In recent weeks, much of the discussion around the Supreme Court's decision in Gobeille has focused on ERISA preemption. But for fiduciaries of benefit plans, the case can also serve as a reminder of a duty that often goes unexamined: protecting the private data of participants.
Briefly, the case challenged a Vermont law that required reporting of health care claim payments to a state agency for inclusion in a statewide healthcare database. But in reading the case, I was reminded of how much sensitive and personal data hovers in and around employee health and benefit plans. News of data breaches appears in the headlines almost daily, and anyone familiar with the databases maintained for plans can imagine what alluring targets they must be. On top of that, when one considers how often this data is shared with third parties in day-to-day plan administration (consultants, TPAs, payroll providers, investment advisors, etc.), it is clear that data breaches will increasingly expose fiduciaries and plans to liability.
When a fiduciary sits down to think about its responsibilities to participants with regard to personal information, a complex and often unclear picture emerges. A large part of that picture lies outside the "ERISA box" that plan fiduciaries typically consider. The few court cases exploring this subject have generally not been brought as ERISA claims but rather under financial regulations and consumer protection laws. As fiduciary standards continue to evolve and privacy protection laws diverge from jurisdiction to jurisdiction, there are a host of laws and regulations to keep in mind.
A short list of legislation that touches on the area includes the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, the Federal Trade Commission Act, the Fair Credit Reporting Act, and the Fair and Accurate Credit Transactions Act, along with numerous state laws relating to "personally identifiable information" and "protected health information."
Even though the scope of a fiduciary's duty under ERISA with respect to data protection has yet to be addressed by the courts or the DOL, there are a number of practical steps that plan sponsors and other fiduciaries can take now to reduce the risk of problems. These include:
- Performing due diligence on vendors' data handling and security practices when selecting and monitoring them;
- Developing privacy provisions for contracts with TPAs and other service providers that go beyond standard confidentiality agreements;
- Limiting access to sensitive information to personnel who need it;
- Training personnel on the applicable law and on their fiduciary responsibilities;
- Developing written policies and procedures that set out for personnel the applicable state and federal laws;
- Continuing to monitor service providers that have access to sensitive data.
Data breaches are here to stay, and so are government agencies' efforts to develop guidance on how they should be handled. Plan sponsors and other fiduciaries need to be aware of these sensitive issues and put defensible policies and procedures in place. Such actions will not only help protect participant information but will also help limit the plan's and the fiduciaries' exposure to liability under the myriad laws aimed at these issues.