On April 14, 2021, the Department of Labor (“DOL”) issued three documents that provide cybersecurity guidance for plan sponsors, fiduciaries, recordkeepers, and plan participants. Cybersecurity has become an increasingly important topic for plan sponsors and committees, given the fiduciary requirements to act in the interest of plan participants and to prudently select and monitor service providers, in addition to general risk management considerations. While the guidance was not issued under a formal notice and comment process, it lists actions the DOL recommends that plan fiduciaries and committees take to safeguard data and monitor service providers – and potentially indicates the steps that the DOL would view as the minimum necessary to satisfy applicable fiduciary obligations.
A recently filed lawsuit against a trust company serving as a 401(k) plan trustee, the second of its kind in the last few months, highlights the need for plan sponsor diligence in protecting participant data and accounts in an increasingly electronic world. So far we have only one side of the story, the allegations in the complaint, but the trustee is alleged to have permitted a thief to withdraw almost $125,000 from the business owner’s account. According to the complaint, the request came through a phone number, an email address and a bank account that did not match those associated with the owner’s account in the trustee’s records. Several weeks passed before the trustee notified the business owner, and it did so only after it received, and this time blocked, a second fraudulent distribution request. The trust company has not yet restored the account.
An Illinois district court issued a split decision in a case involving the cybertheft of retirement plan assets, dismissing the plan administrator and plan sponsor but requiring the recordkeeper to defend allegations that it breached its fiduciary duties under the Employee Retirement Income Security Act (ERISA). Bartnett v. Abbott Laboratories, et al. (N.D. Illinois, Case No. 1:20-cv-02127) is one of several recent lawsuits filed against plan sponsors and recordkeepers for allowing cyber-thieves to pilfer large distributions from participants’ retirement plan accounts.
Heide Bartnett, a former employee of Abbott Laboratories (Abbott) and participant in Abbott’s 401(k) plan, alleges that a hacker accessed her 401(k) account online, changed the password, added a new bank account, and requested a $245,000 distribution from the 401(k) plan’s recordkeeper, Alight Solutions LLC (Alight), to be deposited into the newly added account. The imposter also called Alight several times to ask questions about the distribution.