Protecting Participant Personal Data

Is the personally identifiable information shared with your retirement plan service providers safe? Many providers farm or harvest this data amongst their affiliates or others in order to market and solicit additional products or services. This gives the appearance that you, as the plan sponsor, endorse these additional products or services. Find out why allowing these practices may put you at risk of accusations of breaching fiduciary duties and what steps you can take to proactively protect yourself and your participants.

The Value of Participant Personal Data

In an increasingly digital world, personal data is a valuable source of information for companies selling everything from socks to sailboats. Data is used for targeted marketing to potential consumers who fit the right age, interests, and level of income for the product at hand.

The same practice is frequently used to sell financial products. For companies engaged in qualified retirement plan recordkeeping, the sources of data at their fingertips are quite valuable. It is up to plan sponsors to ensure the data shared with providers is not used for solicitation, avoiding the potential threat of litigation.

Participant Personal Data Litigation

Recent retirement plan lawsuits include complaints that involve protection of defined contribution retirement plan assets. The lawsuits allege a breach of fiduciary duty involving failure to protect participant data or misuse of participant data as a plan asset. The alleged breach relates to using the participant data for the financial gain of the service provider or their affiliates (breach of fiduciary duty or prohibited transaction). While the courts’ responses have been mixed, this isn’t a claim to take lightly.

If a plan participant reaches out to a recordkeeping call center representative, that representative will at minimum have access to the participant’s age, home address, plan balance, and deferral percentage – information that can be extremely helpful when cross-selling IRAs, annuities, and other wealth management services.

Is personal data a plan asset?

ERISA strictly prohibits plan service providers from utilizing plan assets for their own benefit (prohibited transaction), which brings to light an important question: Is participant personal financial data a plan asset? This question was a consideration in the settlement of the class action suit Cassell v. Vanderbilt University [1].

Although the key component of the suit alleged that the Vanderbilt University Committee failed to appropriately monitor and control fees across the University’s two 403(b) Plans, included in the list of complaints was the Committee’s allowance of one of the plans’ recordkeepers to use participant data to cross-sell services outside of the plan.

As part of a $14.5 million settlement, Vanderbilt agreed to explicitly prohibit all future service providers from using participant personal financial data to promote services and sell products outside of the Plan. However, since the suit was settled out of court, the case did not establish a legal precedent on participant data’s status as a plan asset.

Protection for Plan Sponsors and Participants Alike

Ongoing court decisions continue to shape precedent, but the fact remains: The safety of participant personal data is under scrutiny. As a matter of best practice, there are several steps plan sponsors can take to not only protect themselves from accusations of this kind of fiduciary breach, but also protect the interests of their participants:

  • Review contracts to determine both the extent to which, and the means by which, service providers or their affiliated companies may use employees’ personal financial data.
  • If your vendor is providing advice or guidance, request and review their ADV. This brochure will outline their services, their fees, their conflicts of interest, and any violations that may have been reported.
  • Ask service providers for a full description of what participant data is collected and if any of the data is utilized to offer both guidance and advice inside and outside of the plan.
  • Allowing service providers to offer advice is a fiduciary decision, one that plan committee members are duty bound to monitor. Undergo a trial of these services or a screening of recorded participant calls to verify participants are being advised in a prudent manner.
  • If participant data is being used to sell services outside of the plan, re-work contracts to prohibit the practice. Alternatively, ask the service providers to quantify the value of external services sold and revisit existing fee arrangements.

At Francis Investment Counsel, we work with our clients and their providers to contractually limit the sharing of this data and routinely monitor and audit the services on an ongoing basis. Our independence and experience help our clients better protect themselves as fiduciaries and their employees’ personal and private information.

[1] Cassell et al. v. Vanderbilt University et al. (M.D. Tenn., April 22, 2019)
