Impact of State Privacy Laws on Vendor Agreements

The Department of Labor, as part of its 2021 cybersecurity initiative, published best practices and tips for fiduciaries to consider when contracting with and monitoring recordkeepers and other plan service providers. The attention to cybersecurity and data privacy at the federal level has put a focus on many aspects of cybersecurity and data privacy in these agreements, as we have discussed on this blog.

More recently, several states have enacted stand-alone comprehensive data privacy laws or made significant changes to existing state comprehensive data privacy laws. ERISA plans and plan fiduciaries should be aware of these data privacy laws when contracting with vendors. Although many of these laws exclude employee data from their scope, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”), contains a number of unique contractual requirements that could potentially apply to recordkeeping and other benefit agreements. Effective January 1, 2023, the CCPA applies to the personal information of California employees, contractors, and job applicants, although there are certain exceptions for protected health information under HIPAA and for personal information subject to the Gramm-Leach-Bliley Act. On July 14, 2023, California Attorney General Rob Bonta announced an investigative sweep requesting information from certain California employers on CCPA compliance in this area. Therefore, organizations that are subject to the CCPA and have employees in California may want to consider focusing on their obligations with respect to employees.

For considerations on how these laws affect vendor agreements, please see our global privacy blog’s full analysis.

Knowledge assets are defined in the study as confidential information critical to the development, performance and marketing of a company’s core business, other than personal information that would trigger notice requirements under law. For example,
The new study shows dramatic increases in threats and awareness of threats to these “crown jewels,” as well as dramatic improvements in addressing those threats by the highest performing organizations. Awareness of the risk to knowledge assets increased as more respondents acknowledged that their