How Careful Are You with Managing Participants’ Data?

In today’s digital world, we all have a lot of data and personal information stored online – information like e-mails, phone numbers, personal contacts, and even financial asset values and information. Most of us trust companies (like banks, financial institutions, social media, and tech firms) to manage and protect this information and provide us with it in a matter of seconds. This raises some concerns about “who has access to this data,” and how can they protect it.

In this video, we talk about sensitive financial data in retirement plans and how everyone – vendors, employers, and employees should be protecting it.

Specifically – does your organization have guidelines to protect employees' data? Who’s responsible for this data – the employer, the vendor, the employee?


Video Transcript:

Hey, this is Alex Assaley with AFS 401(k) Retirement Services. As most of you know, every day, our team is working to create high-quality, valuable, and compliant retirement plans for your organization and your employees. Our team just participated in our trade association, The National Association Plan Advisors Fly-In Forum, where a hundred advisors from all across the country came here to the DC area to talk about legislative and regulatory policy in retirement plans.

And there are two pretty significant bills, one in the Senate, and one in the House, working their way towards perhaps becoming law that will have significant enhancements and impact with respect to 401(k) and 403(b) plans. But I wanted to touch on a topic that the Department of Labor spoke about at the event, which is around participant data. So, there have been a couple of court cases around this as to whether participant data things like your employees, email addresses, and their personal contact info is something that vendors can have access to and use to solicit or sell products and services, or if it's a plan asset. And this is important with the growing evolution of retirement and financial advice merging together.

But also, with the threat of data and cybersecurity so far, there hasn't been clear guidance or really a roadmap from the pending lawsuits or litigation that's happened in these cases. And the Department of Labor is not opined on whether participant data are assets owned by the plan.

Our advice to retirement committees and plan sponsors is to be thoughtful, vigilant, and have proactive governance on how you are managing your participant, and your employee's data that goes inside their 401(k) plan. Make sure you have controls in place to protect it and understand if your service providers are using it in any way, shape, or form. And then finally, the Department of Labor put out guidance last year around cybersecurity.

It's imperative that retirement committees, that advisory firms like ours, and practitioners within the industry are going through this guidance and analyzing your service providers, analyzing your internal processes to ensure you're complying with the recommendations and guidance from the DOL with respect to cybersecurity.

This is something that we're working on continuously with many of you. And if you have thoughts, questions, or feedback, I'd love to hear your opinion. Love to hear from you. Thanks! See you soon! See you soon!