Cybersecurity concern has grown in recent years as breaches of databases mount. This year, in a breach of Capital One’s database, hackers accessed over 100 million credit card applications. This followed a $700 million settlement against Equifax concerning the 2017 breach of its database in which hackers accessed 147 million accounts.
In the past, when unauthorized withdrawals were made from plan accounts, the record keeper often was willing to make the participant whole even where it appeared all of its security procedures were followed. However, as the incidence of electronic theft becomes more common, record keepers are less willing to do so.
A case filed in U.S. District Court in California against Estee Lauder will look at how responsibility, in the event of electronic theft, should be allocated between participants, plan fiduciaries and service providers. In this case, a hacker made three unauthorized electronic transfers to three different banks from a participant’s account in the Estee Lauder 401(k) plan. These transactions reduced the balance from $90,000 to $3,800.
The record keeper, Alight Solutions LLC (formerly Hewitt Associates), refused to take responsibility for the losses. After the participant became aware of the theft through written confirmations and her quarterly statement, she informed Alight’s service center, the police and the FBI. She completed an affidavit of forgery required by Alight. Ultimately, she was informed that Alight’s investigation of the matter had run its course and no funds had been recovered.
Interestingly, the Estee Lauder 401(k) plan has not, as yet, been named as a defendant. At this point, when electronic theft occurs from a plan, the responsibilities of plan fiduciaries are not entirely clear. Notwithstanding, at a minimum fiduciaries should review the process and procedures service providers have in place to protect their systems and determine that these measures are up to industry standards. In addition, plan fiduciaries should review service provider contracts to ascertain that these contracts spell out the respective responsibilities of participants, sponsors and the service provider in the event of electronic theft.