and Exchange Commission (SEC) has taken highly publicized action against service providers that used confidential participant data to cross-sell their own products in the context of rollovers. According to the Wagner Law Group article, “Until the law has settled on cross-selling, it may be appropriate for plan sponsors to heed this warning. A plan sponsor can at least ensure that the service agreement doesn’t give tacit approval to the service provider’s use of participant data to cross-sell. The plan sponsor could go further and clarify in its service provider agreements that there should be no access to or use of participant data by the service provider except for the sole purpose of performing its plan-based duties under its service agreement.”
To be sure, these rules are still evolving, and as the Wagner Law Group aptly pointed out, “…other issues with respect to confidentiality and cybersecurity will need to be addressed, such as the possible preemption of state data privacy laws, at least with respect to plans; which party should bear the loss if no party is at fault; and the extent to which there should be some consequences when a participant’s carelessness contributes to a cyberbreach.”
In addition, there will need to be clarification on how cybersecurity breaches that result in the theft of participant account assets will be treated as compared with breaches that result in the theft of participant data. As with most of the shifting regulations in the retirement plan industry, plan sponsors and retirement plan committees should monitor this issue carefully from a fiduciary and compliance perspective. The Department of Labor action should serve as a harbinger of what is on the horizon.