The Department of Labor recently posted the report of the ERISA Advisory Council on Privacy and Security Issues Affecting Employee Benefit Plans. The report contains some good due diligence questions for plan sponsors to ask their service providers about the privacy and security of personally identifiable information (PII), especially for retirement plans. While banks and other financial institutions are bound by certain federal laws to protect PII (e.g., under the Gramm-Leach-Bliley Act), third-party administrators (TPAs) not associated with financial institutions may not be subject to comprehensive regulations in this area.
Plan sponsors looking for general information and some resources on this topic may find the report of interest.