Benefits lawyers are trying to determine how new identity theft rules labeled the “Red Flags Rule” will impact employee benefit plans. To get familiar with the rules generally, you can go to the Federal Trade Commission’s Red Flags website here. Published articles, which you can access here, include “What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft,” as well as similar ones for telecom companies and utility companies, but there is nothing yet regarding employee benefit plans.
A number of law firms have posted analyses of how the rules impact employee benefit plans, including this one by Pillsbury here. However, White & Case has had some ongoing discussions with the FTC and has posted its findings here and here.
Regardless of what the FTC has to say about this, many practitioners would argue that plan fiduciaries generally have duties to protect participant information under ERISA’s fiduciary rules. Thus, the FTC’s rules might serve as a starting place to assist fiduciaries in building some processes and procedures into their current systems to protect plan participants and beneficiaries against identity theft.