Protecting Confidential Participant Data and Cross-Selling

Practice Management

In light of the DOL’s increased focus on cybersecurity and participant data, plan sponsors should review their service agreements to ensure they do not give implicit approval to use participant data to cross-sell, a new blog post suggests.

As part of what appears to be a new cybersecurity initiative, for the last several months the DOL has been issuing extensive information and document requests to some plans under audit. These include asking plan fiduciaries to produce all cybersecurity and information security program policies, procedures and guidelines that relate to the plan, and to state whether they are applied by the plan sponsor and its vendors.

According to the blog post by The Wagner Law Group, the DOL—in addition to asking about cybersecurity practices in plan audits—has begun making inquiries about the practice of some service providers using participant data for nonplan purposes in trying to sell their own or related products and services outside the plan. The DOL is asking specifically for “All documents and communications describing the permitted use of data by the sponsor of the plan or by any service provider of the plan including, but not limited to, all uses of data for the direct or indirect purpose of cross-selling or marketing products and services.”

“It seems clear the DOL is concerned not just with theft of plan data or assets, but also with the misuse of confidential participant data,” write attorneys Jon Schultze, Susan Rees and Barry Salkin. 

In addition, the Securities and Exchange Commission has acted recently against service providers that use confidential participant data to cross-sell their own products in the rollover context, the Wagner attorneys note. “We know that the DOL has been very concerned with the practice of cross-selling in the rollover context as well, and it seems that the DOL is expressing the same concerns in its plan audits,” they write. 

DOL Cybersecurity Best Practices

This follows the DOL’s April guidance on cybersecurity, which consisted of three pieces:

  • Tips for Hiring a Service Provider (for plan sponsors on picking vendors);
  • Cybersecurity Program Best Practices (to assist plan fiduciaries and recordkeepers in their responsibilities to manage cybersecurity risks); and
  • Online Security Tips (for participants related to their online security).

In March, the Government Accountability Office had called on the DOL to set minimum standards for mitigating cybersecurity risks and to formally state whether it is a fiduciary’s responsibility to mitigate those risks in DC plans. For its part, the DOL has noted that, while the cybersecurity guidance didn’t establish formal standards, the department thought it was important to share best practices it would like to see in terms of what each stakeholder group should be doing—and indicated that the guidance is just the beginning of the department’s work in this area.  

Impact of Litigation

While the industry is still waiting for comprehensive cybersecurity guidance for retirement plan administration, there have been some unsuccessful legal challenges to service providers’ cross-selling practices. That may be due in part to courts’ reluctance to conclude that participant identifying information is a plan asset, the Wagner attorneys note. In contrast, however, some recent settlements involving 403(b) plans have dealt with the issue by prohibiting plan sponsors from agreeing to allow plan service providers to cross-sell outside the plan.

In fact, at NAPA’s 401(k) Plan Summit in September, panelists at a workshop discussion observed that recent lawsuit settlements have changed the conversation and made plan sponsors more aware of what is in their contract and how service providers can use plan data. Many providers contend, however, that having better participant data helps with driving improved retirement outcomes, and that it basically comes down to what has been contracted for, what the provider’s business model is, and the plan sponsor’s comfort level with data sharing. 

The blog post observes that as case law develops in this area, other issues with respect to confidentiality and cybersecurity will need to be addressed, such as: 

  • the possible preemption of state data privacy laws with respect to plans; 
  • which party bears the loss if no party is at fault; and 
  • the extent to which there should be some consequences when a participant’s carelessness contributes to a cyberbreach. 

Additional issues that could surface involve the distinction between breaches involving the theft of participant account assets and breaches involving the theft of participant data. “Losses to be remedied in the former are concrete, but unfortunately, the law is far less clear, at least for ERISA and possibly for constitutional standing purposes, with respect to the misappropriation of participant data,” the Wagner attorneys emphasize.

Service Agreements

Until the law is settled on cross-selling, the attorneys suggest that it may be appropriate for plan sponsors to bear all this in mind. Noting that a plan sponsor can at least ensure that the service agreement doesn’t give “tacit approval,” they suggest that a plan sponsor could go further by clarifying in its agreements that participant data will only be used for the purpose of performing plan-based duties.