Data Insecurity: It’s Not Just the Hack

Employers need to pay attention to how retirement plan providers use participant data – and start establishing limits on how that data can be used.

Data and data security are hot topics; for example, the Equifax data breach affected over 143 million Americans, triggered Congressional hearings and caused C-suite heads to roll at Equifax.

Although big data breaches and hacking grab headlines, employers should also be paying attention to the many completely legal – and commonplace – practices that happen every day without any headlines, yet can have a significant impact on their employees.

Retirement plan providers are subject to fairly weak rules regarding internal sharing of your employee financial information. These providers can, with few constraints, share your employees’ sensitive financial data with other business units that have nothing to do with your retirement plan. So, employees’ retirement data can be used to target employees to cross-sell brokerage and insurance products. This allows providers to target employees with higher account balances and those incurring distributable events – market segments that may be particularly lucrative.

Access to confidential participant data clears the way for targeted sales campaigns designed to achieve the provider’s sales goals. Age, account balance, contribution rate, zip code, beneficiary relationship and account type are just a few of the demographic elements that are used to develop highly effective campaigns designed to steer plan participants into financial products that have not been discussed with the plan sponsor. Agents are trained to sell. They (and their sales supervisors) are evaluated based on sales results and the desire to help plan participants is compromised by the necessity to satisfy and exceed assigned goals. While there are certainly agents who are committed to doing the right thing, the requirement – and the incentives – to sell product ultimately takes priority.

Additionally, investment advisors are very mobile professionals, and regularly move from firm to firm. There are strong incentives for these advisors to take employee information with them and few practical constraints to identify and prevent this misappropriation of your employees’ data. Indeed, your retirement plan providers have a strong interest in sweeping misappropriation of employee data under the rug – publicity about such misappropriation would draw attention to the vulnerability of that data.

There is a stark difference in the U.S. legal system between the treatment of personal financial data and health data.

Under HIPAA, entities with personal health information (“PHI”) are subject to stringent rules regarding internal access and uses of PHI, reporting of breaches of PHI and penalties for such breaches. This is simply not the case for retirement plan providers.

There is a growing recognition that data represents an extraordinarily valuable economic resource; indeed, some consider data the most valuable resource of the 21st century. Until more robust restrictions are imposed, retirement plan providers have powerful motivation – and plenty of opportunity – to harvest that resource for their benefit.