Considering Best Data Practices for ERISA Fiduciaries
Michelle Capezza, a Member of Epstein Becker Green in the Employee Benefits and Health Care and Life Sciences practices, in the firm’s New York office, and August Emil Huelle, an Associate in the Employee Benefits and Labor and Employment practices, in the firm’s New York office, authored an article in Law360, titled “Considering Best Data Practices for ERISA Fiduciaries.” 

Following is an excerpt (see below to download a PDF of the full article):

Employee benefit plan fiduciaries are charged with meeting a prudence standard when discharging their duties solely in the interest of plan participants and beneficiaries. With increasing regulation of benefit plans, these duties and associated responsibilities are mounting. With advancements in technology, online enrollment and access to account information, as well as benefit plan transaction processing, participant identifiable information and data have become increasingly vulnerable to attack as they travel through employer and third-party systems.

Earlier this year, the attack on Anthem Inc.'s information technology system, which compromised the personal information of individuals under numerous health plans (including personally identifiable information, bank account and income data, and Social Security numbers), raised questions of privacy and security under the Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act, and there have been other similar attacks.

These cases remind us that in today’s world, plan participant information, whether it be protected health information, personally identifiable information or retirement savings account information, is vulnerable to theft. Employee Retirement Income Security Act plan fiduciaries must not only act prudently in responding to a breach of their plan participants’ PHI, but should also consider developing prudent policies and procedures with respect to the handling and transmission of all PII and participant data in the regular course.