For years, there has been a persistent trend toward outsourcing retirement plan recordkeeping and other administrative responsibilities. Although historically more prevalent for defined contribution plans, this outsourcing trend has been accelerating for defined benefit plans thanks, in part, to the prevalence of frozen plans (i.e., no more benefit accruals) and the potential for administrative cost savings. But service providers will be quick to remind plan fiduciaries that lightening the administrative load does not include transferring fiduciary duties. When selecting and monitoring a service provider, one key issue facing retirement plan fiduciaries is their duty with respect to the privacy and security of plan participant data.
As we previously discussed, managing and administering retirement plans also mean managing and protecting an extensive trove of personal data. Although there is no overarching privacy law governing retirement plans, fiduciaries must adhere to the “prudent expert” standard of care in fulfilling their duties, and, in the current environment, it can be expected that courts will be sympathetic to assertions that privacy and security of plan participant data are within the scope of those duties. Given that fiduciaries are personally liable for their fiduciary breaches and considering the cost of a data breach can be in the millions of dollars, the sensible course of action for retirement plan fiduciaries is to be continuously diligent and attentive regarding data privacy and security. This extends to diligence and care in the structuring of the outsourcing agreement.
Such diligence could include data security requirements that a company would normally impose on a service provider that processes personal data in connection with its services. In this regard, fiduciaries could consider utilizing the standard addendum or attachment for data security/processing that the plan sponsor uses for its vendor arrangements. Introducing this addendum or attachment at the request for proposal (RFP) stage would help (1) ensure that service providers are chosen (or downselected) based on more than just price and (2) avoid difficult negotiations later in the contracting process.
Regardless of whether a plan sponsor’s “standard” attachment is used or fiduciaries work with counsel to prepare an attachment tailored for the specific outsourcing arrangement, considerations for the data security requirements include the following:
- A broad definition of “security breach” or “security incident” to avoid a situation where the plan fiduciary is not immediately notified about, or does not receive sufficient assistance with and reimbursement for, relevant security-related incidents.
- Strict limitations on any access to or use of participant/plan data (i.e., only as necessary to perform the services).
- Data retention and reconstruction requirements that avoid unauthorized destruction, loss, or alteration of participant/plan data.
- Restrictions on disabling devices that might interfere with the plan fiduciary’s access to participant/plan data.
- Specifically delineated requirements for security controls, testing, and continuous improvements.
- Restrictions on changes to the service provider’s controls that would adversely impact data protection.
- Restrictions on unauthorized subprocessing.
- Disaster recovery requirements, including that a disaster does not relieve the service provider of its data security obligations.
- Audit rights and reporting obligations so that the plan fiduciary can actually verify the service provider’s compliance with the data security requirements.
- Legal hold requirements in case any plan/participant-related litigation arises.
- Data breach procedures and remedies, including with respect to notifying affected individuals. Note that many companies will want to control any such notifications (at the service provider’s expense). Additionally, plan fiduciaries often consider specifically excluding data breach liability from the limitations of liability set forth in the outsourcing agreement.
One particular complication in the retirement plan administration setting is that an outsourcing relationship is often sticky and can last for well over a decade. Thus, plan fiduciaries that already have recordkeeping and other outsourcing agreements in place may consider reviewing and, as practical, renegotiating those agreements to update or add data security requirements. To further complicate matters, the plan administrator—frequently a fiduciary committee rather than the plan sponsor—is often the contracting party under the outsourcing agreement, such that the plan sponsor is one step removed from the service provider’s contractual obligations. When a problem arises, the plan sponsor may find itself largely dependent on the rights and assistance of the retirement plan fiduciaries, despite the fact that the plan sponsor will be an interested party to the resolution of any data security event. In this regard, the standard terms of a data security attachment may be inadequate and consideration could be given to addressing the following:
- Including an obligation that the service provider cooperate with or assist the plan sponsor in addressing the data security event.
- Extending remedies for a data security event to the plan sponsor (e.g., equitable relief or reimbursement).
- Extending any audit or reporting rights of the plan fiduciaries to the plan sponsor as well.
Furthermore, the plan sponsor may be part of a family of related companies with similar concerns about dealing with the fallout of a data breach. Therefore, any rights of the plan sponsor could be broadened to include the plan sponsor’s affiliates, particularly its ultimate parent.
Service providers often propose their own “standard” data security and privacy provisions early in the contracting process. While these standard provisions may end up as the foundation for an eventual agreement, close review and careful negotiation can be important parts of a prudent process. Plan fiduciaries should work closely with their employee benefits and outsourcing counsel to ensure that any agreement meets the needs of the retirement plan and the plan participants.
If you have any questions about your outsourcing arrangements in light of these considerations, please reach out to the authors or your Morgan Lewis contact.