401(k) Data Breaches Expose Regulatory Gaps for Recordkeepers

June 3, 2024, 9:05 AM UTC

A recent leak of more than a thousand Walmart 401(k) participants’ Social Security numbers underscores long-standing regulatory gaps that make it hard to hold plan service providers accountable when human error causes a breach.

The Walmart incident was the result of an employee of plan recordkeeper Merrill inadvertently disclosing the sensitive information in an email, according to a report last month from Merrill’s parent company Bank of America. It marks the latest in a long series of retirement plan breaches involving third-party service providers.

The US Labor Department’s first and only cybersecurity guidance for retirement plans, issued in 2021, was aimed at its primary enforcement target: plan sponsors, who take on a fiduciary duty of prudence and loyalty to the participants and beneficiaries of the plans they oversee.

Yet the recent spate of 401(k) and pension data breaches reveals that third-party vendors are often solely responsible for information falling into the wrong hands. Huge recordkeepers that handle thousands of workers’ personally identifiable information and millions of dollars of assets under management can inadvertently deliver that data to bad actors with the click of a button.

These covered service providers usually write off fiduciary obligations in the contracts they sign and thus can effectively skirt direct DOL regulatory oversight.

The DOL’s message is that it remains up to recordkeepers’ plan sponsor clients to do everything they can to prevent data breaches from happening, said Joseph Lazzarotti, a principal at Jackson Lewis P.C. in Tampa, Fla., who co-leads the firm’s privacy, data, and cybersecurity practice group.

“There’s the analogy that you’re only as strong as the weakest link in the chain, and a retirement plan is like a chain,” Lazzarotti said. “There’s the employer, there’s the recordkeeper—there are all these entities that are part of that chain, and data may move from one to the next.”

The buck stops at the plan sponsor, as it always has, according to Lazzarotti. This is aligned with state and federal privacy laws that have historically treated the owners of data as responsible for its safekeeping, he said.

Filling Regulatory Gaps

Lawsuits that the DOL and plan participants have recently brought against recordkeepers such as JPMorgan and Alight Solutions are testing that theory. Fiduciary liability under the Employee Retirement Income Security Act of 1974 can extend to other parties to a retirement plan if participants can prove that those entities were exercising control over plan assets when a breach occurred.

The suit filed last month against JPMorgan alleges that the service provider failed to prevent a data breach involving personally identifiable information of approximately 451,000 participants across plans it administers for clients.

Federal courts haven’t settled the question of whether data is a “plan asset” the same way money is.

Recent resolutions in the US District Court for the Southern District of Texas and the US Court of Appeals for the Seventh Circuit rejected fiduciary claims against employers whose recordkeepers cross-sold their participants products using plan data. A similar case against Vanderbilt University’s 403(b) plan ended in a settlement that prohibited plan recordkeeper Fidelity from contacting participants about additional products.

Legal frameworks outside of ERISA leave more room for recordkeepers to be taken to task if they experience a breach. State data privacy laws force companies to inform data owners of breaches, and state and federal banking regulations can undercut companies’ licenses if they’re found negligent in a breach.

Industry standards are another less formal option. The guidance the DOL issued in 2021 was partially based on industry norms the Society of Professional Asset Managers and Recordkeepers created eight years ago, said Tim Rouse, the organization’s executive director.

“Neither the federal government nor industry are immune from cyber attacks and breaches, and we all are constantly upgrading our systems to protect against such attacks,” he said.

Cybersecurity Frameworks

Existing standards like the Securities and Exchange Commission’s Regulation S-P and the Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model offer clear technical controls that can be put in place to safeguard sensitive data, but commitment is required from information technology professionals, compliance personnel, and executives.

“I do think we need an ERISA-centered remedy here, and some ERISA-centered guidance that we’re really missing,” said Carol Buckmann, partner at Cohen & Buckmann P.C. “This has sort of been a tendency of the DOL for a while, we were getting these informal pieces of guidance, which allowed them to act quickly, but they don’t have the same force of law as regulations.”

A regulation would be ideal to provide clarity for recordkeeper and other third-party conduct when safeguarding plan participant data and assets held by a 401(k), but it doesn’t seem like a top priority for the DOL’s Employee Benefits Security Administration, she said.

“The participants of a 401(k) are the ones at risk, but the plan administrator has to be the one who bears the brunt of inherent liability,” said Brian Edelman, CEO of FCI Cyber, a cybersecurity technology company. “The message is out there that says you need to be prepared in the face of a breach, or you may as an organization be a double victim: a victim of the bad actor and a victim because you didn’t do what was right.”

To contact the reporters on this story: Ben Miller in New York City at bmiller2@bloombergindustry.com; Austin R. Ramsey in Washington at aramsey@bloombergindustry.com

To contact the editors responsible for this story: Rebekah Mintzer at rmintzer@bloombergindustry.com; Jay-Anne B. Casuga at jcasuga@bloomberglaw.com
