The loss of Americans’ privacy through the growing use of their data continues to be a major topic in the media. This focus is now turning to the retirement industry.
Plan and participant data plays a key role in our retirement system – from the basic operation of retirement plans, to designing wellness solutions, implementing distributions and beyond. Almost all aspects of plan operation and participant interaction rely on data.
Notably, plaintiffs’ lawyers have begun to focus on privacy issues as well. To prepare for a world where data could be a key compliance consideration, there are three basic questions that advisors can ask now to develop a framework for navigating the interaction of privacy and retirement.
The Legal Framework
The first question is: Which legal rules govern the use of retirement plan and participant data?
Often, the answer can depend on the exact data and exact usage, but key rules to keep in mind include the following.
- ERISA. ERISA sets out rules relating to the use of “plan assets.” A key question is whether data is a plan asset. In two recent cases, we now have conflicting signals. In one case involving Northwestern University, the court dismissed claims implicating plan data as a plan asset. In another case, involving Vanderbilt University, the settlement included an agreement to limit the use of plan data by the plan recordkeeper on a go-forward basis. (Note that settlements do not constitute binding law.)
- The GLBA. The Gramm-Leach-Bliley Act imposes certain limits on the use of data used in certain financial transactions. Historically, the law has not been thought to apply to retirement plan-related activities. However, given the rise of state initiatives as noted below, the GLBA or other legislation may play a role in the future.
- State Laws. Privacy-related legislation continues to be introduced in numerous state legislatures. The most prominent state effort is the California Consumer Privacy Act (CCPA). The extent to which the CCPA will affect retirement plans or related services is yet to be determined, as various amendments may be adopted before the law goes into effect.
- International Laws. Global privacy laws, such as the European Union General Data Protection Regulation and Brazil’s privacy law, hold the potential to affect the operation of U.S. retirement plans, especially given the emergence of a global workforce that may, at times, participate in U.S. retirement plans.
- HIPAA. While it’s not directly applicable to retirement, the Health Insurance Portability and Accountability Act, along with related guidance, contains one of the most detailed frameworks governing privacy in the United States. As such, it has the potential to affect broad-based wellness programs, which increasingly are being tied to both health and retirement.
The second question is: Who is focusing on retirement plans and data privacy?
Yes, privacy is front and center in the media. In the retirement industry, however, the brightest spotlight has not come from the media. Instead, grassroots privacy concerns from participants and plaintiffs’ lawyers have caught the attention of industry organizations like NAPA.
Plan sponsors and plan fiduciaries are increasingly asking questions about and negotiating limitations on the use of plan data by vendors, including advisors, education providers, recordkeepers and other providers of retirement plan services. This chorus continues to grow in size, with participants, plaintiffs, industry groups, plan sponsors, fiduciaries and service providers already focused on the issue, and regulators and legislators signaling that they too are interested. With this increased focus, there is greater potential that new rules will develop as a result of industry self-regulation, legislation, government regulation or judicial decisions.
The third and final key question is: Given the current legal framework and increased attention, what should an advisor be doing now?
Advisors wear many hats in this process. In supporting their clients, advisors play an essential role in understanding their privacy interests and concerns and helping them negotiate agreements with service providers. Advisors themselves may also be using plan data and need to consider their clients’ positions on the use of their plan and participant data, whether as part of a plan, in wealth management, or in some other function. Thus, advisors should stay up to date on the various data privacy laws, because to the extent that they hold this data, they may face their own responsibilities in holding and utilizing it.
In summary, advisors are likely to be well served by paying proactive attention to privacy matters now so that they are well positioned to support their clients and their own business activities in the future.
The author thanks his colleague, Kevin Walsh, for his input on this column.
David N. Levine is a principal with Groom Law Group, Chartered, in Washington, DC. This column appears in the latest issue of NAPA Net the Magazine.