Reproduced with permission. Published December 12, 2019. Copyright 2019 The Bureau of National Affairs, Inc. 800-372-1033. For further use, please visit http://www.bna.com/copyright-permission-request/
$99,000 was stolen from my 401(k)—at least that is the allegation made by a plan participant in a complaint filed on Oct. 9, 2019, in the Northern District of California. The salient facts as stated in the complaint are as follows:
- Unauthorized distributions in the amounts of $37,000 and $50,000 were made from the participant’s 401(k) account in October 2016, and a $12,000 unauthorized distribution was made in September 2016.
- The participant first became aware of the October distributions when she received letters in October 2016 to confirm that the distributions had been made.
- The participant learned of the September distribution when she received her 2016 third quarter statement; she never received a confirmation letter for the September distribution.
- By the time the participant received the first confirmation letter, less than $4,000 remained in her 401(k) account.
- The distributions were sent to three different banks.
- The participant called the plan recordkeeper approximately 23 times between Oct. 24, 2016, and Jan. 2, 2017. She was told that the recordkeeper was investigating the distributions, then that the recordkeeper was unable to recover any of the withdrawn funds, and finally that she would not be made whole for her loss.
Regardless of the merits of the lawsuit or its resolution, the headline serves as a wake-up call for everyone involved in the defined contribution plan industry: regulators, plan sponsors, fiduciaries, recordkeepers, custodians, other service providers, as well as plan participants and beneficiaries. All play a role in the security of benefits.
Plan sponsors devote significant time and resources toward encouraging employees to save for retirement, to increase their savings once they are deferring into their 401(k) plans, to educate participants on investing their retirement accounts, and even on the benefits of rolling over plan benefit distributions after termination of employment. This is all well and good, yet all these efforts are for naught if retirement savings are wiped out by a hacker or identity thief. If employees do not feel their hard-earned retirement savings are secure, they will stop saving. The safety and security of plan assets should be a top priority of plan fiduciaries and service providers. The industry cannot afford to wait for a government mandate or guidance to take further action.
To date, the Department of Labor (DOL) has not issued guidance specifically on the cybersecurity risks for retirement plans, but the issue has garnered some high-level attention:
- On Feb. 2, 2019, the Senate Committee on Health, Education, Labor & Pensions, along with the House Committee on Education & Labor, sent a joint letter to the General Accounting Office (GAO) requesting that the GAO examine the cybersecurity of the private retirement system in the U.S. Noting the critical nature of the issue, the letter said that defined contribution plans are “a tempting target for criminals who could hack into plans and individual’s accounts to access information, commit identity fraud, and steal retirement savers’ nest eggs.”
- In 2017 the SPARK Institute’s Data Oversight Board established standards to help recordkeepers communicate with plan sponsors about the recordkeeper’s cybersecurity capabilities using 16 identified critical data security control objectives.
- In 2016 the ERISA Advisory Council asked the Department of Labor to provide guidance on how to evaluate cybersecurity risks for plans and recordkeepers.
The Investment Company Institute reported aggregate retirement assets in the U.S. as of June 30, 2019 amounting to $29.8 trillion. Of this, $9.7 trillion was in IRA accounts and $8.4 trillion in defined contribution plans—$5.8 trillion of the latter in 401(k) plans. Whether bank robber Willie Horton really said it or not, “that’s where the money is” and will continue to be—a great big target for cyber criminals.
Lawsuits tend to garner the attention of plan sponsors and fiduciaries, so perhaps the publicity associated with this lawsuit will prompt the entire industry to prioritize retirement plan security.
