For years, there has been a persistent trend toward outsourcing retirement plan recordkeeping and other administrative responsibilities. Although historically more prevalent for defined contribution plans, this outsourcing trend has been accelerating for defined benefit plans thanks, in part, to the prevalence of frozen plans (i.e., no more benefit accruals) and the potential for administrative cost savings. But service providers will be quick to remind plan fiduciaries that lightening the administrative load does not include transferring fiduciary duties. When selecting and monitoring a service provider, one key issue facing retirement plan fiduciaries is their duty with respect to the privacy and security of plan participant data.
As we previously discussed, managing and administering retirement plans also means managing and protecting an extensive trove of personal data. Although there is no overarching privacy law governing retirement plans, fiduciaries must adhere to the “prudent expert” standard of care in fulfilling their duties, and, in the current environment, it can be expected that courts will be sympathetic to assertions that the privacy and security of plan participant data fall within the scope of those duties. Given that fiduciaries are personally liable for their fiduciary breaches, and considering that the cost of a data breach can run into the millions of dollars, the sensible course of action for retirement plan fiduciaries is to be continuously diligent and attentive regarding data privacy and security. This extends to diligence and care in structuring the outsourcing agreement.