After a group of trade associations voiced concerns over the Department of Labor subpoenaing large swaths of retirement plan information, including participants' personally identifiable information, during ERISA investigations, a high-ranking department official defended the regulator's actions, noting that it has broad subpoena authority and works diligently to safeguard the information it obtains.
"The agency is careful to request the data it needs to complete its investigations and has systems and protocols in place to prevent the loss of personally identifiable information (PII) and protect all data during use, transit, and storage," said Timothy D. Hauser, deputy assistant secretary for program operations of the Labor Department's Employee Benefits Security Administration, in a letter sent Tuesday and reviewed by Pensions & Investments. "In many cases, PII is critical to resolving factual issues, pursuing leads, and resolving the scope and nature of ERISA violations."
Mr. Hauser's letter was sent in response to a Sept. 20 letter addressed to Labor Secretary Marty Walsh by a collection of 10 trade groups: U.S. Chamber of Commerce, SPARK Institute, Small Business Council of America, Securities Industry and Financial Markets Association, National Association of Professional Employer Organizations, National Association of Insurance and Financial Advisors, Insured Retirement Institute, Investment Company Institute, ERISA Industry Committee, and American Benefits Council.
The groups said they were concerned with the Labor Department's "use of its subpoena power over a service provider to obtain, without consent, plan participants' confidential information and personally identifiable information (PII), including names, home addresses, phone numbers, email addresses, social security numbers, banking information, asset information, investment information, beneficiary information, and contribution levels."
Moreover, "We are extremely concerned that by demanding the release of large amounts of unredacted plan-related information, including PII, DOL is creating substantial risk regarding participant data security," the groups wrote.
The letter references the Labor Department's investigation into record keeper Alight Solutions' cybersecurity practices. That investigation began in 2019 after EBSA discovered Alight processed unauthorized distributions as a result of cybersecurity breaches relating to its ERISA plan clients' accounts, the agency has said in court filings.
Alight has fought the department in court, but in August, the 7th U.S. Circuit Court in Chicago upheld an October 2021 ruling by a U.S. District Court in Chicago that found that Alight must turn over requested documents to the Labor Department.
The trade groups said they are concerned that the Alight subpoena and litigation "now marks the beginning of a new policy direction where the DOL collects PII and other unredacted information from more service providers on millions of Americans without any finding of a fiduciary breach and all without the input or consent of critical stakeholders, namely plan sponsors and participants."
In response, Mr. Hauser said service provider investigations are complex and when a service provider refuses to "cooperate with investigations for protracted periods, as has recently been the case in at least one important cybersecurity investigation, the result can be further delay."
However, Mr. Hauser added, "An ongoing investigation does not mean that EBSA has not identified any violations. The subject of an investigation will generally be notified of a determination by letter once the investigation is completed."
One of the major concerns the trade groups outlined in their letter is that "the safety and security of this data depends, in large part, on the care taken by individual DOL enforcement members who obtain or have access to this data. There is little information available to the public about how DOL secures and protects the information it collects, who within DOL has access to the data, and when and how such information is securely purged from DOL's systems."
The trade groups suggested that the Labor Department "collect only necessary data" and "promptly destroy data and information once it is no longer needed," among other items.
For its part, EBSA fully recognizes the seriousness of safeguarding PII that the agency obtains during investigations, Mr. Hauser said.
Tim Rouse, executive director at the SPARK Institute, which represents retirement industry players such as record keepers, investment advisers, mutual fund companies and benefit consultants, said in an email that while the industry respects the department's regulatory authority and its responsibility to validate compliance through audits, "We believe a better process is necessary and welcome the opportunity to discuss with the department our thoughts on how collectively we can work together to achieve that common goal."
Kent Mason, a partner with law firm Davis & Harman who serves as outside counsel to the American Benefits Council, took issue with several parts of the Labor Department's response.
One instance was Mr. Hauser's statement that "given the large cybersecurity breaches that have occurred over the past few years, cyber criminals likely already have many participants' personally identifiable information. In light of the severity of the threats, it is crucial for service providers to have strong control systems and cybersecurity procedures that prevent criminals from using this PII to access participants' and beneficiaries' account balances."
Later in the response, Mr. Hauser referenced the department's April 2021 cybersecurity guidance for plan sponsors, plan fiduciaries, record keepers and plan participants.
In an email, Mr. Mason said, "We completely agree that service providers need to maintain strong cybersecurity systems, but I was frankly stunned that DOL is downplaying the importance of protecting participants' PII by making the unsubstantiated claim that such PII is already widely in criminals' hands. DOL seems to be saying that we have already lost the battle to preserve the confidentiality of participants' PII, so our focus should be elsewhere. This is extremely disappointing coming from a federal agency."