Are Cybercriminals Stalking Your 401(k) Plan?
At least two pending federal cases deal with attacks on individual 401(k) plan accounts. The fact patterns are similar: a participant submits an electronic benefit withdrawal request to the employer or the plan's record keeper. The request is passed on to the plan's custodian for implementation.
The custodian, as holder of the plan assets, then transfers the requested funds to the participant's bank account. This is a routine transaction and the distribution has been implemented as intended.
SO, WHAT IS THE PROBLEM?
What follows is not routine, because a cybercriminal has fraudulently obtained a copy of the withdrawal request and the participant's associated personal information. The fraudster then poses as the participant and submits an additional electronic withdrawal request. This request is processed and paid on behalf of the plan; however, the funds are transferred to an account designated by the imposter. Additional unauthorized withdrawals may follow.
THE TWO PENDING CASES
In Leventhal v. The Marblestone Group LLC et al., a Pennsylvania case, the participant, a lawyer and a principal in a law firm that sponsored the 401(k) plan, incurred an uninsured loss of over $400,000 in a series of unauthorized withdrawals resulting from an "unknown method of cyber-fraud." The lawyer filed an action against the plan's record keeper and custodian alleging breaches of their ERISA fiduciary duties.
The case survived a motion to dismiss as the trial court determined that the allegations of fiduciary status and fiduciary misconduct of both plan service providers were adequate as a matter of law.
Note: The Leventhal case may be unique in that the law firm sponsoring the plan was not sued for its role in the unauthorized account withdrawals. Because Leventhal was a principal in the law firm sponsor of the plan, suing the firm would be tantamount to suing himself! Any non-owner participant would likely join the employer-sponsor as a co-defendant.
Berman v. Estee Lauder Inc., a pending California case, illustrates a more likely approach. The participant in Berman sued both the employer and the record keeper for processing a series of fraudulent transactions that depleted her 401(k) account. The alleged misconduct included:
- failure to confirm distribution authorizations,
- failure to provide timely notices of distributions by telephone or email, and
- failure to recognize suspicious distribution requests (which, in this case, included multiple distribution requests involving transfers to different banks).
WHAT CAN YOU DO TO SAFEGUARD YOURSELF?
The assets of 401(k) and other retirement plans represent a significant financial asset and present an inviting target for cybercriminals. Information openly available in the public record identifies these plans, their sponsors, and related information that may be useful to cyber-thieves.
Employers who sponsor these plans are almost always plan fiduciaries and likely targets of suits over unauthorized plan withdrawals. Plan sponsors should consider their own cybersecurity protective measures and make sure that plan service providers have taken appropriate steps to secure the confidentiality of participants' personal information.
Plan service providers may want to implement additional steps in processing plan withdrawal requests. An additional verification step could not only prevent cybercrime but also establish a better defense based on the provider's claim of non-fiduciary status.
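The three failures alleged in Berman (confirming authorizations, giving timely notice, and recognizing suspicious request patterns) and the "additional verification step" just mentioned describe controls a record keeper or custodian could apply before paying a distribution. As an added illustration, not code from either case, from any plan service provider or from this firm, here is a small Python screening routine: it holds a request for out-of-band confirmation when the destination account is unfamiliar or when several requests within a short window are routed to different banks, and it always produces a distribution notice for the participant's contact of record. The data model, the 30-day window and the sample requests are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed illustration of a pre-payment screening step for 401(k)
# distribution requests. Not code from any real plan provider; the field
# names, the 30-day window and the sample data below are assumptions.


@dataclass(frozen=True)
class DistributionRequest:
    participant_id: str
    requested_at: datetime
    amount: float
    destination_bank: str        # bank name or routing number
    destination_account: str     # account number at that bank
    confirmed_out_of_band: bool  # participant confirmed via phone/email of record


@dataclass
class ReviewResult:
    decision: str   # "release" or "hold_for_confirmation"
    flags: list     # human-readable reasons the request looked suspicious
    notice: str     # text of the distribution notice sent to the participant


def review_distribution(history, request, window=timedelta(days=30)):
    """Screen `request` against `history` (all earlier requests seen for all
    participants, including ones that were held). A request is held unless
    the participant confirmed it through a channel already on file, whenever
    the destination is new for that participant or recent requests went to
    more than one bank. A notice is generated regardless of the decision."""
    mine = [r for r in history if r.participant_id == request.participant_id]
    recent = [r for r in mine
              if timedelta(0) <= request.requested_at - r.requested_at <= window]
    flags = []

    # Only destinations the participant actually confirmed count as "known";
    # an earlier held, unconfirmed request must not legitimise its account.
    known = {(r.destination_bank, r.destination_account)
             for r in mine if r.confirmed_out_of_band}
    if (request.destination_bank, request.destination_account) not in known:
        flags.append("destination account never confirmed by this participant")

    # The Berman pattern: several requests in a short window, different banks.
    banks = {r.destination_bank for r in recent} | {request.destination_bank}
    if len(banks) > 1:
        flags.append(f"{len(recent) + 1} requests in {window.days} days "
                     f"to {len(banks)} different banks")

    decision = "hold_for_confirmation" if flags and not request.confirmed_out_of_band else "release"
    notice = (f"Notice to participant {request.participant_id}: distribution request "
              f"for ${request.amount:,.2f} to {request.destination_bank} received "
              f"{request.requested_at:%Y-%m-%d}; status: {decision}")
    return ReviewResult(decision, flags, notice)


def demo():
    """Constructed scenario: one legitimate withdrawal followed by two
    imposter requests routed to other banks without confirmation."""
    p = "P-1001"
    legit = DistributionRequest(p, datetime(2020, 1, 5), 25000.0, "Bank A", "1111", True)
    imposter1 = DistributionRequest(p, datetime(2020, 1, 9), 150000.0, "Bank B", "2222", False)
    imposter2 = DistributionRequest(p, datetime(2020, 1, 12), 120000.0, "Bank C", "3333", False)
    history, results = [], []
    for req in (legit, imposter1, imposter2):
        res = review_distribution(history, req)
        results.append(res)
        history.append(req)  # held requests stay in history so velocity checks see them
    return results


if __name__ == "__main__":
    for r in demo():
        print(r.decision, r.flags)
        print("  ", r.notice)
```

The first request is released because the participant confirmed it out of band, even though the account was new; the second and third are held because they go to banks the participant never used and arrive within days of each other, which is exactly the pattern the Berman complaint says went unrecognized. The decision never depends on contact details supplied inside the request itself, since those are what an imposter controls.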
WE CAN HELP
GCT is available for any questions or concerns that you may have. For details on specific cybersecurity measures and appropriate contract protection, do not hesitate to contact the Golan Christie Taglia lawyers who can assist: