Participants whose 401(k) plan accounts are stolen by criminals may never recover their lost benefits. I have previously written about lawsuits against Estee Lauder, Colgate Palmolive, and others in which participants sued to recover substantial lost retirement savings. There is no federal law guaranteeing these benefits, or even requiring that parties who deal with retirement plan data maintain cybersecurity insurance. Criminal charges may be filed if benefits are stolen, but are unlikely to result in recovery. Plan sponsors, recordkeepers and the government can and should do more to protect retirement savings from cybertheft.
ERISA Claims Face Hurdles.
Although fiduciaries have responsibilities under ERISA to protect plan benefits and data, it is not clear what they must do. Covered welfare plans are subject to HIPAA’s privacy and security rules as a floor of protection, but there are no laws or regulations mandating the minimum steps that 401(k) and other retirement plan fiduciaries must take to protect plan assets and data. The Department of Labor has provided very helpful guidance for plan sponsors and recordkeepers on best cybersecurity practices, but these are not binding.
In the absence of clear rules and binding guidance, a court faced with a claim by a participant whose benefits were stolen will inquire into the facts and circumstances. This inquiry may or may not end in a determination that there has been a breach of fiduciary responsibility and a fiduciary obligation to restore the loss. Different courts might come to different conclusions on similar facts. Further, recordkeepers have been the source of recent breaches. Traditionally courts have not viewed their services as fiduciary in nature, although in a recent decision involving Paula Disberry and Colgate Palmolive (2022 BL 452922, S.D.N.Y., Dec. 19, 2022), the claim that a recordkeeper who sent her benefits to an imposter was a functional fiduciary survived a motion to dismiss. To make matters worse, a plan’s required ERISA bond provides recovery only in the case of fraud or embezzlement by plan fiduciaries and fund handlers, and not for losses due to fraud by unrelated parties.
Can state laws fill this vacuum?
The judge in the lawsuit involving Paula Disberry suggested that the plaintiff should have brought state law negligence claims, and it would be appropriate to add such claims in suits against recordkeepers. However, state law claims will vary from state to state, and reliance on them, even if successful, will not result in uniform treatment of participants who are victims of cyberfraud.
Widespread Data Breaches Spotlight Another Risk.
Plan data is valuable in its own right. In recent days, the news has carried stories of major data breaches at CALPERS covering over 70,000 participants, as well as a breach of participant data at auto-portability provider Retirement Portability Network. These breaches put participants at risk that their data will be used by criminals to engage in other types of identity theft, such as opening credit card accounts or claiming unemployment or other benefits in their name.
California retirees have sued the service provider whose system was breached under various California statutes (Berry v. Pension Benefit Information LLC, N.D. Cal., June 30, 2023). Note that ERISA doesn’t cover state government plans, though state law may impose similar obligations on those who run the plans. It is interesting to note that the plaintiff did not name CALPERS or its employees as defendants.
In the data cases, the companies paid for credit reporting services for affected participants, but is that enough? The ERISA Advisory Council has heard testimony from industry stakeholders and others about the dangers of these data breaches. There are no ERISA regulations for reporting such a breach when HIPAA does not apply, and if there is a time gap between the breach and the time affected participants are notified, there will be a period in which participants don’t even know that they should be monitoring their accounts.
What Resources Are Available to Protect Participants?
Plan fiduciaries can:
Investigate a recordkeeper’s cybersecurity practices and procedures, and whether it has third-party audits of its systems, both before hiring a provider and on an ongoing basis. Make sure the vendor uses two-factor authentication or more robust login security.
Maintain adequate cybersecurity insurance. Head of EBSA Lisa Gomez recently advised all plan sponsors to maintain cybersecurity insurance. Some consultants advise that the appropriate amount is “as much as you can afford.”
Investigate the insurance coverage of service providers.
The largest recordkeepers may offer some form of cybersecurity warranty. Choosing a recordkeeper that provides a warranty is helpful, but these warranties have coverage limits and exclusions that should be reviewed.
Negotiate indemnification provisions covering at minimum hacks due to the provider’s negligence or willful misconduct.
Ask about past breaches, how soon plan sponsors were notified, and how they were handled.
Be familiar with the Department of Labor’s Best Cybersecurity Practices guidance. These are tips, not legal guidance, but they are a roadmap of steps it is advisable to take.
Know that employee training is crucial. Recent cases have involved situations in which recordkeeper employees have assisted criminals in changing account passwords and mailing addresses for distribution checks. Sponsors should ask about the training every vendor with access to plan data provides, and train their own employees with access to data as well.
Have regular third-party audits of their own systems.
Plan sponsors should also consider suing recordkeepers under the terms of their service contracts on behalf of the participant when there is a breach due to their negligence or willful misconduct. Plan sponsors are direct parties to these contracts; participants are not.
We Need Federal Solutions.
The lack of clear rules about the responsibilities of those who handle plan assets and plan data puts participants at risk. This is a problem crying for a federal solution. Here are some suggested changes for agency and/or Congressional action:
Require plan recordkeepers to maintain a minimum level of cybersecurity insurance.
Require plan sponsors or recordkeepers to replace stolen benefits when the participant was not a party to the loss by, for example, sharing passwords or not using available multi-factor authentication.
Extend HIPAA-like obligations to keep data secure and private to retirement plans.
Require all recordkeepers to have their systems audited by third parties on a regular basis.
Require the Department of Labor to develop model cybersecurity language for retirement plan service agreements. This would be particularly helpful for smaller plan sponsors without outside ERISA counsel.
Amend ERISA to provide for federal insurance to guarantee lost benefits not reimbursed through other means. This could be funded by an annual premium payable by covered plan sponsors.
Participants need to save more to help close our national retirement savings gap. If participants have no clear recourse if their benefits or data are stolen, it is likely to discourage plan participation and ultimately impact retirement readiness.