Cybersecurity concerns have grown in recent years as breaches of trusted databases mount.
In 2019, in a breach of Capital One’s database, hackers accessed over 100 million credit card applications. This followed a $700 million settlement against Equifax concerning the 2017 breach of its database in which hackers accessed 147 million accounts. Although the Capital One breach was one of the most newsworthy breaches last year, smaller-scale breaches are happening all the time and have even affected retirement plan recordkeepers.
In the past, when unauthorized withdrawals were made from plan accounts, the recordkeeper was often willing to make the participant whole even when it appeared that all of its security procedures had been followed. However, as electronic theft becomes more common, recordkeepers are becoming less willing to do so.
A case filed in U.S. District Court in California against Estée Lauder will look at how responsibility, in the event of electronic theft, should be allocated between participants, plan fiduciaries, and service providers. In this case, a hacker made three unauthorized electronic transfers to three different banks from a participant’s account in the Estée Lauder 401(k) plan. These transactions reduced the balance from $90,000 to $3,800.
The recordkeeper, Alight Solutions LLC (formerly Hewitt Associates), refused to take responsibility for the losses. After the participant became aware of the theft through written confirmations and her quarterly statement, she informed Alight’s service center, the police, and the FBI. She completed an affidavit of forgery required by Alight. Ultimately, she was informed that Alight’s investigation of the matter had run its course and no funds had been recovered.
Interestingly, the Estée Lauder 401(k) plan has not, as yet, been named as a defendant. At this point, when electronic theft occurs from a plan, the responsibilities of plan fiduciaries are not entirely clear. Nevertheless, at a minimum, fiduciaries should review the processes and procedures that service providers have in place to protect their systems and determine that these measures meet industry standards. In addition, plan fiduciaries should review service provider contracts to ascertain that these contracts spell out the respective responsibilities of participants, sponsors, and the service provider in the event of electronic theft.