With more and more retirement plan services moving online, a recent case arising in the U.S. District Court for the Southern District of New York, Giannini v. Transamerica Retirement Solutions, LLC (“Giannini”),[1] highlights the importance of cybersecurity and anti-fraud considerations for plan fiduciaries and service providers alike.
In Giannini, the plaintiff was a retirement plan participant who filed suit in a proposed class action against Transamerica Retirement Solutions, a third party administrator/recordkeeper, after the company notified him of a data breach exposing the plaintiff’s personally identifiable information (“PII”). The plaintiff alleged that the breach occurred because unauthorized parties were able to access PII due to a Transamerica system configuration change, which left sensitive information such as social security numbers and retirement fund contribution amounts exposed. The plaintiff also alleged this data breach affected over 11,000 retirement plan beneficiaries and caused spam emails, spam calls, fraudulent credit card and bank account inquiries, and fraudulent purchases made in his name.
The plaintiff brought claims for negligence, breach of contract, breach of implied contract, breach of fiduciary duty (though not under the Employee Retirement Income Security Act of 1974 (“ERISA”)), and other violations of state business laws, alleging that Transamerica failed to exercise reasonable care in securing and safeguarding PII. Transamerica moved to dismiss, arguing that the plaintiff had no standing because, in actuality, there had been no hack and no resulting misuse of the plaintiff’s data. Instead, Transamerica stated in its motion to dismiss that there was a “coding error” that meant that the plaintiff’s retirement plan and tax information may have been accessed by administrators for plans other than the plaintiff’s. Based on this error, Transamerica argued that it is not plausible that it caused the harm claimed by the plaintiff. Ultimately, the plaintiff voluntarily dismissed his suit.
Although plaintiff’s proposed class action did not involve ERISA claims, it is entirely conceivable that he could have styled his suit as an ERISA class action with claims against Transamerica (to the extent that he alleged Transamerica served as a functional fiduciary to the plan), and even against the fiduciary committee overseeing the plan for failure to monitor Transamerica adequately (even if Transamerica were found not to have been a fiduciary). This illustrates the need for fiduciaries, service providers, and even recordkeepers to institute policies and procedures meant to protect plan assets from fraud and cybersecurity risks.
The claims in Giannini, as in the case of many other claims brought against plan fiduciaries and service providers, dovetail with the Department of Labor’s increasing focus on cybersecurity to protect plan participants from fraudulent account activity and highlight the importance of the issue. In light of that case and the DOL’s stated interest in cybersecurity issues, there are a few steps that fiduciary committees and service providers should consider taking:
- The DOL has published “Tips for Hiring a Service Provider with Strong Cybersecurity Practices.” Plan fiduciaries should familiarize themselves with these tips, and service providers would be well-advised to review them too.
- Fiduciary committees should be sure to ask all current service providers about their procedures for monitoring cybersecurity and potential fraud and should include questions about cybersecurity procedures in RFPs, and should require notice of any cybersecurity breach suffered by the service provider even if not related to the committee’s plan. Fiduciary committees should also inquire into a service provider’s history with cybersecurity issues and learn how any past issue was resolved.
- Fiduciary committees may also want to require service providers to maintain cyber liability insurance in the case of cybertheft.
- Fiduciary committees should monitor service providers on an ongoing basis by requesting information on any updated cybersecurity procedures, and they should document having made these inquiries (for example, in minutes of fiduciary committee meetings).
- Fiduciary committees may also consider instituting policies and procedures memorializing when and how they will monitor service providers.
- Fiduciary committees should carefully review the indemnity provisions in the applicable service agreement to ensure that cybersecurity breaches are covered and that the plan and its participants have adequate remedies in the event of a breach.
- Recordkeepers should consider instituting advanced security measures to protect participant accounts, such as two-factor authentication for accessing online account information and passwords that must be supplied before account information is provided over the phone.
- Recordkeepers should be on the lookout for “red flags” such as frequent failed attempts to log onto a participant’s account, a sudden change of address followed by a distribution request, etc.
- Recordkeepers may wish to institute procedures providing for a delay between the time a participant changes his contact information on file and the time the recordkeeper processes a distribution, and then ensure that its employees follow that procedure.
- Recordkeepers generally take the position that they are not a fiduciary to the plans they serve; nevertheless, they should also be aware of the possibility that they could be held liable for theft of plan assets either as a functional fiduciary under ERISA or under a state law theory.
- Both recordkeepers and fiduciary committees should consider maintaining protocols for handling cybersecurity issues.
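The red-flag and hold-period controls described in the recordkeeper bullets above, as a constructed Python detector run over a handful of made-up account events (an added example, not part of the original post or of any Transamerica or DOL material; the seven-day hold, the five-failures-per-hour threshold, the event format and the participant IDs are all assumptions):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

HOLD_PERIOD = timedelta(days=7)          # assumed hold between contact change and payout
FAILED_LOGIN_THRESHOLD = 5               # assumed number of failures that is suspicious
FAILED_LOGIN_WINDOW = timedelta(hours=1)  # assumed window for counting failures


@dataclass
class Event:
    participant: str   # participant account id (constructed values below)
    kind: str          # "login_failed", "contact_change" or "distribution_request"
    at: datetime


def flag_events(events):
    """Return (participant, reason, timestamp) tuples for each red flag found."""
    flags = []
    by_participant = {}
    for e in sorted(events, key=lambda e: e.at):   # chronological per participant
        by_participant.setdefault(e.participant, []).append(e)
    for pid, evs in by_participant.items():
        last_contact_change = None
        recent_failures = []
        for e in evs:
            if e.kind == "contact_change":
                last_contact_change = e.at
            elif e.kind == "login_failed":
                # keep only failures inside the rolling window, then add this one
                recent_failures = [t for t in recent_failures
                                   if e.at - t <= FAILED_LOGIN_WINDOW] + [e.at]
                if len(recent_failures) >= FAILED_LOGIN_THRESHOLD:
                    flags.append((pid, "repeated_failed_logins", e.at))
                    recent_failures = []          # do not re-flag the same burst
            elif e.kind == "distribution_request":
                if last_contact_change and e.at - last_contact_change < HOLD_PERIOD:
                    flags.append((pid, "distribution_within_hold_period", e.at))
    return flags


def sample_events():
    """Constructed sample: one suspicious account, one account that respects the hold."""
    base = datetime(2021, 12, 1, 9, 0)
    evs = [Event("P-1001", "login_failed", base + timedelta(minutes=i)) for i in range(5)]
    evs += [Event("P-1001", "contact_change", base + timedelta(days=1)),
            Event("P-1001", "distribution_request", base + timedelta(days=3)),
            Event("P-2002", "contact_change", base),
            Event("P-2002", "distribution_request", base + timedelta(days=10))]
    return evs


if __name__ == "__main__":
    for pid, reason, at in flag_events(sample_events()):
        print(f"{at:%Y-%m-%d %H:%M}  {pid}  {reason}")
```

In practice the events would come from the recordkeeper's authentication and transaction logs, and a flagged distribution would be held for manual verification rather than processed.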
[1] Case No. 7:21-cv-10282 (S.D.N.Y. Dec. 2, 2021).