- Retirement Clearinghouse alerted 10,500 participants
- Firm among the first to ferry assets to and from jobs
A breach of consumer data at one of the nation’s few retirement plan portability providers is raising concerns among some lawyers about the safety of offloading participant account balances and data to third-party firms.
Retirement Clearinghouse LLC announced the phishing attack last month, sending more than 10,500 letters to individual retirement account holders informing them that their names, Social Security numbers, and account IDs had been exposed.
As Congress and industry leaders modify 401(k) frameworks to better ensure workers’ benefits follow them from job to job, the latest breach is highlighting potential cyber vulnerabilities not only within the industry, but for companies that take custody of participant accounts when no one else will.
Autoportability firms that temporarily safeguard low-balance assets when workers quit their jobs are only expected to gain popularity after Congress permanently removed legal barriers for them to operate last year under the new SECURE 2.0 Act (Pub. L. No. 117-328). Benefits often go missing and fail to generate compounding interest when they’re left behind and dumped into highly conservative IRAs.
Milliman Trust Co. LLC announced its intent earlier this year to launch what could be only the nation’s second autoportability services firm. The company is expected to begin client testing the product soon.
“This is a problem that’s been percolating in the retirement system for a long time,” said Carol Buckmann, an employee benefits attorney and co-founder of the firm Cohen & Buckmann PC. “It can involve an extensive, costly search, and it may turn up no results.”
‘Lucrative Target’
Retirement Clearinghouse, or RCH, has coalesced a group of recordkeepers to participate in its Portability Services Network. Boasting names such as Fidelity, Empower, and Vanguard, the network is automatically ferrying workers’ assets between these entities as workers switch to different jobs, ensuring that benefits grow and don’t get lost over time.
The recent cybersecurity incident, however, may reveal problems lurking in a system that lets employers rid themselves of small balances and entrust them to others, particularly without the express consent of the worker beneficiary. It’s already caught the attention of at least one personal injury law firm that appears to be building a case for victims of another data breach, this one at a public teacher retirement system in California this week.
“This is an incredibly lucrative target for criminals to go after, but, absent suing the company you do or used to work for, there are few avenues participants and beneficiaries have to be repaid,” said Kelly Geary, national executive risk and cyber practice leader at EPIC Insurance Brokers & Consultants, a subsidiary of Edgewood Partners Insurance Center Inc.
The SPARK Institute Inc., which represents many of the nation’s largest 401(k) recordkeeping firms, has tapped Groom Law Group Chartered in Washington to conduct a study into the practice of recordkeepers themselves footing the bill when participant assets are stolen, said Tim Rouse, the group’s executive director.
“We’ve been taking these concerns very seriously for a number of years now,” Rouse said. “Ultimately, we want these assets to remain in the system and continue to grow, but we have to keep them safe from fraud and abuse.”
‘Not Even Close’
Autoportability firms are no more the target of bad actors than recordkeepers or employers themselves, according to RCH President, Founder, and CEO Spencer Williams. The breach his company experienced amounted to what he called a mostly unremarkable “phishing expedition,” made more serious by a partner company’s “legacy” security standards and one of his own employee’s lack of oversight.
Earlier this year, one of RCH’s 80 or so workers received a hoax email made to look like it was from
In that worker’s deleted emails was a message from a third-party administrator with an attachment that contained personally identifiable information for several thousand individual retirement account participants.
“We know they opened the email that had that attachment in it, but we have no way of knowing if they opened the attachment itself,” Williams said. “But you always have to assume that they did.”
It was that pair of mistakes—an outside company sending an un-encrypted email attachment with sensitive information, and an RCH worker failing to treat that data as a critical weak point in the overall security threshold—that allowed the breach to occur, Williams said.
Williams said the company is working with
All corporate emails have since been scrubbed of personal data, and RCH is conducting additional internal training and engaging with partners about upping their security protocols for shared data.
“At no point in time was the ability to access funds compromised,” Williams said. “It wasn’t even close.”