Jump to content

If one has the participant’s e-mail address, why not just attach the document to be furnished?


Recommended Posts

 

As BenefitsLink this morning reported, tomorrow’s Federal Register will publish notice of a proposed rulemaking under which fiduciaries of an ERISA-governed retirement plan could furnish some ERISA-required communications under a notice-and-access regime with a notice that the communication is available at a plan-maintained website.  Relying on the new regime would require, among other conditions, having an electronic address for the person entitled to the communication to be furnished.

 

If that electronic address is an e-mail address (rather than a smartphone number):

 

Is there a reason why a plan’s fiduciary should not attach to the e-mail message a .pdf of the document to be furnished?  (One could do this besides posting the document on a website.)

 

Is there ever a situation in which attaching a .pdf could be harmful to the e-mail’s addressee?

Peter Gulia PC

Fiduciary Guidance Counsel

Philadelphia, Pennsylvania

215-732-1552

Peter@FiduciaryGuidanceCounsel.com

Link to comment
Share on other sites

The recipient's mailbox may be full (or close to full) and the added size of the attachment could cause the message not to be received.

PDF files are a common vector for transmission of malware and viruses. If the sender's PC is infected, they could be unwittingly transmitting the infection to the recipient.

These both seem like very remote possibilities. The size of a properly created PDF is usually not more than a few dozen KB, and the second threat can be reasonably mitigated with appropriate security measures. 

Free advice is worth what you paid for it. Do not rely on the information provided in this post for any purpose, including (but not limited to): tax planning, compliance with ERISA or the IRC, investing or other forms of fortune-telling, bird identification, relationship advice, or spiritual guidance.

Corey B. Zeller, MSEA, CPC, QPA, QKA
Preferred Pension Planning Corp.
corey@pppc.co

Link to comment
Share on other sites

Mike Preston, thank you.  Many people imagine tomorrow's proposed rule as about communications that lack an individual's information (and even nonpublic information of other kinds); but a fiduciary would want to use prudent care with a communication that includes sensitive information.

Peter Gulia PC

Fiduciary Guidance Counsel

Philadelphia, Pennsylvania

215-732-1552

Peter@FiduciaryGuidanceCounsel.com

Link to comment
Share on other sites

Would any of the plan communications have ANY participant information in them?  Other than an asset statement, what else would have someone's name on it?

QKA, QPA, CPC, ERPA

Two wrongs don't make a right, but three rights make a left.

Link to comment
Share on other sites

My query did assume the communication would not have in it any addressee's name or other personal information.

So I'll try inviting comment again:

Is there a reason why a plan’s fiduciary should not attach to the e-mail message a .pdf of the document to be furnished?

Or am I right in my working assumption that there's no good reason not to attach a .pdf (assuming a reasonable size)? 

Peter Gulia PC

Fiduciary Guidance Counsel

Philadelphia, Pennsylvania

215-732-1552

Peter@FiduciaryGuidanceCounsel.com

Link to comment
Share on other sites

On 10/24/2019 at 4:46 PM, Peter Gulia said:

My query did assume the communication would not have in it any addressee's name or other personal information.

So I'll try inviting comment again:

Is there a reason why a plan’s fiduciary should not attach to the e-mail message a .pdf of the document to be furnished?

Or am I right in my working assumption that there's no good reason not to attach a .pdf (assuming a reasonable size)? 

 

1 hour ago, Gilmore said:

Couldn't that be accomplished under the old safe harbor that I believe is still available?

Correct.  The proposed rule is an additional method for electronic delivery, and does not replace or change current safe harbor [§ 2520.104b–1(c)]

The big difference here is that the old safe harbor is opt-in and the new safe harbor is opt-out.  

If a pdf has malware or a malicious script, does it matter whether it is emailed or downloaded from a website?  I don't think so but I'd have to consult our IT folks on that one.

The only statement that would be specific to the individual is the benefit statement.  Is there a greater risk of it ending up in the wrong hands if you email the statement or upload it in such a way that only the intended participant has access?  If you send such emails securely (encrypted emails), the risk should be about the same, but it may be more convenient to upload to a website that the participant can access.

 

 

Link to comment
Share on other sites

Yes.  Under the existing-law rule or the proposed rule, a fiduciary is at least permitted to attach a document to an e-mail.  My query was about whether there are reasons not to do so.

 

The existing-law rule allows sending communications to a work e-mail address the participant is expected to check as a part of her regular work.  It allows also using a non-work e-mail address if there is a clear affirmative consent.  What some like about the proposed regime is that an employer can give its employee an e-mail address that need not be about work.  And a participant’s assent would be inferred from the absence of an opt-out after notice. 

Under the proposed rule, an e-mail would point to a website from which the participant can retrieve the communication.

 

I think it would be better for an e-mail to have both the pointer to a website and an attachment of the communication.

 

If I were a recipient, I’d welcome the convenience of opening a document with a mouse click or two, and being spared the bother of entering a username, password, and other identifiers to go to a website, especially if I have no other purpose for using the website.

Peter Gulia PC

Fiduciary Guidance Counsel

Philadelphia, Pennsylvania

215-732-1552

Peter@FiduciaryGuidanceCounsel.com

Link to comment
Share on other sites

2 hours ago, Peter Gulia said:

If I were a recipient, I’d welcome the convenience of opening a document with a mouse click or two, and being spared the bother of entering a username, password, and other identifiers to go to a website, especially if I have no other purpose for using the website.

I agree, but if you utilize the special consolidation rule you will not be sending out a notice of availability for every notice.  You would get annual notice that you can go to this website to view and download XYZ notices.  The way I have seen this interpreted, you will not get a notice when each one is updated/posted, you would just get an annual notice that this is where you go to get this group of notices.  This will probably get some attention during the comment period though, so who knows if it will stay like this for the final rule.

§ 2520.104b–31(i) Special rule for consolidation of certain notices of internet availability.

Notwithstanding the requirements in paragraphs (d)(4)(ii) and (iii) of this section, an administrator may furnish one notice of internet availability that incorporates or combines the content required by paragraph (d)(3) of this section with respect to one or more of the following covered documents:

(1) A summary plan description, as required pursuant to section 104(a) of the Act;

(2) A summary of material modification, as required pursuant to section 104(a) of the Act;

(3) A summary annual report, as required pursuant to section 104(b)(3) of the Act;

(4) An annual funding notice, as required pursuant to section 101(f) of the Act;

(5) An investment-related disclosure, as required pursuant to 29 CFR 2550.404a–5(d);

(6) A qualified default investment alternative notice, as required pursuant to section 404(c)(5)(B) of the Act; and

(7) A pension benefit statement, as required pursuant to section 105(a) of the Act.

 

 

Link to comment
Share on other sites

10 minutes ago, Peter Gulia said:

RatherBeGolfing, thank you for your profoundly helpful thinking!

Always happy to contribute!

I know a lot of organizations are really digging into this one because of the short comment period, so it will be interesting to see what shakes out.  23 days and counting...

 

 

Link to comment
Share on other sites

On 10/30/2019 at 9:32 AM, RatherBeGolfing said:

If a pdf has malware or a malicious script, does it matter whether it is emailed or downloaded from a website? ...

It matters in that they are completely different as far as protection goes.  I would guess that most folks consider downloading to be less vulnerable because browsers have such intense scrutiny with respect to protections. Email programs are much less rigid and can therefore be abused easier.  For example, phishing is much more prevalent in email environments, although not unheard of in a browser environment.

Link to comment
Share on other sites

  • 1 year later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...