Everyone is well aware of the prevalence of cyber-attacks. News about cyber-attacks on large companies usually goes viral, and the costs associated with these attacks can be enormous. With the ever-increasing risk of cyber-attacks, everyone needs to be focused on cyber security.
Your third-party administrator (“TPA”), the firm that prepares your Form 5500, has access to sensitive data regarding your employees. This data, referred to as “personally identifiable information” or “PII,” may include social security numbers, addresses, dates of birth, dates of hire, account balance information, beneficiary information, and bank account information. There are laws that govern identity theft in the workplace. The Fair and Accurate Credit Transactions Act (FACT Act) says that any employer, even a sole proprietor with one part-time employee, needs to safeguard PII. Failure to do so can lead to a fine or a lawsuit.
However, since the FACT Act doesn’t apply to 401(k)s and other qualified retirement plans, protection of this data remains largely ignored by small TPA firms. Trustees of retirement plans have an obligation to protect the plan, which includes protecting the plan from identity theft and cyber-attacks. Because cyber-attacks and identity theft weren’t around when ERISA was created 39 years ago, it is not clear whether a plan trustee would be held responsible if a TPA firm were the subject of a cyber-attack or if an employee’s identity were stolen from a TPA firm.
Since there are no specific federal or state laws that mandate protection of PII by TPAs, most don’t have a data security plan. TPAs routinely email, scan or fax distribution/loan forms to their clients to sign. Unfortunately, these forms carry Social Security Numbers and banking information, which makes them prime targets. TPAs will say that everything they send is password protected to make sure that forms containing PII can’t be opened by unauthorized persons.
There is one fundamental flaw with password protection: chances are there are many files on a TPA’s computers that aren’t password protected. Since 2002, most copiers, printers, scanners and fax machines contain hard drives, which can store thousands of images copied, scanned, faxed or printed. That means everything that has been printed, scanned, copied, or faxed is stored on that machine’s hard drive and can be read by anyone who gets access to the machine or its drive.
In order to protect your employees’ identity information, you should review your TPA’s cyber security procedures. Here are some things to consider when reviewing your own or your TPA’s cyber security procedures:
- A description of how your TPA protects your PII;
- The TPA’s agreement to use industry best practices with regard to storing PII;
- Regular audits of the TPA’s data security systems and practices, conducted by an IT professional;
- A contract with your TPA that gives you the right to review the TPA’s security measures at any time;
- A commitment from the TPA to notify you immediately of a data security breach, regardless of whether PII was compromised.
An identity thief can do a lot with the information gathered from a TPA firm. Besides stealing someone’s identity and obtaining credit cards in their name, identity thieves can take all of the money in someone’s 401(k) or pension plan. If you are in the process of switching TPAs, or thinking of doing so, you should ask each TPA to provide you with their cyber security procedures.