4 February 2024

Data breaches at pension funds: mismanagement?

By Prof. Hans van Meerten

Last year there was another incident: the e-mail addresses of hundreds of ABP participants were made publicly available. ABP is the largest mandatory pension fund in the Netherlands, administering the pensions of civil servants, with estimated assets of 500 billion euros.

Earlier, there were serious data breaches at two other major pension funds in our country, the Pension Fund for the Metal Industry (PME) and the Pension Fund for Health Care (PFZW).

What was the problem?

At PME and PFZW, a survey was conducted by a company using certain software. The software company experienced a data breach in which data from the market survey company and its customers were leaked. These pension funds administer the pensions of thousands of participants.

Although both PME and PFZW claim that only telephone numbers, names and e-mail addresses were involved, income data, age and gender were also leaked. Participants in these pension funds have been receiving unsolicited phone calls from strangers.

At ABP, the incident involved mass objections to the conversion of pensions. The accrued pensions of participants and pensioners will be converted to a new, more uncertain contract. Participants are – rightly – objecting to this. The conversion will affect their rights. The legislature considered that no objection could be made to this under the Pensions Act (Pensioenwet). It is possible to object, however, under European law.

Reply all

The ABP did not address these complaints and sent a ‘reply all’ to all objectors. The data breach meant that all the objectors’ e-mails were in the public domain.

These data breaches are very serious and obviously a major violation of privacy laws, including European privacy laws. While it is impossible to be fully protected against this kind of attack and carelessness, we are talking about pension funds in which the participants are obliged to participate and to which they must transfer a substantial portion of their salary (as much as a fifth).

Pension fund boards can certainly be blamed. They are ultimately responsible. To date, these failures have not resulted in any consequences for directors. That must and will change. In other countries, pension fund directors have resigned for the smallest mistake. Perhaps personal liability is an option. At present, directors are hiding behind the pension fund, which with assets of hundreds of billions can litigate endlessly.

It also does not bode well for data processing in the new Pension Act. Many experts – including myself – warn of the dangers involved. These data breaches do not make me any less concerned.


Prof. Hans van Meerten

Lawyer

Professor Hans van Meerten is a specialist in the field of pension law, financial law and EU law.
