Have you done your due diligence concerning the data security practices of your 401(k) recordkeeper? If you are a 401(k) recordkeeper, have you seen an uptick in the concerns of 401(k) plan advisors about your data security practices? 401(k) plan recordkeepers hold a wealth of personal information that can be a prime target of cyberthieves.
Think about it. 401(k) recordkeepers normally have at least the following sensitive personal information:
- Social Security numbers
- Dates of birth
- Addresses
- 401(k) account and transactional information
- Investment information
- Designated beneficiary information (and that individual’s personal information)
Websites are also maintained for employees to review their 401(k) balances and to make transfers. Employee 401(k) statements are also often made available through these websites.
While case law and federal regulations flowing from the Employee Retirement Income Security Act (ERISA) are heightening the duties and standards for plan fiduciaries in many ways, plan advisors cannot overlook the issue of data security when it comes to their 401(k) plan recordkeepers. In choosing a plan recordkeeper, plan sponsors and advisors should focus on the data security measures that these recordkeepers have in place or should have in place. Detailed questioning on data security is now a must, and it cannot be ignored.
Similarly, 401(k) plan recordkeepers must make sure that they have detailed data security plans and protocols in place. The recordkeepers must be prepared to provide answers to a myriad of data security questions that plan advisors should be asking them.
The treasure trove of sensitive personal information that is contained in 401(k) records is an appealing target. Data security measures must be heightened by 401(k) plan recordkeepers, and plan advisors must be diligent in obtaining information about the data security protections in plans.