Brief Takeaway
As a result of the Coronavirus Aid, Relief, and Economic Security Act ("CARES Act"), plan sponsors and service providers across the country are bracing for a flurry of participant activity with respect to distributions, loans, and other account transactions. Many plan sponsors and service providers are actively working to support participants by facilitating access to retirement account funds through COVID-19 related loans and hardship distributions. However, it is important to recognize that the uptick in participant distribution and loan activity also presents an opportunity for cybercriminals and fraudsters to take advantage.
A recently filed lawsuit, Bartnett v.
I. Introduction
On
The complaint describes detailed factual allegations regarding the efforts of the Cyber Thief to compromise the plaintiff's account, as well as the interactions between the Cyber Thief and Alight, which operated the Plan's participant website and phone line and was responsible for issuing plan distributions. The complaint notes that the basis of these allegations is an internal investigation report prepared by Alight that was turned over to local law enforcement in response to a subpoena, and then subsequently obtained by the plaintiff.
II. Overview of the Alleged Cyber Theft
Cyber Thief's Interactions with Defendants
According to the complaint, the Cyber Thief already had certain personal information about the plaintiff before attempting to access the participant's Plan account, including the last four digits of her social security number and her date of birth. The Cyber Thief presumably also had access to her email to receive the authentication codes.
On
Upon gaining access to the plaintiff's account, the Cyber Thief changed the account password and added direct deposit information for an unknown SunTrust bank account to the plaintiff's account.
Two days later, an unknown person (presumably, the Cyber Thief or an accomplice) called the participant phone line from a phone number not previously associated with the participant's account and reported being unsuccessful in processing a distribution online. The interaction did not result in a distribution being issued, as Alight required a seven-day waiting period between adding a new account and allowing distributions to that new account.
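The seven-day hold described above is a single control, and the timeline in the complaint shows a distribution issued once that window had passed. The following is an added illustration (not code from the case, from Alight, or from the original alert) of how a recordkeeper might correlate the same signals the complaint describes (password change, newly added deposit account, call from an unrecognized number) so that a request which merely waits out the hold is still routed to review. The event timeline, dates and account labels are constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed event timeline modelled on the sequence in the complaint.
# Dates and identifiers are placeholders, not the real values from the case.
EVENTS = [
    {"ts": "2020-01-01T10:00", "type": "password_changed"},
    {"ts": "2020-01-01T10:05", "type": "deposit_account_added", "account": "NEW-BANK-1"},
    {"ts": "2020-01-03T14:00", "type": "phone_call", "known_number": False},
]
# Constructed distribution requests: one inside the hold, one just after it.
REQ_DAY2 = {"ts": "2020-01-03T15:00", "account": "NEW-BANK-1"}
REQ_DAY8 = {"ts": "2020-01-09T09:00", "account": "NEW-BANK-1"}

WAITING_PERIOD = timedelta(days=7)   # the hold the complaint attributes to Alight
LOOKBACK = timedelta(days=30)        # assumed correlation window for other signals

def _parse(ts):
    return datetime.fromisoformat(ts)

def waiting_period_blocks(events, request):
    """The single control from the complaint: refuse a distribution to a
    deposit account that was added less than seven days before the request."""
    req_ts = _parse(request["ts"])
    for e in events:
        if e["type"] == "deposit_account_added" and e["account"] == request["account"]:
            if req_ts - _parse(e["ts"]) < WAITING_PERIOD:
                return True
    return False

def risk_flags(events, request):
    """Collect account-takeover signals seen within LOOKBACK days of the request."""
    req_ts = _parse(request["ts"])
    recent = [e for e in events if timedelta(0) <= req_ts - _parse(e["ts"]) <= LOOKBACK]
    flags = set()
    if waiting_period_blocks(events, request):
        flags.add("deposit_account_in_waiting_period")
    if any(e["type"] == "password_changed" for e in recent):
        flags.add("recent_password_change")
    if any(e["type"] == "deposit_account_added" and e["account"] == request["account"]
           for e in recent):
        flags.add("payout_to_recently_added_account")
    if any(e["type"] == "phone_call" and not e["known_number"] for e in recent):
        flags.add("call_from_unrecognized_number")
    return flags

def decision(events, request):
    """'blocked' inside the hold; 'review' when two or more signals coincide;
    otherwise 'approved'. Returns the decision and the flags that drove it."""
    flags = risk_flags(events, request)
    if "deposit_account_in_waiting_period" in flags:
        return "blocked", flags
    return ("review" if len(flags) >= 2 else "approved"), flags
```

With the constructed timeline, the day-8 request passes the seven-day hold alone but is sent to review because three signals still fall inside the 30-day window.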
Eight days later, on
Plaintiff's Interactions with Defendants
Throughout the complaint, the plaintiff claims that despite her alleged preference to receive notices about account activity by email, the defendants sent notices relevant to the theft by regular mail.
The plaintiff alleges that the defendants notified her about the addition of the
Similarly, the plaintiff alleges that following the initiation of the unauthorized transfer of
Notably, the complaint also states that days after the Cyber Thief gained access to the plaintiff's online account and changed her password, the plaintiff's husband—after successfully answering security questions—regained access to the online account and changed the password. The complaint notes that the plaintiff was notified via email of these changes, which suggests that her email account may have been compromised, with the Cyber Thief possibly intercepting the earlier email notices that he or she knew the account changes would trigger.
The plaintiff notes that she discovered and reported the theft to the plan sponsor on
Investigation
Local law enforcement in
III. Implications
Greater Cybersecurity Risks in the Pandemic Era
The Bartnett case provides another reminder that retirement accounts are not immune to cyberattacks. [See Groom Alert: New Case Raises Difficult Questions About ERISA Remedies for 401(k) Account Thefts]. In fact, retirement accounts may be particularly attractive targets for cybercriminals given the significant amount of assets held in such accounts.
In this new pandemic era, cybersecurity threats are greater than ever as millions of people across the world employ technology at unprecedented levels for business and personal matters. But while millions are practicing social distancing, cybercriminals continue to employ a variety of fraudulent means, including deceptive methods like those used in the Bartnett case, to defraud and steal.
Notably, in response to the growing threats, on
Considerations for Fiduciaries and Service Providers
The Bartnett case provides reminders of several important considerations that might be incorporated into plan processes:
First, plan fiduciaries responsible for plan administration are well served to understand how account activity is triggered (e.g., additions of permitted bank accounts, phone numbers). Plan fiduciaries could also evaluate whether there are other practical measures that could balance the need for accessibility to funds with the protection of plan participants.
Second, plan fiduciaries and service providers can collaborate to implement processes to safeguard information. Plan fiduciaries can also review service providers' cybersecurity capabilities and procedures at the RFP stage as well as during their ongoing monitoring process. It is important to remember that there may be no one "right" way to implement safeguards, and each plan, with its own unique participant demographics, may have its own interests to balance.
Third, although plan fiduciaries and service providers are not obligated to educate participants about cybersecurity, and are not required to create documents like a data security or privacy statement, it may benefit a plan and its participants to provide education on cybersecurity to help ensure that participants take part in protecting access to their own accounts. The complaint suggests that it was the hacking of the plaintiff's own personal computer and email account that may have led to the retirement account being accessed.
Fourth, plan fiduciaries and service providers can review their insurance policies (e.g., fiduciary insurance, cyber insurance) and fidelity bonds for scope of coverage and other guarantees. In particular, a close review of such policies can be beneficial to understand the scope of coverage, including whether social engineering or fraud losses like those described in Bartnett are covered.
While the complaint in Bartnett is styled as a breach of fiduciary duty claim under ERISA that would presumably fall within the coverage of a fiduciary insurance policy (barring any exclusions), claims for loss from cyber fraud will not necessarily always be brought as ERISA fiduciary claims. In those situations, plans often look to their cyber insurance policy or fidelity bond for coverage of losses where a proper individual authorizes a transfer of funds but is criminally induced to do so by an impersonator on the telephone or by email. However, some cyber insurance policies and fidelity bonds do not cover social engineering losses unless special endorsements are added. To avoid unpleasant surprises later on, plan sponsors and plan fiduciaries can work with their counsel and insurance brokers to make sure that the desired coverage is included in their respective insurance policies and fidelity bond.
Originally published
© Mondaq Ltd, 2020 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source