
The Department of Labor, as part of its cybersecurity initiative in 2021, published best practices and tips for fiduciaries to consider when contracting and monitoring recordkeepers and other plan service providers. The attention to cybersecurity and data privacy at the federal level has put a focus on many aspects of cybersecurity and data privacy in these agreements, as we have discussed on this blog.
More recently, several states have enacted stand-alone comprehensive data privacy laws or made significant changes to existing state comprehensive data privacy laws. ERISA plans and plan fiduciaries should be aware of these data privacy laws when contracting with vendors. Although many of these laws exclude employee data from their scope, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”), contains a number of unique contractual requirements, which could potentially apply to recordkeeping and other benefit agreements. Effective January 1, 2023, the CCPA applies to the personal information of California employees, contractors, and job applicants, although there are certain exceptions for protected health information under HIPAA or personal information subject to the Gramm-Leach-Bliley Act. On July 14, 2023, California Attorney General Rob Bonta announced an investigative sweep requesting information from certain California employers on CCPA compliance in this area. Therefore, organizations that are subject to the CCPA and have employees in California may want to consider focusing on their obligations with respect to employees.
For considerations on how these laws affect vendor agreements, please see our global privacy blog’s full analysis.
