Protecting Participant Personal Data
The Value of Participant Personal Data
In an increasingly digital world, personal data is a valuable source of information for companies selling everything from socks to sailboats. Data is used for targeted marketing to potential consumers who fit the right age, interests, and level of income for the product at hand.
The same practice is frequently used to sell financial products. For companies engaged in qualified retirement plan recordkeeping, the sources of data at their fingertips are quite valuable. It is up to plan sponsors to ensure the data shared with providers is not used for solicitation, avoiding the potential threat of litigation.
Participant Personal Data Litigation
Recent retirement plan lawsuits include complaints that involve protection of defined contribution retirement plan assets. The lawsuits allege a breach of fiduciary duty involving failure to protect participant data or misuse of participant data as a plan asset. The alleged breach relates to using the participant data for the financial gain of the service provider or their affiliates (breach of fiduciary duty or prohibited transaction). While the courts’ responses have been mixed, this isn’t a claim to take lightly.
If a plan participant reaches out to a recordkeeping call center representative, that representative will at minimum have access to the participant’s age, home address, plan balance, and deferral percentage – information that can be extremely helpful when cross-selling IRAs, annuities, and other wealth management services.
Is personal data a plan asset?
ERISA strictly prohibits plan service providers from utilizing plan assets for their own benefit (prohibited transaction), which brings to light an important question: Is participant personal financial data a plan asset? This question was a consideration in the settlement of the class action suit Cassell v. Vanderbilt University.[1]
Although the key component of the suit alleged that the Vanderbilt University Committee failed to appropriately monitor and control fees across the University’s two 403(b) Plans, included in the list of complaints was the Committee’s allowance of one of the plans’ recordkeepers to use participant data to cross-sell services outside of the plan.
As part of a $14.5 million settlement, Vanderbilt agreed to explicitly prohibit all future service providers from using participant personal financial data to promote services and sell products outside of the Plan. However, since the suit was settled out of court, the case did not establish a legal precedent on participant data’s status as a plan asset.
Protection for Plan Sponsors and Participants Alike
Ongoing court decisions continue to shape precedent, but the fact remains: The safety of participant personal data is under scrutiny. As a matter of best practice, there are several steps plan sponsors can take to not only protect themselves from accusations of this kind of fiduciary breach, but also protect the interests of their participants:
- Review contracts to determine both the extent to which and the means by which service providers or their affiliated companies may use employees’ personal financial data.
- If your vendor is providing advice or guidance, request and review their ADV. This brochure will outline their services, their fees, their conflicts of interest, and any violations that may have been reported.
- Ask service providers for a full description of what participant data is collected and whether any of the data is used to offer guidance and advice inside and outside of the plan.
- Allowing service providers to offer advice is a fiduciary decision, one that plan committee members are duty bound to monitor. Undergo a trial of these services or a screening of recorded participant calls to verify participants are being advised in a prudent manner.
- If participant data is being used to sell services outside of the plan, re-work contracts to prohibit the practice. Alternatively, ask the service providers to quantify the value of external services sold and revisit existing fee arrangements.
At Francis Investment Counsel, we work with our clients and their providers to contractually limit the sharing of this data, and we routinely monitor and audit the services on an ongoing basis. Our independence and experience help our clients better protect themselves as fiduciaries and protect their employees’ personal and private information.
[1] Cassell et al. v. Vanderbilt University et al. (M.D. Tenn., April 22, 2019)