- Service providers sell side products to keep costs low
- Litigation has centered on plan data as a ‘plan asset’
A federal watchdog agency is investigating the use of 401(k) data to market extra financial products to savers, an emerging industry practice to keep consumer costs down that has critics calling foul over privacy concerns.
The US Government Accountability Office confirmed this week to Bloomberg Law that it is in the process of asking industry associations, plan service providers, privacy advocacy groups, and relevant federal agencies about plan data sharing practices with an eye to obtaining information on cross-selling and third-party sales. A growing number of plans allow their recordkeepers to promote financial education and wellness products to participants in exchange for low investment management and advisory fees in their underlying plans.
Participant data has emerged as a hot-button issue in federal benefits law as courts grapple with whether to treat workers’ account balances and retirement ages with the same discretion as actual plan assets—the dollars and cents held in trust. A 2022 letter from two labor oversight congressional committees requested that the GAO address the issue because “retirement plans are largely free to do what they want with the information they collect.”
“As a consumer, I’m not someone who is terribly concerned about my data being sold,” said Kendra Isaacson, a principal at Washington lobbying firm Mindset and former congressional staffer who helped draft the 2022 letter. “There’s a way it can be used for good, but I still don’t know exactly how it’s used. Unless you’re really in that world, I’m not sure many people do know how it’s being used.”
Key questions investigators are asking include how retirement data is collected and shared, the potential benefits and risks of current practices, and how both private-sector providers and regulators protect consumer data, a GAO spokesperson told Bloomberg Law via email.
Officials said they couldn’t comment on the timing of the investigation, but it appears to be in the early stages, according to industry groups who have already been contacted by the GAO.
The nonprofit, independent agency typically issues public reports once investigations have concluded with clear objectives and recommendations for Congress and administrative agencies.
Data Assets
Recordkeepers, investment managers, and benefits advisers have collected troves of valuable information on participants, but ambiguity remains over what they can do with it. Lawmakers requesting the GAO report said they wanted to “examine the need for federal data privacy laws for retirement plans,” a notion that could throw a wrench in an unsettled area of the law.
Data privacy litigation has so far centered on whether personally identifiable information and other saver stats qualify as “plan assets” in the traditional sense, but there are problems with that, since it can’t be equally allocated to participants and beneficiaries or quantified in annual reports to the US Labor Department.
“The issue of whether plan data is a plan asset is a red herring,” said Michael L. Hadley, a partner at Davis & Harman LLP who represents the American Benefits Council. “We need to meet participants where they are, and data is an important component of that. It comes from a lot of sources.”
No court has ruled that data are assets, but at least four university annuity 403(b) plan excessive-fees cases have ended in settlements expressly prohibiting the use of data for cross-selling purposes unless participants ask about other financial products a firm sells. Cybersecurity broadly remains unsettled in the courts, said Will Hansen, chief government affairs officer at the American Retirement Association.
ARA, ABC, and other industry groups that may be featured in the GAO’s report told Bloomberg Law they are committed to working closely with investigators as they do their work, but representatives cautioned against the need for a law or additional regulatory scrutiny.
The US Labor Department issued subregulatory guidance on cybersecurity “best practices” for both plan sponsors and service providers in 2021, a move that previewed the launch of a targeted auditing campaign that has measured plans’ defenses against outside digital attacks.
That DOL guidance was updated earlier this year to clarify that data security measures apply to welfare plans as well. The 1996 Health Insurance Portability and Accountability Act (Pub. L. No. 104-199), better known as HIPAA, already protects participant data in employer-sponsored health and welfare plans, but no such privacy law exists in the retirement space.
Selling products within the framework of an existing plan is a “viable way for a service provider to provide other services,” said Hansen. “My gut is telling me that, since no plan sponsor has complained to me about this, there’s a good system in place.”