In several recent ERISA plan lawsuits, plaintiffs have alleged that the plan fiduciary breached its fiduciary duties under ERISA with respect to participant data (e.g., participants’ ages, choice of investments and asset size), arguing that such participant data is a “plan asset” that the plan fiduciary failed to safeguard. Although ERISA does not specifically address whether participant data is a plan asset, the settlements reached in those lawsuits reveal an emerging trend that plan sponsors need to consider.
In class action lawsuits brought against Johns Hopkins University and Vanderbilt University, the plaintiffs alleged that the plan fiduciary breached its duties of loyalty and prudence by failing to protect confidential participant data and permitting the recordkeeper to use that data to market and sell lucrative investment products outside the plan to participant employees. The plaintiffs also alleged that the plan fiduciary breached its fiduciary duty by failing to take into consideration the value of the recordkeepers’ access to participant data for marketing purposes when negotiating pricing. The participant data included participant ages, length of employment, time of retirement, size of account balance, employment status, choice of investments and more.
The settlements in both of those lawsuits included, among other provisions, an obligation on the part of the plan fiduciary to contractually prohibit the recordkeeper from using participant data to market or sell products or services unrelated to the plan, unless responding to a participant’s request. The settlements also required that the plan fiduciary conduct periodic requests for proposal (RFPs) for recordkeeping services and that those RFPs require that the recordkeeper agree to this obligation. It is likely that we will see terms like these reflected in future plaintiffs’ claims and settlements.
To address this issue, plan fiduciaries may want to consider taking the following steps:
- Inquire About Participant Data Needed by the Service Provider. When conducting service provider RFPs, the plan fiduciary should inquire about the participant data that will be collected by the service provider and ensure that it is not beyond the scope of what is needed to perform the services.
- Inquire About the Service Provider’s Cross-Marketing Practices. When conducting service provider RFPs, the plan fiduciary should inquire about the service provider’s use of participant data to cross-market non-plan products and services and should take into account the value of that data access in negotiating the service provider’s fee.
- Limit Use of Participant Data for Marketing Non-Plan Products and Services. The plan fiduciary should contractually require the service provider to limit its use of participant data to cross-market non-plan products and services only to those plan participants who request such information.
- Monitor the Service Provider’s Use of Participant Data. The plan fiduciary should monitor the service provider’s use of participant data to make sure that (1) the data collected is within the scope of the plan services provided and (2) the data is used to cross-market non-plan products and services only to those plan participants who request that information.
Plan sponsors should work with ERISA counsel to undertake these best practices to carry out their fiduciary responsibilities and minimize the risk of misuse of participant data.