Cybersecurity: A Plan Sponsor Obligation
A recently filed lawsuit against a trust company serving as a 401(k) plan trustee, the second of its kind in the last few months, highlights the need for plan sponsor diligence in protecting participant data and accounts in an increasingly electronic world. We only have one side of the story so far, the allegations in the complaint, but the trustee is charged with permitting a thief to get almost $125,000 from the business owner’s account. This was done through phone, email and bank accounts not associated in the trustee’s records with the owner’s account. It took several weeks for the trustee to notify the business owner, and the trustee only did so when it received and prevented a second fraudulent distribution request. The trust company has not yet restored the account.
For purposes of discussion, we assume all this is true. Fine, you may say, but what does this have to do with the plan sponsor’s obligations, since it was the outside trustee who was allegedly negligent? (We use the term “plan sponsor” here to refer to the responsible plan fiduciaries.) The main reason is two overlapping fiduciary duties under ERISA. One of the duties is to protect participant data, including ensuring the plan records are kept secure, and the other is to prudently select and monitor plan service providers, like the trustee in this case. In the situation described above, the thief appears to have obtained access to the participant’s account information – presumably, through a breach in the plan information storage or communication systems – so he could steal the money.
Protection of plan and participant data involves three parties (we sometimes refer to this as the cybersecurity three-legged stool): the employer, the service providers and the participants. The plan sponsor must take steps to protect its own systems and records. A breach there could open up a plan account to theft. To the extent they maintain plan and participant data and administer or direct certain aspects of plan operation, service provider records, systems and procedures are of paramount importance, as this case shows. Participants need to exercise care in how they interact with the plan, especially if they do so through an email system or by telephone.
For both the first and the second of the three legs, the plan sponsor has a fiduciary obligation to ensure its own systems are secure and to engage and retain service providers who take cybersecurity seriously, who have systems in place to protect data (for example, dual authentication processes) and who periodically test those systems to check for vulnerabilities and ways to improve. As to the participants, the plan sponsor’s role is less fiduciary and more a product of risk management. That is, it makes sense for plan sponsors to provide employees with training on how to recognize and avoid phishing or other attempts to gain access to their personal information.
Cybersecurity is complex and we don’t mean to diminish the difficulty with this short discussion. At the same time, if what the business owner alleges is true, it is a subject that must be considered carefully, deeply and periodically, just like the selection of investments and other operational issues of the plan you sponsor.