Skip to main content

You are here

Advertisement


Practice Management

Whose Data Is it, Anyway?

I’ve always been just a bit paranoid about my personal data. All the more so because in a half dozen different circumstances over the past two decades, someone who had access to that data for legitimate purposes… lost it.
 
Those data breaches notwithstanding (and one did involve a 401(k) account) it’s the planned use of participant data that has recently emerged as a matter of concern in a handful of excessive fee litigation suits.   
 
To date, it’s only been cited in cases[1] brought by the St. Louis-based law firm of Schlichter, Bogard & Denton—but then, I figure it’s only a matter of time until the rest of the plaintiffs’ bar decides to follow suit (pun acknowledged). 
 
Two things that aren’t (or shouldn’t be) at issue; there is value in participant data—and ERISA doesn’t specifically address participant data or its use.
 
If ERISA itself is silent on the matter, there’s one recent case—Divane v. Northwestern University—that spoke to the issue, and that district court found that the sponsor doesn’t have a fiduciary duty to manage the use of participant data by its recordkeeper. While that decision was appealed—and continued to be found in favor of the defendants, the appeal didn’t address the participant data issue. Nonetheless, as things stand now, that would appear to be the standing legal evaluation—it’s already been cited as a precedent in some cases (and differentiated by plaintiffs in those same cases), and it will presumably continue to be until another court takes up the issue.

If they’ve not yet prevailed at court, the Schlichter law firm has nonetheless been successful in in negotiating, as part of a broader settlement, agreements in two cases that, for a period of three years, “it must not solicit current Plan participants for the purpose of cross-selling proprietary non-Plan products and services, including, but not limited to, Individual Retirement Accounts (IRAs), non-Plan managed account services, life or disability insurance, investment products, and wealth management services, unless in response to a request or expressed need by the Plan participant.” 
 
And, certainly based on their recent response to a motion to dismiss in a case involving Shell Oil, they plan to continue to do so.
 
It’s not that I don’t share a fair amount of data with my employer in the context of my employment, and data that is gathered in the interests of administering my benefits certainly serve an essential purpose. Arguably, that data, properly applied, can certainly be beneficial to me as a participant—whether as a reminder that I need to “catch-up” on my contributions after age 50½, a beneficiary check-up along with a change in marital status, a flag when I’m not maximizing the employer match… and surely that’s how plan sponsors view it. However, like anything in life, it can be abused. 
 
We’re all more sensitive to the issue of personal data these days—and with cybersecurity threats constantly in the news, I think it’s fair to say that that interest—and concern—is higher than ever. My guess is that many, if not most, employers already have as part of their service agreement with their recordkeeper some kind of “guardrails” around the use of that sensitive data.
 
If not, it’s probably time they did.
 
Footnotes
 
[1] The most recent one involving Shell Oil Co.’s $10.5 billion 401(k) plan.