Insight: Data Privacy and Cybersecurity—What’s a Plan Fiduciary to Do?

Data privacy is an emerging area for ERISA plan fiduciaries. And the rules aren’t all that clear.

The issue of data privacy made news May 31 when the U.S. District Court for the Middle District of Tennessee granted conditional approval for Vanderbilt University to settle claims related to its 403(b) plan for $14.5 million. The settlement also had non-monetary conditions, including a prohibition on Vanderbilt letting its next recordkeeper use plan data to cross-sell additional products and services to plan participants without their affirmative consent.

This case raises many questions for plan fiduciaries. What are plan fiduciaries to do when it comes to protecting the data of the plan’s participants? Is participant consent required? Should data be considered like any other form of service provider compensation? Should fiduciaries know what data their plan gathers, who it is shared with, and how it is used?

All of these questions are evolving as plaintiffs begin to probe these issues. In the past year, three big cases have signaled that data privacy and cybersecurity are moving to center stage.

In the Bloomberg Law article “Data Privacy and Cybersecurity—What’s a Plan Fiduciary to Do?”, Groom principals Allison Itami, David Levine, George Sepsakos and Kevin Walsh examine these recent cases and their implications.