The cyber security of health plan information is often at the forefront of many plan sponsors’ minds because of the strict requirements of HIPAA, but a recent lawsuit emphasizes the importance of retirement plan cyber security as well. In the lawsuit, a participant alleges that an unknown person stole $99,000 out of her 401(k) account by initiating three unauthorized distributions to three separate banks. She did not receive notice of the distributions at the time; she learned of them only later, by mail. The plan investigated these unauthorized distributions, but ultimately did not recredit the participant’s account.
The participant’s lawsuit alleges that the retirement plan failed to institute reasonable safeguards that would have prevented the theft, and thus the plan sponsor breached its fiduciary duties of loyalty and prudence. The lawsuit suggests that the plan could have required authorization from the participant before making any large distributions, provided more timely notice of any distribution by phone or email, and employed a system to flag suspicious distribution requests. The participant is asking the court to require the plan sponsor to restore the stolen money to her 401(k) account, plus any missed investment earnings.
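The three safeguards the complaint describes (holding large distributions for participant authorization, flagging suspicious requests, and giving prompt notice on more than one channel) can be expressed as a simple screening step run before any money leaves the plan. The following is an added illustration, not code from the lawsuit, the plan, or any recordkeeper; the thresholds, field names, account identifiers and sample requests are all constructed assumptions, and the sample mirrors the pattern in the article: three requests in one week to three different, never-before-used bank accounts, totalling $99,000.

```python
"""Added example: screening 401(k) distribution requests before payment.

Everything here is hypothetical and constructed for illustration. The policy
parameters, identifiers and sample data are assumptions, not any real plan's rules.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class DistributionRequest:
    request_id: str
    participant_id: str
    amount: float
    dest_account: str                     # destination bank account (assumed identifier)
    requested_at: datetime
    confirmed_out_of_band: bool = False   # participant re-authorized by phone or app


# Assumed policy parameters; a real plan would set its own.
LARGE_AMOUNT = 10_000.0      # anything at or above this needs participant authorization
WINDOW = timedelta(days=7)   # look-back window for "several destinations" checks


def risk_flags(req, history, known_accounts):
    """Return the reasons a request looks suspicious (empty list if none).

    history: earlier DistributionRequest objects already processed for the plan.
    known_accounts: {participant_id: set of destination accounts used before}.
    """
    flags = []
    if req.dest_account not in known_accounts.get(req.participant_id, set()):
        flags.append("destination account not previously used by participant")
    if req.amount >= LARGE_AMOUNT:
        flags.append(f"amount {req.amount:,.2f} at or above {LARGE_AMOUNT:,.2f}")
    recent = [h for h in history
              if h.participant_id == req.participant_id
              and timedelta(0) <= req.requested_at - h.requested_at <= WINDOW]
    destinations = {h.dest_account for h in recent} | {req.dest_account}
    if len(destinations) > 1:
        flags.append(f"{len(destinations)} distinct destination accounts within {WINDOW.days} days")
    return flags


def decide(req, history, known_accounts):
    """APPROVE the request, or HOLD it for participant authorization if any flag fires."""
    flags = risk_flags(req, history, known_accounts)
    if flags and not req.confirmed_out_of_band:
        return "HOLD", flags
    return "APPROVE", flags


def notifications(req, decision):
    """Prompt notice on every channel, not only postal mail, so the participant learns in time."""
    text = (f"Distribution {req.request_id} for ${req.amount:,.2f} "
            f"to account ending {req.dest_account[-4:]}: {decision}")
    return [{"channel": channel, "participant": req.participant_id, "message": text}
            for channel in ("phone", "email", "mail")]


# Constructed sample: a participant who has only ever used ACCT-0001 suddenly has
# three requests in one week to three different new accounts, totalling 99,000.
KNOWN = {"P-1001": {"ACCT-0001"}}
T0 = datetime(2024, 1, 8, 9, 0)
REQUESTS = [
    DistributionRequest("R1", "P-1001", 30_000.0, "ACCT-7781", T0),
    DistributionRequest("R2", "P-1001", 34_000.0, "ACCT-5520", T0 + timedelta(days=1)),
    DistributionRequest("R3", "P-1001", 35_000.0, "ACCT-9043", T0 + timedelta(days=3)),
]


def run_sample():
    """Screen the sample requests in order; return {request_id: decision}."""
    history, results = [], {}
    for req in REQUESTS:
        decision, _flags = decide(req, history, KNOWN)
        results[req.request_id] = decision
        history.append(req)
    return results


if __name__ == "__main__":
    history = []
    for req in REQUESTS:
        decision, flags = decide(req, history, KNOWN)
        print(req.request_id, decision, flags)
        for note in notifications(req, decision):
            print("  notify", note["channel"], "->", note["message"])
        history.append(req)
```

With these assumed rules every one of the three sample requests is held rather than paid: each goes to an account the participant has never used, each exceeds the large-amount threshold, and from the second request onward the look-back window also sees multiple destinations. A request to a known account for a small amount passes with no flags, and a flagged request is released only once the participant has confirmed it out of band, which is the authorization step the complaint says was missing.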
While the lawsuit has not yet been decided, it does highlight the importance of cyber security and implementing safeguards to protect participants’ retirement accounts.