The Labor Department should develop additional guidance to protect consumers' data privacy, according to the Government Accountability Office.
"Retirement plan sponsors, typically a person's employer, share participant information, including personally identifiable information (PII), with service providers, such as asset managers and record keepers, who help administer the plan," GAO states in a just-released report.
However, these providers may also use PII and other information "to market financial products and services or, in some cases, sell this information," according to GAO's review of 31 service provider privacy disclosures, the report states.
"As more entities gain access to participant data, the chance that their information may be inadvertently exposed increases, putting participants at greater risk of identity theft or other fraudulent activity," according to the agency.
Service providers that GAO interviewed noted, however, that greater use and sharing of participant information helped them to more effectively target products and services that might benefit participants, according to the report.
While federal agencies and states have taken some steps to protect consumer data privacy, Labor has not taken actions against retirement plans for sharing participant data.
The Employee Retirement Income Security Act of 1974 "does not address data privacy explicitly, but DOL officials said that the agency believes that ERISA's duties of prudence and loyalty should sufficiently deter plan sponsors and service providers from unauthorized uses of participant data," GAO's report continues.
Labor also issued cybersecurity guidance in April 2021 that discussed data privacy "as a component of cybersecurity," the report states. However, "DOL's guidance does not include detailed information about good practices for sharing data about plan participants."
Additional guidance, GAO states, "would better position plan sponsors and service providers to understand acceptable uses of participant data and the circumstances in which they should obtain permission to use or disclose information about participants, particularly given potentially differing state requirements."