Data breaches at pension funds: mismanagement?

Earlier, there were serious data breaches at two other major pension funds in our country, the Pension Fund for the Metal Industry (PME) and the Pension Fund for Health Care (PFZW).

What was the problem?

At PME and PFZW, a survey was conducted by a company using certain software. The software company experienced a data breach in which data from the market survey company and its customers were leaked. These pension funds administer the pensions of thousands of participants.

Although both PME and PFZW claim that only telephone numbers, names and e-mail addresses were involved, income data, age and gender were also leaked. Participants in these pension funds have been receiving unsolicited phone calls from strangers.

At ABP, this involved mass objections to the conversion of pensions. The accrued pensions of participants and pensioners will be converted to a new, more uncertain contract. Participants are – rightly – objecting to this. The conversion will affect their rights. The legislature considered that no objection could be made to this under the Pensions Act (Pensioenwet). It is possible to object, however, under European law.

Reply all

The ABP did not address these complaints and sent a ‘reply all’ to all objectors. The data breach meant that all the objectors’ e-mails were in the public domain.

These data breaches are a very serious and obviously a major violation of privacy laws, including European privacy laws. While it’s impossible to really be protected against this kind of attack and carelessness, we are talking about pension funds in which the participants are obliged to participate and transfer a substantial portion of their salary (as much as a fifth).

Pension fund boards can certainly be blamed. They are ultimately responsible. To date, these failures have not resulted in any consequences for directors. That must and will change. In other countries, pension fund directors have resigned for the smallest mistake. Perhaps personal liability is an option. At present, directors are hiding behind the pension fund, which with assets of hundreds of billions can litigate endlessly.

It also does not bode well for data processing in the new Pension Act. Many experts – including myself – warn of the dangers involved. These data breaches do not make me any less concerned.

More information

If you would like legal advice, or have other pension-related questions, please do not hesitate to contact us.  Our experts are ready to help you.