Not yet a Member?
HR Magazine is highlighting the next generation of HR leaders.
Is your employee handbook ready for the New Year? With SHRM’s Employee Handbook Builder get peace of mind that your handbook is up-to-date.
30+ HR education programs, including 4 NEW programs on hot topics, are available for registration.
Join us in Chicago for the latest trends and technology in talent management, and what to expect in the future.
A Supreme Court case is a reminder to protect participant’s private data
In recent weeks, much of the discussion around a recent Supreme Court case,
Gobeille v. Liberty Mutual Insurance Co., has focused on the Employee Retirement Income Security Act (ERISA) preemption. But for fiduciaries of benefit plans, the case can serve as a reminder of important duties that often go unexplored—protecting the private data of participants.
Briefly, the case challenged a Vermont law that required reporting of health care claim payments to a state agency for inclusion in a health care database. A great deal of sensitive and personal data hovers in and around employee health and benefits plans. It seems like news of data breaches can be seen almost daily in the headlines. And anyone familiar with databases maintained for plans can imagine what alluring targets they must be. On top of that, when one considers how often this data is shared with third parties in day-to-day plan administration, (consultants, third-party administrators, payroll providers, investment advisors, etc.) data breaches will increasingly expose fiduciaries and plans to liability.
When a fiduciary sits down to think about its responsibilities to participants in regards to personal information, a complex and often unclear picture emerges. And a large part of that picture comes outside of the “ERISA-box” plan fiduciaries typically consider. The few court cases exploring this subject are generally not brought as ERISA claims, but rather are based on financial regulations and consumer protection laws. As fiduciary standards continue to evolve and differences in privacy protection laws appear from jurisdiction to jurisdiction, there are a host of laws and regulations to keep in mind.
A short list of legislation that touch on the area includes: the Health Insurance Portability and Accountability Act; the Gramm-Leach Bliley Act; the Federal Trade Commission Act; the Fair Credit Reporting Act; the Fair and Accurate Credit Transactions Act, along with numerous state laws relating to “personally identifiable information” and “protected health information.”
At this point, even though the scope of a fiduciary’s duty under ERISA with respect to data protection has yet to be addressed by the courts and the DOL, there are still a number of practical steps that plan sponsors and other fiduciaries can take in the hope of preventing problems.
Unfortunately, data breaches are here to stay and so are government agencies’ attempts to develop guidance on how they should be handled. Plan sponsors and other fiduciaries need to be aware of these sensitive issues and put into place defensible policies and procedures. Such actions will not only help protect participant information but will also help limit exposure to liability for the plan and the fiduciaries to the myriad of laws aimed at these issues.
Dan O'Neil is an attorney in the Albany, N.Y. office of Jackson Lewis. © 2016 Jackson Lewis P.C. All rights reserved. Reposted with permission.
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Your session has expired. Please log in again before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
Become a SHRM Member
SHRM’s HR Vendor Directory contains over 3,200 companies