Website Privacy a Fresh Concern for Plans

By ASPPA Net Staff • September 30, 2015
ERISA does not preempt the application of all federal laws and regulations to retirement plans — and that includes website privacy standards set by the Federal Trade Commission.

In a recent post on his Business of Benefits blog, Robert Toth, Principal at Toth Law, discusses a recent court ruling on website privacy policies and cybersecurity that serves as a reminder of the importance of addressing these matters and complying with applicable rules.

Toth writes that it now appears that the federal courts will recognize the FTC’s authority to regulate website privacy and cybersecurity. He points out that the Federal Trade Commission Act forbids “unfair or deceptive acts or practices in or affecting commerce,” such as a practice that causes or is likely to cause substantial injury to consumers and that they cannot avoid, regardless of any beneficial effects that practice may have for consumers or competition.

Toth notes that in Federal Trade Commission v. Wyndham Worldwide Corporation (No. 14-3514, Aug. 24, 2015), Wyndham was accused of failing to adopt adequate information security policies and procedures, not using “readily available security measures” to limit access between its corporate networks, and failing to take reasonable steps to detect and prevent unauthorized access to its network. The 3rd U.S. Circuit Court of Appeals ruled that Wyndham misrepresented its security practices in its privacy policy and that it “unreasonably and unnecessarily” exposed consumers’ electronic data to unauthorized access and theft.

The upshot, Toth says, is that a company should be aware of and follow what its privacy policy says, and consider adopting reasonable cybersecurity practices.