How to Protect Participant Data
QUESTION: I am an investment adviser to ERISA [Employee Retirement Income Security Act] plans. Plan committees rely on me to keep them up to date on new developments. Recordkeepers sometimes use participant data—e.g., participant ages, retirement dates, account size—to cross-market investment products and services to participants outside the plan. Is there a fiduciary duty to protect this participant data from possible misuse?
ANSWER: It depends. If the participant data is considered a plan asset, there is a fiduciary duty to prudently oversee its use. However, the law is unsettled. Recent settlements of class action lawsuits suggest that participant data could be subject to ERISA fiduciary protection. As a result, plan committees may want to develop a strategy to address this issue.
Recordkeepers collect a wide range of participant information in order to carry out their recordkeeping services, including participants’ ages, length of employment, proximity to retirement, size of account balance, employment status, choice of investments, asset allocations and more. Plan committees rely on their adviser to keep them informed about new developments. As a result, plan advisers need to understand the committee’s responsibilities for participant data in light of a trend by plaintiffs’ class action attorneys to allege that there’s a fiduciary duty to protect such data.
ERISA does not specifically address whether participant data is a plan asset. If it is a plan asset, fiduciaries have a duty to oversee its use so that participants are not exposed to improper practices—e.g., excessive costs, unmanaged conflicts and inappropriate products or services.
This is the argument that was advanced in class action suits brought against Johns Hopkins University, Vanderbilt University and Northwestern University. In those lawsuits, the plaintiffs alleged that the plan committees breached their fiduciary duties by failing to protect participant data and permitting the recordkeeper to use it to sell investment products and services to participants outside of the plan.
The trial court in the Northwestern lawsuit held that participant data is not a plan asset; however, that decision has been appealed. Vanderbilt and Johns Hopkins were willing, as a part of their settlements, to agree that participant data could not be used by their plan recordkeepers for cross-marketing purposes, unless the participants individually requested the products or services. The schools’ willingness to settle on this issue could, but doesn’t necessarily, mean they perceived some litigation risk.
Even though these settlements have no legal weight, they do reflect the views of plaintiffs’ attorneys. For this reason, these settlement agreements are instructive.
Advisers should inform their plan committees about these developments and should help them create a strategy for overseeing participant data and managing the risk. For instance, the strategy could include the following approach:
1) A plan committee should find out what participant data is collected by the recordkeeper to carry out its services.
2) The committee should inquire about the recordkeeper’s cross-marketing practices, and access to that data should be considered in negotiating the fee; as a practical matter, though, recordkeepers may already be taking that into account.
3) The committee should evaluate the value to participants of the products and services that the recordkeeper cross-markets and allow those it believes provide value. The committee should also review the products and services to make sure the quality and costs are reasonable and that any conflicts of interest are properly managed.
4) The committee should review the service agreement to determine what it says about the use of participant data.
5) The committee should monitor how the recordkeeper uses participant data, to make sure it does so in accordance with the terms of the service contract.
6) The committee should document the monitoring process; it should also monitor its decisions and the manner in which they are implemented.
7) Lastly, the committee should take into account state privacy requirements. For instance, as of January 1, 2021, the California Consumer Privacy Act is scheduled to take effect for administration of employee benefit programs. This may place more stringent privacy requirements on plans and their service providers as to information shared by employees in that state.
Fred Reish is chairman of the financial services ERISA practice at law firm Drinker Biddle & Reath LLP. A nationally recognized expert in employee benefits law, Reish has written four books and many articles on ERISA, pension plan disputes and audits by the IRS and Department of Labor. Joan Neri is counsel in the firm’s financial services ERISA practice, where she focuses on all aspects of ERISA compliance affecting registered investment advisers and other plan service providers.