carol@cohenbuckmann.com
ERISA was enacted before the computer age, and it has never been amended or interpreted to impose a specific duty on plan fiduciaries to maintain appropriate cybersecurity protections. However, fiduciaries should not have their heads in the sand about this issue. The duties of prudence and loyalty will likely be interpreted to include a responsibility to keep plan assets safe from hackers. A lawsuit recently filed against Estee Lauder Inc, its 401(k) plan committee, recordkeeper and custodian highlights some security flaws in plan distribution procedures and has the potential to make new law in this area.
The plaintiff in this case is suing because she lost $99,000 when a hacker obtained 3 unauthorized distributions from her account. She maintains that she only found out about the transactions from statements she received after the money had been transferred out by wire to three different banks. Neither the plan sponsor nor the recordkeeper processing plan distributions accepted responsibility for this breach. They refused to reimburse the participant for her losses.
How Did This Happen?
The system in place apparently did not include the simple step of sending an e-mail to the participant notifying her of the requests before paying the money out. We get these notices all of the time when we request password changes to our accounts and they are in the nature of: “Someone just requested a password reset for your account. If this was not you, please contact us immediately.” It also does not appear that the system had two-factor authentication, which has become increasingly common. In addition, the request to send the money to 3 different banks should have raised red flags that led to asking for confirmation from the participant. These simple steps might have prevented thefts from the participant’s account.
The defendants have apparently taken the position that they have no responsibility for this loss despite what appear to be gaps in the security system. The complaint does not indicate whether they have cybersecurity insurance in place, but this is something I strongly recommend to all of my clients and could have provided coverage for these losses.
Where Do We Go From Here?
It doesn’t seem likely that a court will hold that this participant must bear the entire cost of the security breach even though she had no role in causing it. Fiduciaries should expect that the court is likely to find the duty to keep plan assets secure to be a part of current fiduciary obligations. Failure to make good on these losses could also be viewed as an improper forfeiture of a vested benefit, calling the plan’s qualification into question. If there is no cybersecurity insurance coverage payment to be passed on, it appears likely that one or more of the defendants will be directed to reimburse the participant’s account for the losses.
It would be helpful if the Department of Labor and the Internal Revenue Service issued specific guidance in this area. For example, the Department of Labor could issue FAQs on the specific cybersecurity responsibilities of fiduciaries and the IRS could establish a procedure for correcting this type of loss under the Voluntary Correction Program (VCP) or in a ruling. In the meantime, this lawsuit is a wakeup call for plan fiduciaries who have been ignoring cybersecurity issues. They should view themselves as having an obligation to insure that their vendors’ security procedures as well as their own provide adequate protection for plan assets.