December 6, 2021

Volume XI, Number 340


December 03, 2021


Employee Benefit Plans and Data Security Issues

In recent weeks, much of the discussion around a recent Supreme Court case, Gobeille, has focused on ERISA preemption. But for fiduciaries of benefit plans the case can serve as a reminder of important duties that often go unexplored—protecting the private data of participants.

Briefly, the case challenged a Vermont law that required reporting of health care claim payments to a state agency for inclusion in a healthcare database. But in reading the case, I was reminded about how much data—sensitive and personal data—hovers in and around employee health and benefits plans. It seems like news of data breaches can be seen almost daily in the headlines. And anyone familiar with databases maintained for plans can imagine what alluring targets they must be. On top of that, when one considers how often this data is shared with third parties in day-to-day plan administration (consultants, TPAs, payroll providers, investment advisors, etc.), data breaches will increasingly expose fiduciaries and plans to liability.

When a fiduciary sits down to think about its responsibilities to participants with regard to personal information, a complex and often unclear picture emerges. And a large part of that picture comes from outside of the “ERISA-box” plan fiduciaries typically consider. The few court cases exploring this subject are generally not brought as ERISA claims but rather are based on financial regulations and consumer protection laws. As fiduciary standards continue to evolve and differences in privacy protection laws appear from jurisdiction to jurisdiction, there are a host of laws and regulations to keep in mind.

A short list of legislation that touches on the area includes: the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, the Federal Trade Commission Act, the Fair Credit Reporting Act, the Fair and Accurate Credit Transactions Act, along with numerous state laws relating to “personally identifiable information” and “protected health information.”

At this point, even though the scope of a fiduciary’s duty under ERISA with respect to data protection has yet to be addressed by the courts and the DOL, there are still a number of practical steps that plan sponsors and other fiduciaries can take in the hope of preventing problems. These include:

  • Performing due diligence on all data and security protocols when selecting and monitoring vendors;

  • Developing privacy provisions for contracts with TPAs and other service providers over and above standard confidentiality agreements;

  • Limiting access to sensitive information to necessary personnel;

  • Training personnel on the law and the fiduciary responsibilities;

  • Developing written policies and procedures detailing for personnel the applicable state and federal laws;

  • And continuing to monitor and watch over service providers with access to sensitive data.

Unfortunately, data breaches are here to stay and so are government agencies’ attempts to develop guidance on how they should be handled. Plan sponsors and other fiduciaries need to be aware of these sensitive issues and put into place defensible policies and procedures. Such actions will not only help protect participant information but will also help limit exposure to liability for the plan and the fiduciaries to the myriad of laws aimed at these issues.

Jackson Lewis P.C. © 2021 National Law Review, Volume VI, Number 116

About this Author

Daniel O'Neil, Jackson Lewis, ERISA fiduciary matters lawyer, pension and profit sharing attorney
Associate

Daniel O'Neil is an Associate in the Albany, New York, office of Jackson Lewis P.C. His practice focuses on employee benefits, executive compensation, ERISA fiduciary matters, pension and profit sharing, and health and welfare plans. 

During his time with Jackson Lewis, Mr. O’Neil has assisted in the design and implementation of qualified retirement plans including 401(k), profit-sharing, ESOP, defined benefit, and 403(b) plans, as well as supplemental executive retirement plans and other nonqualified deferred compensation plans. He also assists...

518-434-1300