Confero Summer 2015: Issue 11 | Page 10

Participant Data and Fiduciary Responsibility in the Information/Innovation Age
By Michelle Capezza

With recent advances in plan administration technology, online enrollment, electronic access to account information and electronic benefit plan transaction processing, personally identifiable information ("PII") and other plan data have become increasingly vulnerable to attack as they travel through employer and third-party systems. Earlier this year, the attack on Anthem's information technology system, which compromised the personal information of individuals covered under numerous health plans (including PII, bank account and income data, and Social Security numbers), raised questions of privacy and security under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), and there have been other similar attacks. These cases remind us that in today's world, plan participant information, whether protected health information (PHI), PII or retirement savings account information, is vulnerable to theft.

In 2011, the Advisory Council on Employee Welfare and Pension Benefit Plans (the "Council") studied the importance of addressing privacy and security issues in employee benefit plan administration. The Council examined concerns about potential breaches of the technological systems used in the employee benefit industry, the misuse of benefit data and PII, and the impact on all parties who share, access, store, maintain and use PII, including, but not limited to, plan sponsors and fiduciaries, trustees, participants, plan administrators, third-party administrators (TPAs), record keepers, investment advisors and other service providers.
The Council identified several areas of vulnerability, including (i) theft of personal identities and other PII, (ii) theft of money from bank accounts, investment funds and retirement accounts, (iii) unsecured or unencrypted data, (iv) outdated and low-security passwords, (v) hacking into plan administration, service provider and broker systems, (vi) email hoaxes, and (vii) stolen laptops, or data captured from public computers on which participants logged into their accounts. The Council recommended that the U.S. Department of Labor (the "DOL") issue guidance on the obligation of plan fiduciaries to secure PII and develop educational materials. To date, the DOL has issued no such guidance.