As if there aren’t all ready far too many acronyms in our business with which to deal, a recent third circuit court case on website privacy policies and cyber security tells us we may yet have another.
Remembering that ERISA does NOT preempt the application of other federal law (like the SEC, Anti-Money Laundering, and the Patriot Act rules-just to name a few), which we continue to learn to integrate into our practices, we now may find ourselves needing to deal with the Federal Trade Commissions standards as well.
The issue arises from something as innocuous as the website privacy policies which are so commonplace on retirement plan vendor websites (you know, those things know one ever reads or pays attention to). Well, it appears to matter to the Federal Tead Commission.
Cybersecurity and data privacy issues are a growing concern for retirement plans and their vendors. There has been much written about these issues recently, and we have always felt that there really is an ERISA fiduciary standard that applies to the handling of a plan’s data.
Well, it looks like the federal courts now will recognize the FTC’s authority to govern such matters as well. Here’s how it works:
- The Federal Trade Commission Act prohibits “unfair or deceptive acts or practices in or affecting commerce,” under 15 U.S. Code § 45.
- An unfair trade practice is one which “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
- The FTC has taken the position that cybersecurity practices fall within its jurisdiction under this clause.
This all came to head in the case of FTC-v.-Wyndham-Worldwide, where the FTC brought suit against Wyndham for its misleading data privacy policy, and its faled data privacy practices. These failed practices lead to serious data breaches. In the court’s ruling , they found that Wyndham “unreasonably and unnecessarily” exposed consumer’s electronic data to unauthorized data and theft, while misrepresenting their security practices in its privacy policy.
There is quite a “list of horribles” in which Wyndham engaged, including its failing to
- adopt “adequate information security policies and procedures;”
- use “readily available security measures”—such as firewalls—to limit access between Wyndham’s other corporate networks; and
- employ “reasonable measures to detect and prevent unauthorized access” to its computer network.
What should we take from all of this, on the retirement plan side? Consider knowing what’s in your privacy policy; do what you say you are doing in the policy; and consider adopting reasonable cybersecurity practices.