University of Miami Law Review


Gregg Moran


Although the drafters of the Employee Retirement Income Security Act of 1974 (“ERISA”) likely could not have anticipated the data security issues of the twenty-first century, ERISA’s duty of prudence almost certainly requires employee benefit plan fiduciaries to protect sensitive participant data in at least some manner. This Article suggests the Department of Labor should issue a regulation clarifying fiduciaries’ data security obligations. Given that fiduciaries are in the best positions to recognize their plans’ individual security needs and capabilities, the regulation should not attempt to micromanage fiduciaries’ substantive data security policies; rather, it should focus on the procedures by which they adopt their substantive policies. In addition to promoting specially tailored policies for protecting sensitive participant data, this regulation would resolve much of the confusion surrounding the application of ERISA to the data security field