4 Practical Law
© 2021 Thomson Reuters. All rights reserved. Use of Practical Law websites and services is subject to the Terms of Use
(static.legalsolutions.thomsonreuters.com/static/agreement/westlaw-additional-terms.pdf) and Privacy Policy (a.next.westlaw.com/Privacy).
Cybersecurity and ERISA Fiduciary Responsibilities for Retirement Plans
Plan Assets and Cybersecurity
ERISA recognizes a fiduciary duty to protect plan
assets, but that definition has not yet been extended to
specifically encompass plan data, though case law is
developing in this area.
Under ERISA Section 3(42), the term “plan assets”
means plan assets as defined by the regulations
(29 U.S.C. § 1002(42)). The regulations define two broad
categories of plan assets, which are:
• Plan investments. When a plan invests in another
entity, the plan’s assets include its investment but
do not, solely by reason of this investment, include
any of the underlying assets of the entity (29 C.F.R.
§ 2510.3-101(a)(2)).
• Participant contributions. Participant contributions
are amounts that a participant or beneficiary pays
to an employer or that a participant has withheld
from the participant’s wages by an employer
(29 C.F.R. § 2510.3-102(a)(1)).
ERISA Section 406 prohibits a plan from engaging in a
transaction where the plan knows that this transaction
involves a transfer to or use by or for the benefit of a party
in interest of any assets of the plan (29 U.S.C. § 1106).
Under ERISA Section 406, if the definition of a plan
asset includes the actual data and information that
plans maintain, fiduciaries may be liable for a prohibited
transaction related to any misuse or self-dealing
regarding these assets or security breaches resulting from
the transfer of this data between the plan sponsor and
other plan parties in interest.
The regulations do not suggest that PII, account
information, and other data that plans maintain fall within
the definition of a plan asset.
Plan Asset Case Law
Case law is emerging that may establish that participant
information and data are plan assets to which the ERISA
fiduciary duties and responsibilities apply. These
developments may further complicate prohibited
transaction analyses.
One court has noted that there is not a single case
in which a court has held that releasing confidential
information or allowing someone to use confidential
information constitutes a breach of fiduciary duty
under ERISA or that this information is a plan asset in
a prohibited transaction (Divane v. Nw. Univ., 2018 WL
2388118, at *12 (N.D. Ill. May 25, 2018), aff’d on other
grounds, 953 F.3d 980 (7th Cir. 2020)).
Plan participants are raising fiduciary breach claims
when their data is disclosed to third parties for product
marketing based on arguments that their data is a
valuable plan asset to be used for their exclusive benefit to
provide plan benefits.
In Cassell v. Vanderbilt University, the plaintiffs brought
both breach of fiduciary duty claims and claims for
violations of prohibited transaction rules, alleging that the
plan allowed plan service providers to use their positions
as recordkeepers to obtain access to participants, learning
their ages, length of employment, contact information,
account sizes, and investment choices, and used that
information in marketing lucrative investment products
and wealth management services to participants as
they neared retirement and before retirement. The case
settled before progressing through motion practice,
but the settlement contained one provision requiring
the plan’s current recordkeeper to refrain from using
information about plan participants acquired in the course
of providing recordkeeping services to the plan to market
or sell products or services unrelated to the plan unless a
request for these products or services is initiated by a plan
participant (285 F. Supp. 3d 1056 (M.D. Tenn. 2018)).
More recently, in Harmon v. Shell Oil Company, the US
District Court for the Southern District of Texas determined
that it was unable to conclude that participant data is a
plan asset under ERISA and granted a motion to dismiss
the case (2021 WL 1232694 (S.D. Tex. Mar. 30, 2021)).
Cases continue to emerge regarding the use of
participant confidential information to market financial
products and services outside the benefit plan, and
this case law is likely to evolve in determining whether
participant information and data are plan assets to which
ERISA fiduciary responsibilities may extend.
Plan sponsors and fiduciaries should:
• Recognize these developments.
• Take prudent steps to manage and protect participant
data.
• Ensure that the data is used for the exclusive interest of
participants.
• Monitor state requirements related to notifications
to employees concerning use of their data and
determine the applicability of these requirements
to plan participants (for example, there are notice
requirements under the California Consumer Privacy
Act (CCPA) of 2018 and California Privacy Rights Act
(CPRA) of 2020 regarding use of employee data and
sensitive personal information).