The Department of Labor, as part of its cybersecurity initiative in 2021, published best practices and tips for fiduciaries to consider when contracting and monitoring recordkeepers and other plan service providers. The attention to cybersecurity and data privacy at the federal level has put a focus on many aspects of cybersecurity and data privacy in these agreements, as we have discussed on this blog.
More recently, several states have enacted stand-alone comprehensive data privacy laws or made significant changes to existing state comprehensive data privacy laws. ERISA Plans and plan fiduciaries should be aware of these data privacy laws when contracting with vendors. Although many of these laws exclude employee data from their scope, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”), contains a number of unique contractual requirements, which could potentially apply to recordkeeping and other benefit agreements. Effective January 1, 2023, the CCPA applies to the personal information of California employees, contractors, and job applicants, although there are certain exceptions for protected health information under HIPAA or personal information subject to the Gramm-Leach Bliley Act. On July 14, 2023, California Attorney General, Rob Bonta, announced an investigative sweep requesting information from certain California employers on CCPA compliance in this area. Therefore, organizations that are subject to the CCPA and have employees in California may want to consider focusing on their obligations with respect to employees.
For considerations on how these laws affect vendor agreements, please see our global privacy blog’s full analysis.
While we are pleased to have you contact us by telephone, surface mail, electronic mail, or by facsimile transmission, contacting Kilpatrick Townsend & Stockton LLP or any of its attorneys does not create an attorney-client relationship. The formation of an attorney-client relationship requires consideration of multiple factors, including possible conflicts of interest. An attorney-client relationship is formed only when both you and the Firm have agreed to proceed with a defined engagement.
DO NOT CONVEY TO US ANY INFORMATION YOU REGARD AS CONFIDENTIAL UNTIL A FORMAL CLIENT-ATTORNEY RELATIONSHIP HAS BEEN ESTABLISHED.
If you do convey information, you recognize that we may review and disclose the information, and you agree that even if you regard the information as highly confidential and even if it is transmitted in a good faith effort to retain us, such a review does not preclude us from representing another client directly adverse to you, even in a matter where that information could be used against you.