Data Breaches Highlight ERISA Legal Peril Attorney Says Plans May Some Day Face


Faced with the possibility of legal actions under an evolving prudence standard and state consumer protection laws, pension plans should be protecting the private data of their participants, attorneys told Bloomberg BNA in recent interviews.

Plans' responsibility to their participants regarding such personal information under the Employee Retirement Income Security Act has yet to be addressed by the courts or the Department of Labor, but Stephen P. Wilkes, of counsel with the Wagner Law Group in San Francisco, told Bloomberg BNA that “over time, at a minimum,” he expects that plan sponsors and financial institutions that are fiduciaries will take various steps to protect private participant data and that such steps will become the “normal standard.”

“Any deviation from that standard may arguably be a breach of duty to act prudently under ERISA,” he said.

But while Wilkes suggests that a fiduciary standard under ERISA may be arising for plan sponsors, it doesn't appear that litigation in this area is on the radar of employee benefit plaintiff attorneys. Several contacted by Bloomberg BNA said pension plan responsibility under ERISA to protect private participant data is a topic they hadn't given much thought to.

Even if ERISA isn't yet fertile ground for potential lawsuits or sanctions, plan sponsors may be subject to liability from other sources. Plaintiffs' attorney Teresa Renaker, partner with Renaker Hasselman LLP in San Francisco, told Bloomberg BNA that “there's probably a more direct cause of action under consumer protection law and/or financial industry regulation. If a participant called me about a claim like this, I would most likely encourage them to speak to a consumer lawyer first.”

Vulnerable Data

Due to a number of recent high-profile attacks on corporate computer systems at Target Corp., Sony Pictures Entertainment and others, the public has become aware of how vulnerable their private information is.

In February, Anthem Inc. revealed that a cyberattack on its computer systems had resulted in the theft of names, addresses, telephone numbers, birth dates and Social Security numbers of some 80 million of the company's current and past customers, including health benefit plan participants of plan sponsors served by the insurer/plan administrator.

While the Anthem breach involved health plans, there are lessons that could be learned by pension plans. Like health plans, defined benefit and defined contribution plans have been expanding their use of technology to collect, analyze, share and store their participants' personal data. At the same time, the electronic transfer of plan and participant financial information among plans, plan sponsors, participants and myriad plan service providers has also been increasing.

Excerpted from a story that ran in Pension & Benefits Daily (5/11/2015).
