A Supreme Court case is a reminder to protect participants' private data
In recent weeks, much of the discussion around a recent Supreme Court case, Gobeille v. Liberty Mutual Insurance Co., has focused on Employee Retirement Income Security Act (ERISA) preemption. But for fiduciaries of benefit plans, the case can serve as a reminder of important duties that often go unexplored, namely protecting the private data of participants.
Briefly, the case challenged a Vermont law that required reporting of health care claim payments to a state agency for inclusion in a health care database. A great deal of sensitive and personal data hovers in and around employee health and benefits plans. News of data breaches seems to appear in the headlines almost daily, and anyone familiar with the databases maintained for plans can imagine what alluring targets they must be. On top of that, when one considers how often this data is shared with third parties in day-to-day plan administration (consultants, third-party administrators, payroll providers, investment advisors, etc.), data breaches will increasingly expose fiduciaries and plans to liability.
When a fiduciary sits down to think about its responsibilities to participants with regard to personal information, a complex and often unclear picture emerges. A large part of that picture lies outside the "ERISA-box" plan fiduciaries typically consider. The few court cases exploring this subject are generally not brought as ERISA claims, but rather are based on financial regulations and consumer protection laws. As fiduciary standards continue to evolve and differences in privacy protection laws appear from jurisdiction to jurisdiction, there are a host of laws and regulations to keep in mind.
A short list of legislation that touches on the area includes the Health Insurance Portability and Accountability Act; the Gramm-Leach-Bliley Act; the Federal Trade Commission Act; the Fair Credit Reporting Act; and the Fair and Accurate Credit Transactions Act, along with numerous state laws relating to "personally identifiable information" and "protected health information."
At this point, even though the scope of a fiduciary’s duty under ERISA with respect to data protection has yet to be addressed by the courts and the DOL, there are still a number of practical steps that plan sponsors and other fiduciaries can take in the hope of preventing problems.
Unfortunately, data breaches are here to stay, and so are government agencies' attempts to develop guidance on how they should be handled. Plan sponsors and other fiduciaries need to be aware of these sensitive issues and put into place defensible policies and procedures. Such actions will not only help protect participant information but will also help limit the exposure of the plan and the fiduciaries to liability under the myriad laws aimed at these issues.
Dan O'Neil is an attorney in the Albany, N.Y. office of Jackson Lewis. © 2016 Jackson Lewis P.C. All rights reserved. Reposted with permission.