State and local governmental plans, which are excluded from ERISA, are subject to idiosyncratic legal requirements, including specific investment restrictions. These plans are also not immune to the political winds blowing in that state. Nowhere is this more apparent than recent developments out of the States of Texas and Maine with respect to fossil fuel divestment. Investment managers of any governmental plan, especially those that take environmental, social and governance (ESG) factors into account, should pay close attention to these developments. Private equity and other fund managers, for the reasons stated below, should also take note.
On June 14, 2021, Texas Governor Greg Abbott signed into law SB 13. This new law, which goes into effect on September 1, 2021, generally prohibits state governmental entities, including the Employees Retirement System of Texas and the Teacher Retirement System of Texas, from directly or indirectly holding the securities of a publicly-traded financial services, banking or investment company that “boycotts” companies that (i) explore, produce, utilize, transport, sell or manufacture fossil fuel-based energy and (ii) do not “commit or pledge to meet environmental standards beyond applicable federal and state law….” The concept of “boycott” is not limited to divestment; rather, it picks up activity that is designed to inflict economic harm on the energy company. The exercise of certain shareholder rights could possibly amount to a “boycott” of a company.
The law also generally prohibits governmental entities from contracting with a service provider unless the contract provides a written verification from the service provider that it does not boycott energy companies and will not boycott energy companies during the term of the contract. This applies to contracts entered into on or after September 1, 2021.
Fiduciaries of these Texas governmental plans remain subject to countervailing fiduciary duties under Texas law, including the Texas Constitution. The new law crucially allows for breathing space between these core fiduciary duties and the state’s interest in protecting significant portions of its economy.
The law provides that these governmental entities are not required to divest from any holdings in “actively or passively managed investment funds or private equity funds.” However, the governmental entities are required to submit letters to the managers of these funds requesting that they remove from the portfolio financial companies that the state comptroller has designated as boycotting energy companies. The Texas governmental entities will alternatively request that the managers “create a similar actively or passively managed fund with indirect holdings devoid of listed financial companies.” Investment managers should be on the lookout for these letters starting this coming Fall.
Meanwhile, in Maine, the House of Representatives recently passed a bill that calls for the divestment of fossil fuel companies by the Maine Public Employees Retirement System (Maine PERS) and other permanent state funds by 2026. As with Texas, the law is sensitive to the overriding fiduciary duties that apply to the management of these assets. An official for Maine PERS recently testified that, “[p]ermanently striking broad portions of the financial market is incompatible with earning optimal returns for member retirements, will not change corporate behavior, and may not advance the social goals sought because investments are rarely one dimensional.”
Governmental plans invested in separate accounts or commingled funds managed by an investment manager have always posed risks to that manager, as these plans are subject to their own fiduciary duties and investment restrictions. Though the state laws applicable to governmental plans may contain ERISA-like language, we caution investment managers from relying on ERISA or DOL guidance as a failsafe way to manage governmental plan assets. As evidenced from the disparate approaches the States of Texas and Maine have taken, investment managers should pay close attention to the specific rules applicable to these plans to avoid running afoul of state law. With the calls for fossil fuel divestment growing louder in some quarters, and as other ESG issues come to the fore, careful due diligence on the part of investment managers is essential.
Please contact George Michael Gerstein to discuss these matters or other due diligence issues related to governmental plans.
ERISA-covered plans have entered the digital world. As the amount of confidential information about plan participants that is stored in multiple information systems, and shared among plan service providers, increases, so, too, do the legal risks. The U.S. Department of Labor (DOL) has now made cybersecurity risk an enforcement priority; the courts have started to wrestle with whether participant data is a “plan asset.” Plan sponsors and service providers should brace themselves.
Just this past February, the U.S. Government Accountability Office (GAO) issued a report that highlighted the practice of, and risks related to, sharing personally identifiable information (e.g., a participant’s social security number, date of birth and username/password) (PII), and “plan asset data” (e.g., retirement account and bank account numbers) within the plan ecosystem. The plan sponsor’s own IT infrastructure may be vulnerable to attack or misuse. Where the plan sponsor outsources plan administrative responsibilities to a service provider, such as recordkeepers, third-party administrators and custodians, participant PII and plan asset data could be exploited if the service provider is hacked or lacks appropriate internal controls.
The report specifically noted that cybersecurity risk comes in many different flavors and from many different sources. The risk could, for example, be in the form of malware, ransomware, privilege abuse, data exfiltration and account takeover. The source of the risk could come from criminal syndicates, hackers and even an organization’s own employees.
