Summary of the Article
A recent breach exposing over a thousand Walmart 401(k) participants’ Social Security numbers highlights regulatory gaps that impede accountability for plan service providers. The incident, caused by a Merrill employee’s email error, underscores the frequent vulnerability of retirement plans managed by third-party providers. Because the Department of Labor’s 2021 cybersecurity guidance targets plan sponsors, responsibility often falls on them rather than on the service providers. Legal actions against companies like JPMorgan and Alight Solutions are testing the extent of fiduciary liability under ERISA. State data privacy laws and industry standards offer additional avenues for holding recordkeepers accountable, but experts call for more robust ERISA-specific regulations to safeguard sensitive data effectively.
Walmart 401(k) Data Breach Exposes Regulatory Gaps
A significant data breach affecting over a thousand Walmart 401(k) participants has brought attention to the regulatory shortcomings that make it difficult to hold plan service providers accountable when human error leads to a breach. The incident occurred due to a mistake by an employee of Merrill, the plan recordkeeper, who inadvertently disclosed sensitive information in an email. Merrill’s parent company, Bank of America, reported the breach last month, marking the latest in a series of retirement plan breaches involving third-party service providers.
The Role of Third-Party Vendors in Data Breaches
The US Labor Department issued its first cybersecurity guidance for retirement plans in 2021, focusing primarily on plan sponsors, who have a fiduciary duty to the participants and beneficiaries of the plans they manage. However, recent breaches indicate that third-party vendors are often responsible for data mishandling. Large recordkeepers handling vast amounts of personally identifiable information and assets can easily expose this data to bad actors through simple mistakes.
Contractual Loopholes and Fiduciary Obligations
Service providers typically avoid fiduciary obligations in their contracts, bypassing direct Department of Labor (DOL) oversight. The DOL’s stance is that it is the plan sponsors’ responsibility to prevent data breaches, as emphasized by Joseph Lazzarotti, a principal at Jackson Lewis P.C. Lazzarotti likened a retirement plan to a chain, with multiple entities involved, including the employer and the recordkeeper, where data moves from one to the next. The ultimate responsibility for data protection, according to Lazzarotti, falls on the plan sponsor.
Legal Challenges and Fiduciary Liability
Lawsuits from the DOL and plan participants against recordkeepers like JPMorgan and Alight Solutions challenge the existing regulatory framework. Under the Employee Retirement Income Security Act of 1974 (ERISA), fiduciary liability can extend to other parties if they are found to have exercised control over plan assets during a breach. A recent lawsuit against JPMorgan alleges that the company failed to prevent a breach affecting 451,000 participants. However, federal courts have not defined whether data is considered a “plan asset” under ERISA.
State Privacy Laws and Industry Standards
Outside of ERISA, state data privacy laws and banking regulations provide mechanisms to hold recordkeepers accountable for breaches. These laws require companies to notify the owners of affected data and allow regulators to revoke licenses if negligence is found. Industry standards also play a role in setting expectations for data protection. The 2021 DOL guidance was partly based on norms established by the Society of Professional Asset Managers and Recordkeepers.
The Need for ERISA-Centered Cybersecurity Regulations
Existing frameworks like the Securities and Exchange Commission’s Regulation S-P and the Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model offer technical controls to safeguard data. However, experts argue for a dedicated ERISA-centered regulation to clarify the responsibilities of recordkeepers and third-party service providers. Carol Buckmann, a Cohen & Buckmann P.C. partner, highlighted the need for formal regulations rather than informal guidance to ensure robust data protection measures.