Fidelity evades suit alleging use of personal information to market financial products was fiduciary breach

On March 30, 2021, the U.S. District Court for the Southern District of Texas dismissed claims in Harmon v. Shell Oil Co. that Fidelity breached its fiduciary duties under the Employee Retirement Income Security Act of 1974 (ERISA) when it used participant data it maintained as plan recordkeeper to sell financial products and services separate from the plan. Participants argued that their names, contact information, investment history, account balances, projected retirement dates, etc., are plan assets, which impose specific obligations under ERISA on the person or people who manage the plan. However, the court reviewed the plain meaning of the ERISA statutory and regulatory definitions of plan assets, which refer to investments but not to data, and dismissed both the breach of fiduciary duty and the prohibited transaction claims against the recordkeeper. In keeping a narrow definition of plan assets, this ruling rejects the claim that cross-selling by plan recordkeepers based on participant data is an ERISA violation and likely limits who can be sued in the future.

What You Should Know

  • Despite the ruling, it is clear that many plan participants do not approve of personal information being used to cross-sell. Litigation suggests they are not interested in having participant data used to help recordkeepers or advisors market other products and services to them.
  • Plan sponsors should address the use of participant data and cross-selling in their recordkeeper agreements.
  • Discussions on data protection with service providers can begin at the RFP phase. Plan sponsors are advised to ask, during the RFP phase of engagement, what data a service provider needs and for what purpose. Information about cross-marketing practices should also be obtained through the RFP phase, and a limited scope for the use of participant data should be established.
  • This outcome diverges from the 2019 Cassell v. Vanderbilt University settlement, in which $14.5 million was paid to resolve claims over use of participant data. While the court did not rule on the participants' claim, Vanderbilt agreed to prohibit the plan's recordkeeper from using participant information acquired in the course of providing recordkeeping services to market other products or services to participants unless a request for such products or services is initiated by a participant. The U.S. Supreme Court has yet to weigh in on this issue.