Can Your Plan Records Be Hacked? Plan Fiduciaries Need to Focus on Cybersecurity
Imagine you have a plan participant who suddenly finds that $99,000 has been stolen from her account by a hacker. Her only notice was confirmations she received after the money had been stolen. Now imagine that you are that participant. These are the facts of an actual lawsuit recently filed by a plan participant who was a victim of cyber theft. The plan fiduciaries and recordkeeper refused to reimburse her losses, and her retirement account literally disappeared.
Is anyone legally responsible to make up this kind of loss? If you are a plan sponsor or other plan service provider whose systems permitted this breach, you may well be, and you need to pay attention to maintaining and improving your system’s security.
What Is the Law Today?
ERISA was enacted in 1974, well before we entered the computer age. So it should not be surprising that the law never mentions cybersecurity in its list of fiduciary responsibilities. However, that doesn’t mean that plan fiduciaries aren’t obligated to protect both plan assets and their participant data. ERISA’s fiduciary responsibilities are broad and general. We read about breaches all the time, and even though there is no general federal cybersecurity law, ERISA’s duties of prudence and loyalty may well require putting security systems in place to protect both assets and data.
Online participant imposters looking to steal individual accounts is not the only concern. For example, assets might be stolen from the plan investment manager’s account or from the plan’s trustee or custodian by hackers.
It is probably only a matter of time before court decisions and IRS and Department of Labor guidance define a fiduciary’s cybersecurity obligations and potential liability for breaches. Even a non-fiduciary, such as a recordkeeper, might be liable on various theories, including breach of contract or violation of state laws. Meanwhile, the handwriting is on the wall, and fiduciaries should not be waiting for court decisions or administrative pronouncements to take action.
What Can Fiduciaries Do?
The plaintiff in the $99,000 lawsuit identified three specific flaws in the defendant’s system. The recordkeeper didn’t appear to have two-factor authentication for account transactions. The participant wasn’t notified and asked to confirm the distribution requests before the money was paid out. No red flags went up in the system to contact the participant when the withdrawals were directed to three different banks. These steps might have prevented the breach.
Fiduciaries should consult experts to make sure their in-house systems are as secure as possible. But that is only the start of their job. Fiduciaries should also:
- Make sure their service providers’ systems are secure.
- Insist that their service provider agreements permit them to audit their service provider’s systems.
- Include specific cybersecurity obligations in their service provider agreements.
- Be careful about agreeing to service provider contract provisions that may limit their remedies if there is a security breach.
- Not assume their existing fiduciary liability policy provides cybersecurity coverage.
Since no system is completely hack-proof, it is important to check your policy terms to determine if they include cybersecurity coverage. If not, update your policy as soon as possible. The terms should also obligate plan service providers to maintain their own coverage in their service provider agreements. Having good cybersecurity coverage can protect you and your plan participants in the event of a data breach.
Carol I. Buckmann, JD is the co-founding partner of Cohen & Buckmann, P.C. (www.cohenbuckmann.com). She is one of the top-rated employee benefits and ERISA attorneys in the U.S., and deals with some of the foremost issues in ERISA, including pension plan compliance, fiduciary responsibilities and investment fund formation.
The views expressed in this article are those of the author and do not necessarily represent the views of PenChecks Trust, its subsidiaries or affiliates.