People are typically more worried about social media companies inappropriately sharing their personal information than they are about hackers accessing their 401(k) accounts. But the latter could have more enduring consequences.

What’s more, your plan administrator probably won’t be liable for what’s stolen, thanks to service agreements that are carefully crafted to protect against procedural lapses by third parties. That leaves either the employee or the employer holding the bag.

Who’s Responsible?

Service agreements often contain language stating that losses are reimbursable only if “occurring through no fault of your own.” Agreements also might include a requirement that the participant adhere to the administrator’s recommended security practices, and provide the administrator discretion to make a liability determination based on the unique circumstances of each case.

Unfortunately, plan participants sometimes contribute to data breaches. How? Some people are careless with plan documents, account statements and passwords. In other cases, current or former family members may be to blame.

For example, in a noteworthy 401(k) theft case, a participant moved after his divorce, but he failed to inform his employer about his change of address. Meanwhile, the participant’s ex-wife intercepted a letter sent by the plan administrator to his former address. The letter contained enough information for the ex-wife to change the account password, access the account and steal all of his retirement savings. The plan sponsor was held blameless because the participant had failed to notify the employer of his move, as required.

Safety Precautions

How can employers protect against identity theft and minimize their potential liability? Start by reviewing the rigor of your internal security procedures and those of your plan’s service providers. Service providers should generally have a Service Organization Control (“SOC”) No. 1 report, which is an examination by an independent third party over the adequacy of internal controls encompassing operations. The SOC report contains a critical section noted as Complementary User Entity Controls (CUECs). These are the controls that the employer and its employees should have in place to complement the service provider’s control and “close the loop” for the entire internal control environment.

Obtaining a SOC report, however, is only a component of what should be a robust vendor management program implemented by an employer of all its service providers. A strong program involves the continuous review of its service providers to mitigate any risks.

The employer should also have developed and implemented a cyber security program, which we have discussed in previous blogs. (Check out “Cybersecurity: It's Not Just an IT Issue” and
“What are the Two Most Essential Elements of Data Security?”) Such a program will allow the employer to identify and mitigate risks associated with its retirement plan.

Also consider holding a training session to educate employees about the risks of stolen plan data. Sharing stories of recent account breaches can help get your employees’ attention. Once they’re engaged, take the opportunity to review best practices in data security — including those recommended by your plan administrator — and required administrative procedures under your plan document.

Examples of simple precautionary measures that participants can take include:

• Using strong passwords and changing them regularly,
• Avoiding the use of the same usernames and passwords for multiple websites,
• Taking advantage of two-factor authentication whenever possible,
• Not allowing Internet browsers to “remember” login information, and
• Never sharing login information with anyone, including family members.

Advising participants on maintaining good security practices is an ongoing process. This issue needs to stay on participants’ radar, so they remain vigilant by adapting to evolving hacking threats and improvements in data security measures.

Outside Expertise

Our employee benefit plan specialists can help review the security procedures you and your plan service providers currently have in place and recommend areas of improvement. We can also conduct training sessions to help participants understand what’s at risk and how they can safeguard against hackers. Contact us for more information.