
DOL eDisclosure regs


So I'm just curious, not being even remotely tech-savvy by today's standards. Let's say you (plan sponsor, and/or recordkeeper/TPA in conjunction with plan sponsor) decide to avail yourself of these new regs. Does it open up big potential holes for a breach of security, when a gazillion participants are receiving e-mails stating that their statements are available, and providing a hyperlink or instructions, etc. on how to access them? A lot of participants have internet access that isn't as secure as perhaps what they have at work, and it may be easier for passwords to get stolen, ghosted, whatever?

It just seems like in a general way, the more things are done via internet-based applications, the more potential security breaches come into play. Just wondering what folks think about this aspect, entirely aside from whether the process is better/worse/indifferent from an administration viewpoint.


Belgarath, I think you’re right to see a risk; but the required analysis is not different from everything a fiduciary must consider.

Following 29 C.F.R. § 2520.104b-31 treats a retirement plan’s administrator as having furnished the covered document. It does not excuse or relieve anything else.

ERISA requires a fiduciary to use at least as much care, skill, caution, and diligence as would be used by someone who is “familiar”—that is, experienced—with the needs of a similar retirement plan and with the fiduciary’s role in serving such a plan.

If a prudent-expert fiduciary would consider the risks you mention, an administrator must consider those risks.

Yet, a fiduciary may (and often must) consider many factors, which might include managing plan-administration expenses.

A fiduciary might find the potential advantages of a default-electronic-disclosure regime outweigh the potential harms.

In some circumstances, nudging use of electronic systems might help improve security. Some service providers use records about when, from which internet service provider and connection, and which computer equipment an individual has accessed the plan’s website. A lack of such a baseline about what’s expected from the individual might make it easier for an impostor to get through with fewer challenges and weaker controls. An individual who has never used the computer system might suffer the weakest controls.

If an administrator starts a default-electronic-disclosure regime, it might in the initial notice (which must include the individual’s specified electronic address the administrator will use) explain security risks so the individual has that information before she decides whether to allow the electronic regime.

Beyond risks from the individuals, a fiduciary must consider the controls and security of the recordkeeper’s and other service providers’ systems, again using at least as much care, skill, caution, and diligence as would be used by someone who is experienced in managing the needs of a similar retirement plan.

Peter Gulia PC

Fiduciary Guidance Counsel

Philadelphia, Pennsylvania



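The reply above describes a control some recordkeepers use: a per-participant baseline of past successful logins (network/ISP and device), against which a new login is compared, with the weakest position being a participant who has no history at all. The sketch below is an added illustration of that idea, not code from any poster, recordkeeper, or plan; the login history, the ISP and device labels, the `MIN_HISTORY` threshold and the risk weights are all constructed here for the example.

```python
"""Baseline-driven login risk assessment (illustrative, constructed data).

Idea: a login that matches what the participant has done before is low risk;
a new device or new network raises the risk and earns a step-up challenge;
a participant with no established history gets the strongest challenge,
because the system has nothing to compare against.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class LoginEvent:
    """One recorded login (constructed; real records would be richer)."""
    user: str
    isp: str         # internet service provider / network label recorded at login
    device_id: str   # device fingerprint or bound-cookie identifier
    success: bool


@dataclass(frozen=True)
class Attempt:
    """A login attempt to assess before it is allowed."""
    user: str
    isp: str
    device_id: str


@dataclass
class Baseline:
    """What is 'expected' for one participant, learned from past successes."""
    isps: Set[str] = field(default_factory=set)
    devices: Set[str] = field(default_factory=set)
    count: int = 0


# Assumed threshold: fewer than this many successful logins is "no baseline".
MIN_HISTORY = 3
# Assumed risk weights: an unknown device is treated as more suspicious than
# an unknown network, since home/mobile networks legitimately change.
WEIGHT_NEW_DEVICE = 2
WEIGHT_NEW_NETWORK = 1


def build_baselines(history: List[LoginEvent]) -> Dict[str, Baseline]:
    """Fold successful logins into per-user baselines; failures are ignored."""
    baselines: Dict[str, Baseline] = {}
    for ev in history:
        if not ev.success:
            continue
        b = baselines.setdefault(ev.user, Baseline())
        b.isps.add(ev.isp)
        b.devices.add(ev.device_id)
        b.count += 1
    return baselines


def assess(attempt: Attempt, baselines: Dict[str, Baseline]) -> Tuple[str, List[str]]:
    """Return (decision, reasons) for an attempt.

    decisions: 'allow', 'allow_notify' (allow but tell the participant),
               'step_up' (require a second factor), 'strong_challenge'
               (no baseline exists, so apply the strictest verification).
    """
    reasons: List[str] = []
    b = baselines.get(attempt.user)
    if b is None or b.count < MIN_HISTORY:
        reasons.append("no established baseline for this participant")
        return "strong_challenge", reasons

    score = 0
    if attempt.device_id not in b.devices:
        score += WEIGHT_NEW_DEVICE
        reasons.append("unrecognised device")
    if attempt.isp not in b.isps:
        score += WEIGHT_NEW_NETWORK
        reasons.append("unrecognised network")

    if score >= WEIGHT_NEW_DEVICE:
        return "step_up", reasons
    if score > 0:
        return "allow_notify", reasons
    return "allow", reasons


# Constructed sample history: alice has a real baseline, bob barely any, carol none.
HISTORY: List[LoginEvent] = [
    LoginEvent("alice", "ISP-A", "dev-1", True),
    LoginEvent("alice", "ISP-A", "dev-1", True),
    LoginEvent("alice", "ISP-B", "dev-1", True),
    LoginEvent("alice", "ISP-A", "dev-1", False),   # failure: not part of baseline
    LoginEvent("alice", "ISP-A", "dev-1", True),
    LoginEvent("bob", "ISP-Z", "dev-7", True),
]
BASELINES = build_baselines(HISTORY)

if __name__ == "__main__":
    for a in (Attempt("alice", "ISP-A", "dev-1"), Attempt("alice", "ISP-C", "dev-1"),
              Attempt("alice", "ISP-A", "dev-9"), Attempt("bob", "ISP-Z", "dev-7"),
              Attempt("carol", "ISP-A", "dev-1")):
        print(a.user, assess(a, BASELINES))
```

The point the reply makes shows up in the last two cases: `bob` and `carol` both land on the strongest challenge, not because anything looks wrong, but because there is no history to say what "right" looks like for them. That is the argument for getting participants to establish a baseline early, and for the initial notice explaining what the participant should expect.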
