401(k) Data Breaches Expose Regulatory Gaps for Recordkeepers

June 3, 2024, 9:05 AM UTC

A recent leak of more than a thousand Walmart 401(k) participants’ Social Security numbers underscores long-standing regulatory gaps that make it hard to hold plan service providers accountable when human error causes a breach.

The Walmart incident was the result of an employee of plan recordkeeper Merrill inadvertently disclosing the sensitive information in an email, according to a report last month from Merrill’s parent company Bank of America. It marks the latest in a long series of retirement plan breaches involving third-party service providers.

The US Labor Department’s first-and-only cybersecurity guidance for retirement plans in 2021 was aimed at its ...
