Safeguarding Participant Data

Although ERISA does not explicitly designate participant data as a plan asset, recent litigation suggests that plan sponsors will want to make an effort to safeguard data and limit what they share with service providers.

Several best practices for plan sponsors have emerged as a result of the settlements.

What you should know

  • Plan participants do not approve of personal information being used to cross-sell. Recent litigation suggests that plan participants are not interested in having their personal information used to help recordkeepers or advisors market other products and services to them. This data includes investment choices, age, and account balances, among other factors.
  • Recent settlement impacts responsibilities of plan sponsors. A case brought by participants in a Vanderbilt University plan argued that participant data should be covered under ERISA as a plan asset[1]. The case relied on an expanded interpretation of Interpretive Bulletin 96-1 from the Department of Labor on investor education to require fiduciary protection of information. While the court did not rule on the participants' claim, Vanderbilt agreed in a settlement to prohibit the plan's recordkeeper from using participant information acquired in the course of providing recordkeeping services to market other products or services to participants unless a request for such products or services is initiated by a participant.
  • For the first time a recordkeeper has been named in a suit alleging the use of participants’ personal information to market financial products. Shell Oil Co. and Fidelity have been hit with a recent proposed class action alleging excessive fees and improper use by Fidelity of participants’ personal data as a way to market Fidelity’s products even though those products are unrelated to the plan. Fidelity denies that it used participant information in this manner.[2]
  • Plan sponsors should begin discussions on data protection with service providers at the RFP phase. It is advisable for plan sponsors to inquire during the RFP phase of engagement about what data a service provider needs and for what purpose. Information about cross-marketing and cybersecurity practices should also be obtained through the RFP phase, and a limited scope for the use of participant data should be established.


The amount Vanderbilt University paid to resolve claims over incorrect use of participant data[1]