As we explained in our recent Law Alert, the Department of Labor (“DOL”) has become highly focused on the cybersecurity practices of plan sponsors and their service providers and has begun asking comprehensive cybersecurity questions in plan audits. It seems clear the DOL is concerned not just with theft of plan data or assets, but also with the misuse of confidential participant data.
One item that has appeared on some DOL audit document requests is potentially significant: “All documents and communications describing the permitted use of data by the sponsor of the plan or by any service provider of the plan including, but not limited to, all uses of data for the direct or indirect purpose of cross-selling or marketing products and services.” The DOL is referring to the practice of some service providers using participant data for nonplan purposes, that is, using it to sell their own or related products and services outside of the plan.
There have been some unsuccessful legal challenges to service providers’ cross-selling practices which may be due, in part, to courts’ reluctance to conclude that participant identifying information is a plan asset. However, recently some highly publicized settlements involving Code Section 403(b) plans specifically addressed the issue by prohibiting plan sponsors from agreeing to allow plan service providers to cross-sell outside the plan.
There have also been recent highly publicized actions by the Securities and Exchange Commission against service providers that use confidential participant data to cross-sell their own products in the rollover context. We know that the DOL has been very concerned with the practice of cross-selling in the rollover context as well, and it appears that the DOL is expressing the same concerns in its plan audits. Until the law on cross-selling has settled, it may be appropriate for plan sponsors to heed this warning. At a minimum, a plan sponsor can ensure that the service agreement does not give tacit approval to the service provider’s use of participant data to cross-sell. The plan sponsor could go further and provide in its service provider agreements that the service provider may not access or use participant data except for the sole purpose of performing its plan-based duties under the service agreement.
It may be a cliché to state that a particular area of law is evolving, but clichés are occasionally accurate. As case law develops in this area, other issues with respect to confidentiality and cybersecurity will need to be addressed, such as the possible preemption of state data privacy laws, at least with respect to plans; which party should bear the loss if no party is at fault; and the extent to which there should be some consequences when a participant’s carelessness contributes to a cyberbreach. Although understandably not mentioned in the DOL guidance, there also will likely be some attempted differentiation between breaches involving theft of participant account assets and breaches involving theft of participant data. Losses to be remedied in the former are concrete, but unfortunately, the law is far less clear, at least for ERISA and possibly for constitutional standing purposes, with respect to the misappropriation of participant data.
* * * * *
This is part of our ongoing series of alerts on cybersecurity. Follow us for updates in the case law and DOL guidance. Our attorneys are available to assist you in addressing cybersecurity related questions. Please contact Jon Schultze, Susan Rees, Barry Salkin or Dan Brandenburg.
Part 1 of our three-part series of alerts on the DOL’s Cybersecurity guidance may be found by clicking here.
Part 2 of our three-part series of alerts on the DOL’s Cybersecurity guidance may be found by clicking here.