It’s important not to overlook the Health Insurance Portability and Accountability Act (HIPAA), which is instructive here, especially given plan sponsors’ familiarity with it. HIPAA established rules designed to protect the privacy and security of protected health information in group health plans, and its regulations mandate a thorough examination of the information flow and require identification of the vulnerabilities therein. It is up to each individual group health plan to determine what measures are appropriate and necessary in its own circumstances in order to maintain privacy and security. HIPAA, however, does not apply to retirement benefit plans. As important as it is to maintain the privacy and security of protected health information, it is more critical to protect retirement plan data and assets. Absent other guidance, applying the HIPAA processes by analogy is probably a good place to start—but keep in mind that HIPAA does not contain a magic bullet, nor will any targeted guidance contain a magic bullet that ensures the safety and security of retirement savings.
Modern recordkeeping systems for defined contribution plans are internet based. HR personnel and individual plan participants can access their accounts online, and account activity is driven online. Telephone voice response systems provide another technological avenue for accessing accounts and conducting transactions. The reality of electronic recordkeeping makes retirement benefits vulnerable to cybersecurity threats.
As an ERISA lawyer I’m often asked about fiduciary issues, such as: Am I a fiduciary? Who is a fiduciary? Is my service provider a fiduciary? What are the responsibilities and liabilities of a fiduciary? What are the responsibilities and liabilities of plan service providers? Nothing in ERISA imposes a specific duty to safeguard plan records and access to data. What ERISA does is impose a broad prudent man standard of care on plan fiduciaries. Surely that standard of care extends to the duty to safeguard and secure plan records and plan assets. The prudent man standard requires a fiduciary to “discharge his duties with respect to a plan solely in the interest of the participants…for the exclusive purpose of…providing benefits…with the care, skill, prudence and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims …”
Current ERISA regulations that permit the electronic disclosure of certain plan documents include a privacy standard that requires the plan administrator to take “appropriate and necessary measures reasonably calculated to ensure that the system for furnishing documents … protects the confidentiality of personal information relating to the individual’s accounts and benefits (e.g., incorporating into the system measures designed to preclude unauthorized receipt of or access to such information by such individuals other than the individual for whom the information is intended).”
Plan fiduciaries generally do a good job of implementing policies, procedures, and systems to ensure compliance with mandates as well as to ensure avoidance of prohibitions. That part is fairly easy. The difficult issues in plan administration usually fall between what is mandated and what is prohibited—which is where protecting the security of participant account information and assets falls. So, what is a prudent course of action to be undertaken by plan administrators, plan sponsors and employers? Certainly not to sit around and wait for specific guidance. In the meantime, here are a few suggestions:
- Review those dusty HIPAA privacy and security procedures with retirement plans in mind.
- Review all service provider agreements for cybersecurity provisions.
- Talk with service providers about their cybersecurity measures currently in place as well as plans to improve those measures.
- If necessary, amend service provider contracts to reflect cybersecurity obligations.
- Monitor service providers to ensure they are keeping up with security technology.
- Require that service providers maintain cyber insurance to cover losses in the event of a breach.
- Review fiduciary insurance policies to ensure cybersecurity issues are covered and add cyber insurance if not covered.
- Institute new procedures designed to prevent unauthorized access to plan and participant records, no matter the form in which the records are maintained.
- Institute new procedures designed to prevent unauthorized transaction activity, regardless of the manner in which the activity is directed.
The above steps are directed at the employer/plan sponsor/plan administrator (generally the same entity), as they are the first line of defense and where the buck stops. These steps apply equally, if not more so, to service providers, recordkeepers, and custodians, because they are more likely to have the primary day-to-day responsibility for plan records and assets, and their systems maintain these records.
Plan participants and beneficiaries are not absolved of responsibility, as phishing schemes are another avenue for criminals to gain access to participant accounts. Participants and beneficiaries are not powerless—they can:
- Regularly check their account to ensure there has been no unauthorized activity.
- Question any activity they do not understand, or they do not recall authorizing.
- Create strong passwords.
- Keep contact information up to date.
Don’t wait for the regulators, don’t wait for case law, don’t even wait for legislation. If a company thinks it important enough to offer a 401(k) plan to its employees or to provide services to these plans, does it not, at the very least, have a moral obligation to ensure benefits are secure? If unable or unwilling to do so, then it is time to get out of the business.