Cybersecurity for Retirement Plans Front and Center
The government has both weighed in on the need for guidance on retirement plan cybersecurity and quickly issued nonbinding guidance for plan sponsors, fiduciaries, service providers, and participants. There has also been a development in one of the retirement plan cyberloss cases we have been following.
In mid-March, the U.S. Government Accountability Office (GAO) issued a report titled “Federal Guidance Could Help Mitigate Cybersecurity Risks in 401(k) and Other Retirement Plans” (GAO-21-25). The report concludes that “[The Department of Labor (DOL)] has not established minimum expectations for protecting PII [personally identifiable information] and plan assets,” and adds: “Until [the] DOL clarifies responsibilities for fiduciaries and provides minimum cybersecurity expectations, participants’ data and assets will remain at risk.”
In mid-April, the DOL issued informal guidance noting that “Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.” The DOL’s guidance includes three separate documents:
Tips for Hiring a Service Provider. These include confirming that the provider is properly insured against participant account theft, asking about the provider’s information security standards, and inquiring about past security breaches and how the provider responded to them. The DOL also suggests obtaining a contractual commitment that the provider will notify the plan sponsor of a breach within a defined timeframe. Although these tips are framed around hiring a new service provider, plan sponsors should also review the same areas with existing service providers that maintain plan records and participant data.
Cybersecurity Program Best Practices. This provides a list of cybersecurity best practices for plan service providers, including implementing a formal and documented cybersecurity program, ensuring that assets or data stored in a cloud or managed by a third party are subject to independent security reviews and assessments, and encrypting sensitive data. This list will also likely serve as a checklist for plan sponsors reviewing current and future service providers.
Online Security Tips. This is directed at plan participants and beneficiaries and includes seven familiar cybersecurity items, including registering their online accounts, regularly checking account status, using strong and unique passwords, avoiding free Wi-Fi, and reviewing information on identifying and avoiding phishing attacks. Plan sponsors should consider communicating these tips to their participants or having their recordkeeper do so.
Although this DOL guidance is informal, it can be expected that the DOL will use it in future audits to assess plan fiduciaries’ efforts to evaluate and monitor service providers’ cybersecurity measures.
In its ongoing review of service providers, CAPTRUST has routinely asked questions about cybersecurity issues. Going forward, these questions will be expanded to include all items identified by the DOL. Plan fiduciaries should also ask their service providers to report on whether their cybersecurity programs meet each of the DOL’s best practices along with how each of the service provider hiring tips is addressed. Responses can then be reviewed by information technology, legal, and other resources.
We previously reported on a cybertheft of $137,000 from a participant’s account in the Abbott Laboratories 401(k) plan. The cyberthief convinced the recordkeeper to provide a one-time code to access the account. The cyberthief then added a new SunTrust bank account and processed a distribution to the new account. The participant sued both the plan sponsor and the plan recordkeeper, Alight Solutions.
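The sequence in the Bartnett complaint (a one-time code obtained by social engineering, a new bank account added, then a distribution to it) is exactly the pattern a recordkeeper’s post-authentication controls should catch regardless of how the login succeeded. As an added illustration, not part of the original article and not Alight’s or any recordkeeper’s actual controls, the Python below treats a distribution to a bank account added within the last few days as suspicious, and escalates to a hold and callback when a one-time code issued through a support channel preceded the payee change. The account identifiers, the seven-day thresholds, the “call_center” channel label and the event log are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    account: str       # participant account (hypothetical identifiers)
    ts: datetime
    kind: str          # "otp_issued", "bank_added", or "distribution"
    channel: str = ""  # how an OTP was delivered: "call_center" or "web" (assumed labels)
    dest: str = ""     # destination bank account for bank_added / distribution


# Assumed thresholds; a real program would tune them to its own history.
NEW_PAYEE_WINDOW = timedelta(days=7)  # distribution soon after a payee was added
RESET_WINDOW = timedelta(days=7)      # payee added soon after a support-channel OTP


def review_distributions(events):
    """Return one finding per distribution that goes to a recently added bank account.

    Each finding records whether a support-channel (call-center) OTP preceded the
    payee change, which is the sequence described in the Bartnett complaint, and
    maps that to a disposition: hold-and-callback for the full pattern, manual
    review for a new payee on its own.
    """
    by_acct = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_acct.setdefault(e.account, []).append(e)

    findings = []
    for acct, evs in by_acct.items():
        for d in (e for e in evs if e.kind == "distribution"):
            recent_adds = [a for a in evs
                           if a.kind == "bank_added" and a.dest == d.dest
                           and timedelta(0) <= d.ts - a.ts <= NEW_PAYEE_WINDOW]
            if not recent_adds:
                continue  # payee established long before: ordinary activity
            added_ts = recent_adds[-1].ts
            otp_before = any(r.kind == "otp_issued" and r.channel == "call_center"
                             and timedelta(0) <= added_ts - r.ts <= RESET_WINDOW
                             for r in evs)
            findings.append({
                "account": acct,
                "dest": d.dest,
                "hours_since_payee_added": (d.ts - added_ts).total_seconds() / 3600,
                "call_center_otp_before_payee_change": otp_before,
                # Callback should go to contact details on file *before* any recent
                # change, otherwise the attacker simply answers the verification call.
                "action": "hold_for_callback" if otp_before else "manual_review",
            })
    return findings


# Constructed sample log mirroring the sequence in the text (not real data).
SAMPLE_EVENTS = [
    Event("P-2", datetime(2020, 6, 1, 9, 0), "bank_added", dest="ACH-old"),
    Event("P-2", datetime(2021, 1, 5, 9, 0), "distribution", dest="ACH-old"),
    Event("P-3", datetime(2021, 1, 2, 14, 0), "bank_added", dest="ACH-new-3"),
    Event("P-3", datetime(2021, 1, 4, 14, 0), "distribution", dest="ACH-new-3"),
    Event("P-1", datetime(2021, 1, 4, 10, 0), "otp_issued", channel="call_center"),
    Event("P-1", datetime(2021, 1, 4, 11, 30), "bank_added", dest="ACH-new-1"),
    Event("P-1", datetime(2021, 1, 5, 9, 0), "distribution", dest="ACH-new-1"),
]


def run_sample():
    return review_distributions(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample log, the long-established payee (P-2) produces nothing, a distribution to a two-day-old payee without a support-channel OTP (P-3) is routed to manual review, and the full Bartnett-style sequence (P-1) is held for a callback. The point of keeping the rule this simple is that it does not depend on the authentication having been defeated in any particular way; it keys on the money-movement steps that every account-takeover of this kind must perform.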
Abbott Laboratories was dismissed from the suit last fall because the complaint did not sufficiently allege that Abbott breached its fiduciary responsibility. Bartnett, the participant whose account was looted, then filed an amended complaint against Abbott, this time contending that it was a breach of fiduciary responsibility to hire and then retain Alight Solutions as the plan recordkeeper. The amended complaint identified a number of prior cybersecurity incidents at Alight that allegedly should have put Abbott on notice that Alight was not a suitable service provider. The claims against Abbott were again dismissed. The court noted that Abbott hired Alight before the reported issues at Alight occurred, and that, although examples of Alight’s prior issues were provided, there were no allegations that Abbott failed to monitor Alight’s work on the Abbott plan. Bartnett was given the opportunity to file another amended complaint. Bartnett v. Abbott Laboratories (N.D. Ill. 2021).
Participant Data Is Not a Plan Asset
Fiduciaries of Shell Oil Company’s 401(k) plan were sued for failing to take reasonable steps to protect confidential participant data, which allowed Fidelity, the plan recordkeeper, to use that data to sell nonplan retail financial products and services. Fidelity was also sued for misappropriation of confidential participant data to sell other services.
A key element of the claims against Fidelity is whether participant data is a plan asset. If participant data is a plan asset, it would be a fiduciary breach for Fidelity to use it for Fidelity’s own benefit rather than for the sole benefit of plan participants and beneficiaries. If not, there would be no breach. Fidelity filed a motion to have the claims against it dismissed. The court reviewed ERISA’s definition of plan assets as well as the few other decisions that have touched on this issue and concluded that participant data is not a plan asset. Accordingly, the claims against Fidelity were dismissed. Harmon v. Shell Oil Company (S.D. Tex. 2021).
This lawsuit recalls the terms of a settlement recently reached by a major university stipulating that participant data will not be used by plan service providers to cross sell unrelated services to plan participants. In that settlement, the plan sponsor was required to direct the plan recordkeeper to not use any data gathered in plan servicing operations to sell unrelated services to plan participants.
ERISA Retaliation Claim Proceeds
Under ERISA it is illegal to retaliate against plan participants for exercising their ERISA rights. Claims of this type are frequently brought as an add-on to a wrongful discharge claim, and are frequently dismissed. In a recent case, a 58-year-old employee was fired. He filed suit alleging employment discrimination based on his age and improper retaliation for raising concerns about his 401(k) plan account.
Robert Lees worked as an executive marketing director for Imagemaster, a commercial printer in Pittsfield Charter Township, Michigan, for six years until he was fired in 2019. Following the market turmoil at the end of 2018, in February 2019, he sent an email to the plan sponsor asking about his 401(k) plan account and inquiring whether he could diversify the account’s investments or withdraw a portion. As part of that inquiry, he asked to review his account. Apparently, the plan did not permit participant direction of investments.
Mr. Lees was told that he could not take a partial distribution or diversify his account. Forty days later he was fired. The plan sponsor moved to have the retaliation claim dismissed, and the judge declined. Mr. Lees’ questions about the 401(k) plan and his account were protected activity under ERISA, and he was fired only a short time later. That sequence of events supports the retaliation claim and warrants a trial to determine whether Lees was fired as a result of his questions about the 401(k) plan. Lees v. Imagemaster Printing, LLC (E.D. Mich. 2021).
U.S. Government Garnishes Lawyer’s 401(k) Accounts
Martin Shkreli made headlines a few years ago when he dramatically increased drug prices. He was later convicted of stealing millions of dollars from one company to pay investors in his failed hedge funds. His lawyer, Evan Greebel, was convicted of wire and securities fraud for his role in helping Shkreli’s scheme. Greebel was sentenced to 18 months in prison and ordered to pay more than $10 million in restitution.
During his law practice, Greebel worked at two law firms where he participated in 401(k) plans. He accumulated more than $125,000 in one plan and more than $775,000 in the other. Following his conviction, the government reached out to the plan recordkeepers and garnished his plan account balances. Greebel objected, taking the position that he did not have free access to his plan balances. Overruling his objection, the court found that, as a terminated participant in the 401(k) plans, Greebel had immediate access to the plan assets. The garnishments were enforced. United States of America v. Greebel (E.D.N.Y.). Note that although 401(k) plan assets are generally protected from claims or attachment by private creditors, they can generally be seized to pay obligations to the federal government.
Fee Litigation Continues
The flow continues of new claims and settlements in cases alleging fiduciary breaches through the overpayment of fees and the retention of underperforming investments in 401(k) plans. In a shift, this quarter there were several reported cases where motions to dismiss were denied and the litigation process will proceed. Recall that in a motion to dismiss, the judge assumes that everything stated in the complaint—a case’s initial filing—is true. A claim will be dismissed only if the judge concludes that it cannot succeed, even when viewed through this lens favoring the plaintiff. A thorough and well-documented fiduciary process is essential to defending these cases.
DOL Will Not Enforce New Pecuniary Factors Rule for Investment Selection and Proxy Voting
As previously reported, last year the DOL issued formal guidance that plan fiduciaries must use only pecuniary, or financial factors, in the selection of plan investments and when voting proxies. This followed the DOL’s deliberations on issuing guidance for the selection of environmental, social, and governance (ESG) investments. This guidance had a chilling effect on the use of ESG investments within retirement plans.
After taking office, President Biden issued an executive order directing all federal agencies to review regulations promulgated during the Trump administration to identify any that may be inconsistent with protection of the environment, among other things. Subsequently, on March 10, the DOL issued a notice that it will not enforce two recently finalized rules affecting ESG investments: “Financial Factors in Selecting Plan Investments” and “Fiduciary Duties Regarding Proxy Voting and Shareholder Rights.”
Although the rules are not being enforced, it is important to note that they were finalized and remain technically in place, so they cannot simply be ignored. The DOL’s current position of not enforcing the rules does not open the door for plan fiduciaries to select investments based on objectives other than providing retirement benefits for plan participants and beneficiaries. The fundamental ERISA rule that plan assets must be used only for the exclusive benefit of plan participants remains unchanged. Also, the DOL is not the only possible challenger. The legal community has pointed out that plan participants could sue under the regulation that is on the books, and a defendant may need to show that it followed a prudent fiduciary process if it used nonpecuniary factors in selecting and monitoring plan investments.
DOL Guidance on Investment Advice—IRA Rollovers
In April, the DOL issued frequently asked questions on its new class exemption regarding the provision of investment advice. This guidance is primarily directed at financial services firms that advise individuals on rolling over plan assets to individual retirement accounts (IRAs). In this guidance the DOL notes that rollover recommendations are a primary concern due to financial services firms’ strong economic incentive to recommend rollovers. The DOL also observes that rolling money over from a plan to an IRA is often the single most important financial decision a plan participant makes. Key takeaways from this guidance that will be of interest to plan sponsors and fiduciaries include:
- Individual advice to roll assets out of a plan is considered fiduciary advice and covered by the fiduciary rules if, in addition to meeting other requirements, the advisor has an ongoing relationship with the investor. An ongoing relationship includes an intended ongoing relationship with the investor following a rollover.
- Boilerplate disclaimers will not in and of themselves be effective in removing or limiting the advisor’s fiduciary responsibility or liability.
- Financial institutions must acknowledge in writing their financial professionals’ fiduciary status.
- Financial institutions must document their prudent analysis of the reasons a rollover recommendation is in the best interest of the retirement investor and provide that documentation to the investor. Details to be included are set out in the guidance and include alternatives to a rollover (e.g., leaving money in the plan), comparative fees and expenses, and comparative services.