A little more than one year ago, we reported on a settlement (Cassell et al. v. Vanderbilt University, et al.) involving the alleged wrongful use of personal information belonging to retirement plan participants, claimed to be “plan assets.” This year, similar claims have been made against Shell Oil Company in connection with its 401(k) plan. Retirement plan sponsors may begin seeing more of these claims and they might consider some strategies to head them off.

The essence of the allegations is that employers breach their fiduciary duties of loyalty and prudence when they permit plan service providers to profit from the use of plan assets – sensitive personal information of plan participants – for non-plan purposes. Citing several “cross-selling” activities of plan advisors and other service providers, the Shell plaintiffs claim downstream sales opportunities working with retirement plans are more plentiful through better access to plan participant data, and without the need to engage in “cold-calling.”

The Employee Retirement Income Security Act (“ERISA) is the primary federal statute regulating employee benefit plans, including retirement plans. Currently, there are no express provisions in ERISA that prohibit the use of plan participant data for any particular purpose. However, as in the Vanderbilt case, the Shell plaintiffs rely on ERISA’s long-standing fiduciary duty provisions to support their claims concerning plan data:

  • ERISA’s fiduciary duty provisions require plan fiduciaries to discharge their duties with respect to a plan solely in the interest of the participants and beneficiaries and for the exclusive purpose of providing benefits to participants and their beneficiaries. 29 U.S. Code § 1104.
  • ERISA also prohibits plan fiduciaries from engaging in certain prohibited transactions, including transactions between the plan and a party in interest which the fiduciary knows constitutes a direct or indirect transfer to, or use by or for the benefit of a party in interest, of any assets of the plan. 29 U.S.C. §1106(a)(1).

For example, in Count IV of the complaint, the Shell plaintiffs alleged fiduciary duties under § 1104(a)(1) include:

restricting its use of Confidential Plan Participant Data solely to carrying out its Plan recordkeeping role, not using the data for nonplan purposes

Recordkeeping, investment of contributions, and other tasks associated with retirement plan administration require access to large amounts of personal information, usually in electronic format. The risks involving such information are not limited to data breaches. As the Vanderbilt and Shell cases indicate, plan participants have become increasingly aware of the vulnerabilities associated with handling their data, as well as how their data are being used by plan vendors. The California Consumer Privacy Act (CCPA) and similar laws emerging in other states may increase this awareness. At least for the time being, employees of CCPA covered entities are entitled to a “notice at collection” that must outline the categories of personal information collected and the purpose(s) that information is used. Regardless of whether ERISA preempts the CCPA, increased communication about privacy of personal information may cause participants to be more sensitive to the collection and use of their information.

There are some measures plan sponsors can take to minimize the risk of these kinds of claims.

  • Consider relationships with plan service providers more carefully and earlier in the process. ERISA requires plan fiduciaries to “obtain and carefully consider” the services to be provided by plan service providers before engaging the provider. Whether that duty extends to assessing the provider’s data privacy and security practices is not clear. Nonetheless, during the procurement process, consider basic questions such as: Who has access to participants’ data? How much (and what) data does the provider have access to, and what are they doing with that data? Is the service provider sharing data with other third parties?
  • Limit by contract the ability of plan service providers to use plan participant data to market or sell to participants products unrelated to the retirement plan, unless the participants initiate or consent.

Of course, depending on the bargaining power of the sponsor, it may not be able to convince a vendor to agree not to use participant data solely for plan administration purposes. However, sponsors should be sure their process includes these and other factors when making selections and when evaluating the performance of their service providers.

Tags: 401(k), 401(k) plan, CCPA, cybersecurity, Employee Retirement Income Security Act, ERISA, Fiduciary Duty, plan assets, retirement plan, service provider, Shell, Vanderbilt
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Joseph J. Lazzarotti Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the…

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Read more about Joseph J. Lazzarotti
Show more Show less
Photo of René E. Thorne René E. Thorne

René E. Thorne is co-leader of the firm’s ERISA Complex Litigation practice group, and is a principal in the New Orleans, Louisiana, office of Jackson Lewis P.C. René started the New Orleans office and was the managing principal for ten years.

Her national…

René E. Thorne is co-leader of the firm’s ERISA Complex Litigation practice group, and is a principal in the New Orleans, Louisiana, office of Jackson Lewis P.C. René started the New Orleans office and was the managing principal for ten years.

Her national practice covers the full range of complex benefit litigation matters, including representation of employers, plans, plan fiduciaries, third party administrators, and trustees. In that regard, she has handled numerous ERISA class actions alleging breach of fiduciary duty; breach of the duty of loyalty; prohibited transactions; 401(k) plan asset performance, fees, and expense issues; defined benefit plan asset issues, accrual issues, and cut-back issues; cash balance plan issues; ESOP litigation; fiduciary misrepresentation claims; sophisticated preemption issues; executive compensation litigation, both pension and welfare claims; retiree rights litigation; severance plan claims; Section 510 cases; and complex benefit claim cases.

Read more about René E. Thorne
Show more Show less
Related Posts
2025 Cost of Living Adjustments for Retirement Plans
November 1, 2024
Conjuring Health Plan Hygiene: The Final Chapter
October 31, 2024
Health Plan Hygiene Part 2: ERISA Fiduciaries – That May Mean You!
July 24, 2024