Plan sponsor employers and employees participating in 401(k) or other retirement plans should be aware of cybersecurity breaches and unauthorized plan distributions.
Vigilance is even more critical in light of the recent CARES Act, which permits early retirement distributions without penalty for plan participants affected by the Covid-19 pandemic.
The heightened volume of plan distributions, coupled with the increased risk inherent in electronic communications and the “new normal” of working remotely, increases the exposure of participants’ highly confidential personal data to cybercriminals.
Plan Sponsor Liability
Under privacy and data-security laws, the responsibility for the proper collection, storage, and use of plan participants’ personally identifiable information (PII) rests with the employer plan sponsor or trustees in the case of a multi-employer plan.
While financial responsibility for failure to comply with data protection and privacy laws can be shifted by contract to a third-party vendor (e.g., a plan administrator), legal liability to an individual whose PII has been improperly collected, stored, used, or transferred remains with the plan sponsor.
Thus, in view of ERISA’s strict fiduciary requirements, a court may find that the plan sponsor has a fiduciary duty to protect participants’ PII, grounded in its fiduciary duty to ensure that the plan is being prudently administered. Under ERISA, any finding that plan fiduciaries breached the applicable standard of care may result in personal liability for losses attributable to that breach.
Litigation against an employer and plan administrator for 401(k) plan distribution fraud was settled in March (Naomi Berman v. Estee Lauder Inc. (USDC, N.D. Cal.) Case No. 3:19-cv-06489, filed 10/9/19).
Terms of the settlement were not disclosed. According to the complaint, numerous security lapses resulted in the failure to identify and halt suspicious distribution requests and to confirm authorization for distributions with the plan participant before making distributions.
Another employer and the same plan administrator are currently in litigation with a participant in an Illinois district court for 401(k) plan cyber fraud (Barnett v. Abbott Laboratories, Illinois Northern District Court, 1:20-cv-02127, filed 4/3/2020).
According to the complaint, an unknown user accessed the participant’s account online, changed the password, and initiated a transfer to a new bank account. The participant further alleged that her employer and the plan administrator ignored basic security protocols in their interactions with the fraudster, from failing to enforce a security question routine to giving out her complete home address over the phone.
Plan Administrator and Custodian Liability for Cybersecurity Theft of Participant Accounts
In Pennsylvania, a participant sued his 401(k) plan, the plan administrator, and the custodian in federal district court for breach of fiduciary duty under ERISA, claiming that they failed to establish prudent procedures to protect the plan and its participants from cybersecurity theft (Leventhal v. MandMarblestone Grp. LLC).
According to the complaint, subsequent to a participant withdrawal of $15,000 from his plan account “unknown criminals” obtained a copy of the participant’s original withdrawal form by using an “unknown method of cyber-fraud possibly relating to the electronic transmission of that form.”
Thereafter, these criminals “posed electronically” as the participant’s office administrator and sent fraudulent withdrawal forms to the plan administrator and custodian requesting the transmittal of funds to a bank account that did not belong to the participant. As a result of the fraudulent withdrawal requests, the participant’s account in the plan was depleted of $400,000.
The district court concluded that the plan administrator is a fiduciary primarily because it was explicitly designated as the “named fiduciary for purposes of ERISA” in the plan administration agreement. The court also decided that the custodian is a fiduciary since the agreement provided it with “general administrative responsibilities” that included the ability to dispose of plan assets which is distinguishable from a bank that only receives deposits for the plan.
The district court then found that the plan administrator and custodian breached their fiduciary duties to plan participants by failing to act with the requisite prudence and diligence when they saw the “peculiar nature” and high frequency of the withdrawal requests.
In so holding, the court rejected the argument that the agreement’s provisions disclaiming liability precluded recovery for breach of fiduciary duty, since such waivers of fiduciary duty are prohibited by ERISA.
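The failures alleged in Barnett (password reset followed by a transfer to a never-before-used bank account, with no security-question routine) and in Leventhal (a run of forged withdrawal forms of a “peculiar nature” and high frequency) are the kind of signals a plan administrator’s distribution workflow can check mechanically before money moves. The following is an added illustration by the editor, not code from any party to these cases or from any recordkeeper. The data model, the 30-day credential-change window, the three-requests-per-90-days threshold, and all sample requests are constructed assumptions chosen to mirror the fact patterns described above; a real system would tune them to its own volumes and would record out-of-band confirmation with the participant before releasing funds.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

# Constructed thresholds (assumptions, not from the cases or DOL guidance).
CREDENTIAL_CHANGE_WINDOW = timedelta(days=30)   # password/contact change shortly before payout
FREQUENCY_WINDOW = timedelta(days=90)           # window for counting withdrawal requests
MAX_REQUESTS_IN_WINDOW = 2                      # more than this in the window is "high frequency"


@dataclass
class Request:
    account_id: str
    requested_on: date
    amount: float
    dest_bank_account: str        # identifier of the payout destination (tokenized in practice)
    participant_confirmed: bool   # out-of-band confirmation with the participant recorded?


@dataclass
class AccountHistory:
    verified_bank_accounts: Set[str]           # destinations previously confirmed by the participant
    last_credential_change: Optional[date]     # most recent password / e-mail / address change
    prior_requests: List[Request]              # earlier withdrawal requests on this account


def risk_flags(req: Request, hist: AccountHistory) -> List[str]:
    """Return the list of red flags for a distribution request (empty list = none)."""
    flags = []
    # Barnett pattern: payout to an account the participant never verified.
    if req.dest_bank_account not in hist.verified_bank_accounts:
        flags.append("new_destination")
    # Barnett pattern: credentials or contact details changed just before the request.
    if hist.last_credential_change is not None:
        since_change = req.requested_on - hist.last_credential_change
        if timedelta(0) <= since_change <= CREDENTIAL_CHANGE_WINDOW:
            flags.append("recent_credential_change")
    # Leventhal pattern: an unusual burst of withdrawal requests on one account.
    recent = [r for r in hist.prior_requests
              if timedelta(0) <= req.requested_on - r.requested_on <= FREQUENCY_WINDOW]
    if len(recent) + 1 > MAX_REQUESTS_IN_WINDOW:
        flags.append("high_frequency")
    # Both complaints: no independent confirmation with the participant before paying out.
    if not req.participant_confirmed:
        flags.append("no_participant_confirmation")
    return flags


def disposition(flags: List[str]) -> str:
    """Hold any flagged request for manual verification; release only clean ones."""
    return "HOLD_FOR_VERIFICATION" if flags else "RELEASE"


def demo():
    """Run three constructed scenarios and return {name: (flags, disposition)}."""
    today = date(2020, 3, 10)
    scenarios = {
        # Routine request to a previously verified account, confirmed with the participant.
        "legitimate": (
            Request("acct-1", today, 15000.0, "bank-1111", participant_confirmed=True),
            AccountHistory({"bank-1111"}, date(2019, 6, 1), []),
        ),
        # Barnett-like: password changed three days earlier, payout to a new account, unconfirmed.
        "account_takeover": (
            Request("acct-2", today, 245000.0, "bank-9999", participant_confirmed=False),
            AccountHistory({"bank-1111"}, date(2020, 3, 7), []),
        ),
        # Leventhal-like: third forged withdrawal form within weeks, all to an unverified account.
        "repeated_forged_forms": (
            Request("acct-3", today, 150000.0, "bank-9999", participant_confirmed=False),
            AccountHistory({"bank-1111"}, None, [
                Request("acct-3", date(2020, 2, 20), 125000.0, "bank-9999", False),
                Request("acct-3", date(2020, 3, 1), 125000.0, "bank-9999", False),
            ]),
        ),
    }
    results = {}
    for name, (req, hist) in scenarios.items():
        flags = risk_flags(req, hist)
        results[name] = (flags, disposition(flags))
    return results


if __name__ == "__main__":
    for name, (flags, decision) in demo().items():
        print(f"{name:24s} {decision:22s} {flags}")
```

The point of the exercise is not the particular thresholds but that each control the complaints say was missing (known-destination check, change-then-withdraw correlation, frequency review, participant confirmation) is a cheap, deterministic gate, and that a flagged request stops rather than proceeds by default.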
The DOL ERISA Advisory Council recommends that due diligence about plan data security in the selection and monitoring of service providers (especially plan administrators) should include at least the following topics:
- What are the service provider’s processes and systems for dealing with cybersecurity threats and protection of personally identifiable information?
- Is there a privacy and security policy, and does the policy apply to data held by benefit plans?
- Is the policy clear with respect to storing personally identifiable information on laptops and portable storage devices? What is that policy?
- Is advanced authentication used? Can the service provider explain the process? Can you explain it?
- Are technology systems regularly updated?
- Does the service provider have policies on storing personally identifiable information including where it is stored, how long it is stored, and how it is eliminated?
- Are all personnel who come in contact with personally identifiable information trained on adequate protection of the information?
- Does the provider carry cybersecurity insurance?
- Has the provider experienced any security breaches?
Fulfillment of the fiduciary duty to monitor will help plan fiduciaries meet their obligation of procedural prudence under ERISA. Monitoring of the cybersecurity controls of third-party service providers, particularly the plan administrator, should occur on a regular basis and should be documented and involve experts if necessary (e.g., a periodic assessment conducted by counsel).
The plan fiduciaries should also make informed and reasoned decisions based on information they gather through monitoring activities.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Jeffrey D. Mamorsky is co-chair of the Global Benefits & Compensation Practice and co-chair of the Labor & Employment Practice’s ERISA & Employee Benefits Litigation group at Greenberg Traurig LLP. He concentrates his practice in the areas of compensation and employee benefits law.