Plan Data: What is “Secure”?

Medicare Eligibility

What does it mean for a retirement plan to "protect" data--and are barriers to unauthorized access limited to blocking hacks?

Once again, it’s time to talk about data and fiduciary responsibility. This is prompted by several recent events:

  • The GAO issued a new report in February calling for more guidance from the Department of Labor on plan fiduciaries’ responsibilities with respect to cybersecurity and data protection. The report focused on two specific areas–clarifying fiduciary responsibility for cybersecurity risks and providing guidance for mitigating cybersecurity risks. The GAO report recommended that (i) the DOL should “formally state whether cybersecurity for private sector employer-sponsored defined contribution retirement plans is a plan fiduciary responsibility under ERISA”, and (ii) the DOL “should develop and issue guidance that identifies minimum expectations for mitigating cybersecurity risks that outline the specific requirements that should be taken by all entities involved in administering private sector employer-sponsored defined contribution retirement plans.”
  • A federal district court has dismissed a claim against Fidelity (Harmon v. Shell Oil Company). The claim alleged that Fidelity, the recordkeeper for the Shell Oil plan, was a fiduciary of the plan; this fiduciary status was based on the assertion that (i) participant data derived from recordkeeping the plan was a plan asset under ERISA, (ii) Fidelity’s control over the data made Fidelity a plan fiduciary, and (iii) Fidelity’s use of the data represented a breach of Fidelity’s fiduciary responsibility because it did not use the data for the “exclusive benefit“ of participants–but used the data for Fidelity’s own commercial benefit. The court dismissed the claims against Fidelity, concluding that participant data was not a “plan asset” under ERISA and therefore Fidelity was not a fiduciary and Fidelity’s use of the data was not a fiduciary breach.
  • On April 14 the Department of Labor issued new guidance for plan sponsors, plan fiduciaries, record keepers and plan participants on best practices for maintaining cybersecurity. Although most of the guidance focuses on cybersecurity measures, the DOL guidance on “Tips for Hiring a Service Provider” does start to expand the DOL’s focus to data privacy by suggesting that fiduciaries determine if a recordkeeper’s contract spells out the “obligation to keep private information private” and “prevent the use or disclosure of confidential information without written permission.”

The juxtaposition of these events elicits several reactions from this blogger–reactions centered on the treatment, by the GAO and the Shell court, of data–and the hint, in the DOL guidance–of a broader and more holistic approach to data “security.”

Benefits professionals — and service providers– are acutely aware of the requirements of HIPAA regarding health plan participant medical data. The data protection provisions of HIPAA rest on two prongs–security standards for the protection of protected information and privacy standards for the protection of that information. The GAO report focused solely on the need for clarity regarding the security component and made no mention of protection of participants’ private information. Admittedly, cybersecurity poses a greater risk than privacy. As noted in the GAO report cybersecurity gaps have led to unauthorized access to — and distribution of — retirement plan assets. This has resulted in losses of retirement plan assets which have not been fully recovered. Nonetheless, as illustrated by HIPAA, true data protection has two components–security and privacy. Yet, in focusing only on the security component the GAO report has missed an opportunity to promote protection of participants’ privacy along with the security of their personal financial data.

Taking a similarly narrow view the court in the Shell case relied, in part, on two regulations in determining that the definition of plan assets did not include data–regulations issued in 1986 and 1987. The court’s reliance in these regulations is misplaced for several reasons. First, the regulations cited were specifically targeted rules focused on the treatment of financial assets–one regulation cited by the Shell court clarified the fact that investment in a company does not render the company’s assets as “plan assets” and the other regulation detailed  how quickly participant contributions to a plan must be deposited. Neither regulation cited by the Shell court purported to provide an exhaustive definition of plan assets.  

It is hard to look around and conclude that plan participant information is not an “asset.”

  • Financial services companies spend significant amounts for leads–ranging, by some estimates between $160 to $200 per lead; one presumes these firms would not pay these amounts for something with no value.
  • As noted, the regulations cited by the Shell court were issued in the 1980’s–almost twenty years before Facebook was incorporated. Currently Facebook — a company that epitomizes the value of data–has a market capitalization of over $800 billion.

So,  while data may have had little value in the 1980s–the past few decades have demonstrated that data now has tremendous value. And, when that data (with clear economic value to Fidelity or other recordkeepers) is obtained as the result of serving a retirement plan–a strong argument can be made that the data is indeed an “asset” of the plan. However, as noted above, the DOL’s April guidance indicates that this more narrow focus on cybersecurity–and not data privacy or the value of data–may be changing.

The GAO report and the Shell decision are two aspects of the same problem–limited or anachronistic views of the importance of participant data. While The Economist magazine concluded in 2017 that “the world’s most valuable resource is no longer oil, but data” the ERISA world has yet to catch up with that perspective. Perhaps the DOL’s new guidance reflects the beginning of a change in attitude and a recognition that true data security is both cybersecurity and data privacy.