Participant Data and Fiduciary Responsibility in the Information/Innovation Age

By Michelle Capezza

Summer 2015

With recent advancements in plan administration technology, online enrollment and electronic access to account information, as well as benefit plan transaction processing, personally identifiable information (“PII”) and other participant data have become increasingly vulnerable to attack as they travel through employer and third party systems. Earlier this year, the attack on Anthem’s information technology system, which compromised the personal information of individuals under numerous health plans (including PII, bank account and income data, and Social Security numbers), raised questions of privacy and security under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), and there have been other similar attacks. These cases remind us that in today’s world, plan participant information, whether it be protected health information (PHI), PII, or retirement savings account information, is vulnerable to theft.
In 2011, the Advisory Council on Employee Welfare and Pension Benefit Plans (the “Council”) studied the importance of addressing privacy and security issues with respect to employee benefit plan administration. The Council examined concerns about potential breaches of the technological systems used in the employee benefit industry, the misuse of benefit data and PII, and the impact on all parties who share, access, store, maintain and use PII, including, but not limited to, plan sponsors and fiduciaries, trustees, participants, plan administrators, third party administrators (TPAs), record keepers, investment advisors, and other service providers.
The Council recognized several potential areas of vulnerability, including (i) theft of personal identities and other PII, (ii) theft of money from bank accounts, investment funds, and retirement accounts, (iii) unsecured/unencrypted data, (iv) outdated and low security passwords, (v) hacking into plan administration, service provider, and broker systems, (vi) email hoaxes, and (vii) stolen laptops or data hacked from public computers where participants logged into accounts.
The Council recommended that the U.S. Department of Labor (the “DOL”) provide guidance on the obligation of plan fiduciaries to secure PII and develop educational materials. To date, the DOL has issued no such guidance.