The Department of Labor (“DOL”) has increased its focus on the cybersecurity practices of plan sponsors and their service providers. As a result, the DOL has started to ask comprehensive cybersecurity questions in plan audits. It seems apparent that the DOL is concerned with the misuse of confidential participant data, in addition to the theft of plan data or assets.
The DOL has focused on the practice of some service providers using participant data for nonplan purposes. This usage includes selling their own or related products and services outside the plan. The following item has appeared on some DOL audit document requests and, therefore, bears some potential significance:
“All documents and communications describing the permitted use of data by the sponsor of the plan or by any service provider of the plan including, but not limited to, all uses of data for the direct or indirect purpose of cross-selling or marketing products and services.”
Most legal challenges to service providers’ cross-selling practices have been unsuccessful. This effect may be the result of, in part, -+the reluctance of courts to conclude that participant data used for identification purposes is a plan asset. However, recently some highly publicized settlements involving Code Section 403(b) plans have specifically addressed this issue by prohibiting plan sponsors from making any agreements to allow plan service providers to cross-sell outside the plan.
There have also been recent highly publicized actions by the Securities and Exchange Commission (“SEC”) against service providers who use confidential participant data to cross-sell their products in the rollover context. The DOL shares the SEC’s concern with the practice of cross-selling in the rollover context as it shares similar concerns in its plan audits.
Plan sponsors should heed the actions of the DOL and SEC as warnings until Congress clearly settles on the law about cross-selling data.
A plan sponsor can ensure that the service agreement does not give tacit approval to the service provider’s use of participant data for cross-selling with reasonable effort. One option is for the plan sponsor to clarify in its service provider agreements that there is no access to or use of participant data by the service provider except for the sole purpose of performing its plan-based duties under the service agreement.
As case law evolves in this area, courts will have to address issues of confidentiality and cybersecurity, including the possible preemption of state data privacy laws, at least as they apply to retirement plans. Courts will also have to address which party should bear the loss, if no party is at fault, and the extent to which there should be consequences when a participant’s carelessness contributes to a breach of cybersecurity.
HBL has experience in all areas of benefits and employment law, offering a comprehensive solution to all your business benefits and HR/employment needs. We help ensure you are in compliance with the complex requirements of ERISA and the IRS code, as well as those laws that impact you and your employees. Together, we reduce your exposure to potential legal or financial penalties. Learn more by calling 470-571-1007.
Hall Benefits Law, LLC
Latest posts by Hall Benefits Law, LLC (see all)
- Penalties for Failing to Timely File 2023 Forms 1094/1095 - April 18, 2024