Thus, the GAO report warned, “[t]he sharing and storing of this information can lead to significant cybersecurity risks for plan sponsors and their service providers, as well as plan participants.” Poor risk controls can lead to the leaking of usernames, passwords and social security numbers, which can lead to the unauthorized access of participant accounts, and, fatally, the illicit draining of a participant’s retirement savings. The misappropriation of participant PII or plan assets by virtue of a cybersecurity attack may not be expressly addressed in ERISA, but its effect on a participant may indeed result in “the great personal tragedy” Congress sought to prevent in enacting ERISA.1
The GAO ultimately made two recommendations: (1) the DOL should formally state whether cybersecurity for ERISA-covered retirement plans is a plan fiduciary responsibility under ERISA; and (2) the DOL should develop and issue guidance that identifies minimum expectations for mitigating cybersecurity risks to plans and the relevant service providers.
A mere two months later, the DOL issued a series of cybersecurity tips and best practices for plan sponsors, service providers and participants. Specifically:
- Tips for Hiring a Service Provider, to “[h]elp plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.”
- Cybersecurity Program Best Practices, to “[a]ssist plan fiduciaries and recordkeepers in their responsibilities to manage cybersecurity risks.”
- Online Security Tips, to “[o]ffer plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.”
Useful as the tips and practices may be, the big reveal is that the DOL indicated that ERISA’s duty of prudence encompasses “an obligation to ensure proper mitigation of cybersecurity risks.” This means that a responsible plan fiduciary, when determining whether to hire and retain a service provider, should consider the service provider’s cybersecurity risk controls, and should document such consideration as part of its overall evaluation of the service provider.
The upshot of the DOL’s April 2021 cybersecurity tips and best practices is that it puts employers on notice that both the DOL takes this seriously and that plaintiffs could attempt to use this new guidance as a basis for fiduciary duty breach claims. Moreover, service providers can expect detailed questions on cybersecurity in RFPs and RFIs. Plan sponsors will seek more transparency, whereas service providers may be reluctant to divulge too much on their cybersecurity defenses to guard against inadvertently offering up the keys to the castle. The balance of the two will become market practice.
The DOL is ramping up enforcement in this area. Plan sponsors should also gird for class-action lawsuits with allegations of breaches of ERISA’s duty of prudence when participant PII or plan asset data is misused. For these reasons, employers and plan service providers should carefully consider the DOL guidance.
A related string of litigation also poses a risk to plan sponsors and service providers. These suits argue that participant PII and plan asset data constitute “plan assets,” and that using such data for marketing purposes amounts to a breach of fiduciary duties. Some of these suits have targeted both the plan’s sponsor and recordkeeper. So far, the courts have rejected these claims.
In one case,2 plaintiffs brought an action against the plan sponsor and recordkeeper alleging that participant data (e.g., names, contact info, investment history, etc.) constituted “plan assets,” and, therefore, the recordkeeper’s purported sharing of this information with affiliates to cross-sell non-plan retail financial products to participants amounted to violations of ERISA. In granting the recordkeeper’s motion to dismiss, the court ruled that “participant data does not meet the statutory definition of ‘plan assets’….”
In a similar case,3 plaintiffs brought suit against the plan administrator alleging, inter alia, breach of fiduciary duty over the plan’s recordkeeper access to participant information (e.g., investment choice, account size, etc.) and use of that data to market products to the participants. In granting the motion to dismiss, the court stated, “[p]laintiffs cite no case in which a court has held that such information is a plan asset for purposes of ERISA….[t]his Court does not intend to be the first.” Moreover, the court rejected the argument that “releasing confidential information or allowing someone to use confidential information constitutes a breach of fiduciary duty under ERISA.”
Cybersecurity is quickly becoming an important risk area for ERISA plan sponsors. Protection of participant PII and plan asset data against privilege abuse, account takeovers and other vulnerabilities to a participant’s information and account raises the specter for DOL enforcement action and litigation. Service providers should anticipate a greater focus on their cybersecurity measures by plan sponsors and expect that such measures could be an important basis to be hired and retained as a plan service provider. Both employers and plan service providers should also consider whether it is complying with other applicable privacy laws (to the extent such laws are not preempted by ERISA).
1 Nachman Corp. v. PBGC, 446 U.S. 359, 374, 100 S. Ct. 1723, 1733, 64 L. Ed. 2d 354, 366 (1980).
2 Harmon v. Shell Oil Co., No. 3:20-cv-00021, 2021 BL 126207 (S.D. Tex. Mar. 30, 2021).
3 Divane v. Northwestern Univ., No. 16 C 8157, 2018 BL 186065 (N.D. Ill. May 25, 2018), aff’d, 953 F.3d 980 (7th Cir. 2020).
Governmental plans largely operate at the behest of their respective state legislature. It is, therefore, unsurprising that state governmental plans will take disparate approaches to ESG. Interestingly, various plans have pushed back against new legislation that requires a certain action be taken, as the case with Maine. Further complicating the analysis are state constitutional provisions that impose broad fiduciary duties, similar to those in ERISA.
The Employee Benefits Security Administration is charged with protecting the benefits of about 154 million participants in employer-sponsored...