August 12, 2020

Volume X, Number 225

August 12, 2020

Subscribe to Latest Legal News and Analysis

August 11, 2020

Subscribe to Latest Legal News and Analysis

August 10, 2020

Subscribe to Latest Legal News and Analysis

Is Personal Information of Retirement Plan Participants an ERISA Plan Asset?

A little more than one year ago, we reported on a settlement (Cassell et al. v. Vanderbilt University, et al.) involving the alleged wrongful use of personal information belonging to retirement plan participants, claimed to be “plan assets.” This year, similar claims have been made against Shell Oil Company in connection with its 401(k) plan. Retirement plan sponsors may begin seeing more of these claims and they might consider some strategies to head them off.

The essence of the allegations is that employers breach their fiduciary duties of loyalty and prudence when they permit plan service providers to profit from the use of plan assets – sensitive personal information of plan participants – for non-plan purposes. Citing several “cross-selling” activities of plan advisors and other service providers, the Shell plaintiffs claim downstream sales opportunities working with retirement plans are more plentiful through better access to plan participant data, and without the need to engage in “cold-calling.”

The Employee Retirement Income Security Act (“ERISA) is the primary federal statute regulating employee benefit plans, including retirement plans. Currently, there are no express provisions in ERISA that prohibit the use of plan participant data for any particular purpose. However, as in the Vanderbilt case, the Shell plaintiffs rely on ERISA’s long-standing fiduciary duty provisions to support their claims concerning plan data:

  • ERISA’s fiduciary duty provisions require plan fiduciaries to discharge their duties with respect to a plan solely in the interest of the participants and beneficiaries and for the exclusive purpose of providing benefits to participants and their beneficiaries. 29 U.S. Code § 1104.
  • ERISA also prohibits plan fiduciaries from engaging in certain prohibited transactions, including transactions between the plan and a party in interest which the fiduciary knows constitutes a direct or indirect transfer to, or use by or for the benefit of a party in interest, of any assets of the plan. 29 U.S.C. §1106(a)(1).

For example, in Count IV of the complaint, the Shell plaintiffs alleged fiduciary duties under § 1104(a)(1) include:

restricting its use of Confidential Plan Participant Data solely to carrying out its Plan recordkeeping role, not using the data for nonplan purposes

Recordkeeping, investment of contributions, and other tasks associated with retirement plan administration require access to large amounts of personal information, usually in electronic format. The risks involving such information are not limited to data breaches. As the Vanderbilt and Shell cases indicate, plan participants have become increasingly aware of the vulnerabilities associated with handling their data, as well as how their data are being used by plan vendors. The California Consumer Privacy Act (CCPA) and similar laws emerging in other states may increase this awareness. At least for the time being, employees of CCPA covered entities are entitled to a “notice at collection” that must outline the categories of personal information collected and the purpose(s) that information is used. Regardless of whether ERISA preempts the CCPA, increased communication about privacy of personal information may cause participants to be more sensitive to the collection and use of their information.

There are some measures plan sponsors can take to minimize the risk of these kinds of claims.

  • Consider relationships with plan service providers more carefully and earlier in the process. ERISA requires plan fiduciaries to “obtain and carefully consider” the services to be provided by plan service providers before engaging the provider. Whether that duty extends to assessing the provider’s data privacy and security practices is not clear. Nonetheless, during the procurement process, consider basic questions such as: Who has access to participants’ data? How much (and what) data does the provider have access to, and what are they doing with that data? Is the service provider sharing data with other third parties?
  • Limit by contract the ability of plan service providers to use plan participant data to market or sell to participants products unrelated to the retirement plan, unless the participants initiate or consent.

Of course, depending on the bargaining power of the sponsor, it may not be able to convince a vendor to agree not to use participant data solely for plan administration purposes. However, sponsors should be sure their process includes these and other factors when making selections and when evaluating the performance of their service providers.

 

Jackson Lewis P.C. © 2020National Law Review, Volume X, Number 192

TRENDING LEGAL ANALYSIS


About this Author

Principal

Joseph J. Lazzarotti is a Principal in the Morristown, New Jersey, office of Jackson Lewis P.C. He founded and currently helps to co-lead the firm's Privacy, e-Communication and Data Security Practice, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals.

In short, his practice focuses on the matrix of laws governing the privacy, security and management of data, as well as the impact and regulation of social media. He also...

973- 538-6890
René E. Thorne, Jackson Lewis, Employment Litigation, ERISA Attorney"
Office Managing Principal and Office Litigation Manager

René E. Thorne is Office Managing Principal of the New Orleans, Louisiana, office of Jackson Lewis P.C. Her practice covers the full range of employee benefit litigation matters, including representation of employers, plans, plan fiduciaries, and trustees.

In that regard, she has handled numerous ERISA class actions for clients such as Nortel Networks, Target, Krispy Kreme Doughnuts, Owens Healthcare, United Airlines ESOP Committee, Dunbar Armored, United Companies, Benefits Administration Corporation, and Beverly Enterprises. Ms. Thorne also has handled benefits and employment matters for such clients as for Alcatel-Lucent, Raytheon, Pfizer, Omega Protein, The Hartford, Northwest Airlines, Amtrak, United Airlines, Turner Industries, Starwood Hotels, and Sempra Energy. Ms. Thorne has been retained as an expert in complex ERISA breach of fiduciary duty, prohibited transaction, and cash balance cases. Ms. Thorne has been qualified and testified as an expert on ERISA matters in federal court.

504-208-1755