Employee Data & Cyber Threats: Retirement Plan Issues for The Times

Bonus Cyber Question: What are some things that a plan fiduciary committee should consider doing in 2020 to become better educated about risks to participant balances from unwanted attacks?


Jenny Eller: Fiduciary committees should ask for data regarding the percentage of participants in the plan who have not logged on to their on-line 401(k) or similar account.  Also ask what the provider can do to reach out to those folks and think about ways the committee can do the same.  Consider educating participants about getting engaged.


Bonus Data & Employee Access Question: Plan providers have been offering IRA rollover services to plan participants for years.  Why is there now new interest in whether this is ok?


Jenny Eller:  You are correct.  In fact, the DOL issued guidance about IRA rollovers in 2005 and never mentioned data or access as a plan asset.  I believe that the focus on rollovers and on other services offered to participants (sometimes with the help of participant data, and sometimes not) is a result of the DOL fiduciary rule, which would have covered most rollover recommendations.  While the rule was vacated by a federal court, it changed the way people thought about these conversations.  

With Guest
Jennifer Eller, 
Principal, Co-head Fiduciary Practice
Groom Law Group

In her practice, Jennifer Eller advises financial institutions on the design and delivery of products and services to the retirement plan marketplace, and advises large corporate and public plan sponsors on all aspects of ERISA fiduciary compliance.

Jenny writes and speaks frequently on fiduciary issues, appearing at conferences held by the Fiduciary Risk Management Association, the Practising Law Institute, and the ALI CLE among others.  

Jenny is co-head of Groom’s Fiduciary Practice Group. In her role as practice group co-head, Jenny is responsible for ensuring that the strategic direction and new initiatives of the Fiduciary Group position Groom to serve the needs of its financial, corporate, and public plan clients. 

NEW: Episode Transcript

Rick Unser:

Well, Jenny, thanks for joining me on the podcast. I am really looking forward to what you have to say about what could be the topic of our time or the topic of the coming decade, which is data and cybersecurity. So thanks for joining me.


Jenny Eller:

Thank you so much, Rick. As I told you when we first talked, I love podcasts, so I'm pretty excited to be here with you.


Rick Unser:

Very cool. Well, I'm looking forward to a fun conversation. I guess maybe from a level-set standpoint here, as we start thinking about things like data, which has seemed, over the last year or so, to gather more significance than ever in our little world of retirement plans. What's the broader landscape out there, and how does that, I guess, work? Or what are some of the general business practices around how companies are using data of their users or of their customers, or whatever the right word is that you would attach to that?


Jenny Eller:

Yeah, absolutely. I mean, it's fascinating, right? Like we all sort of started things like Facebook or, you know, other sort of social media things just as they came out, and then over time, and really fairly recently, we've all started talking about data, not only sort of big data and how our information can be used in very interesting ways, like on Amazon or Google, but also what does that mean for our personal privacy. I mean, that I think is really, as you said, the issue of the age, or at least certainly one of them. So what we're seeing, kind of big picture, is that you've got Europe with their sort of real data privacy, GDPR activities, and then you have in the United States particularly, you have sort of some of the more proactive states like California with its data privacy law. It seems certain that other states will follow. In Congress, you know, they've had hearings and there's interest; there's a huge education process in the United States at the federal level. So, you know, there is, I think, very much an understanding of the issues, or at least the noticing that there are big issues around data that are much, much broader than they are in the retirement space. And that, like everything else, retirement plans and the retirement space are absolutely impacted by data. And these are going to be the issues that I think plan fiduciaries and plan sponsors have to deal with, really should be now, and have to deal with in coming years.


Rick Unser:

You know, it's funny you mentioned Amazon. And, you know, I've sat through some presentations from record-keepers and similar folks where it's like, hey, you know, once we have your participant data, we can make this an Amazon-like experience, you know, we'll send them the right cues when they log onto the website. They'll have all these things that are current and relevant to them about next steps or action points they should be taking on their journey to retirement. And I think for a long time, or I guess, you know, just for the last couple of years, I think a lot of employers, a lot of plan sponsors, have been like, wow, you know, that's pretty cool, and oh, this would be great, and, you know, very intuitive. And now, I think as you were saying, I think that the switch is starting to flip a little and it's like, okay, well, what does this mean to us? This is all well and good, but is this what should be happening in our retirement plan?


Jenny Eller:

Right? No, absolutely. And we all have this sort of love-hate relationship with our own data and what people do with it. We want everything to be intuitive and we, you know, we click on the ad that just happens to be the thing we want. We like the fact that, you know, Amazon or other companies know how to recommend stuff to us, and we find it a little creepy. So, you know, we all have that reaction. And the creepy factor is something that I think right now most American adults sort of have that feeling about, but don't take a lot of hard steps to protect our data. We don't, you know, object very vociferously. We don't write Congress and say, you should do something about this. So I don't think, as sort of American consumers of information in the broad universe, we have a good idea individually or collectively of what we want to happen. And I think the exact same thing is the case in the retirement services space.


Rick Unser:

So help me connect the dots here. How does this go from creep factor to potential fiduciary issue for employers about how their, I don't know even what the right word is here, but how their participant data is being used.


Jenny Eller:

Right. Well, I mean, you can paint a picture of some things that I think my plan sponsor clients would, for the most part, say, boy, that would be really great and helpful. Plan sponsors are certainly recognizing that participants have financial lives that are much, much broader than their 401k plan. And that, you know, we sort of had a move from, gee, if we could only get participants advice or managed accounts in their 401k plan, then that would really help and really make the defined contribution plan, you know, a much more valuable resource for folks. And I think, you know, now people are seeing, wow, you know, things like how to deal with debt, how to save for college, you know, disability insurance, life insurance, all sorts of financial decisions have to be made by adults. And I think many of my plan sponsor clients would say we would like to do something that would help across those areas.


Jenny Eller:

We recognize that looking at the 401k plan in a vacuum isn't particularly helpful to our participants. So what could we do that looked different? And it turns out you can do a lot right there. There are not only sort of calculators, there are everything from kind of questionnaires and apps and different kinds of pie charts and lots of things that you can do to help participants with their broad financial life. And I think people believe that a more holistic approach is better. And when you have at your fingertips, you know, people's age and salary and account balance and, you know, demographic information, all that sort of stuff, you have the capacity to deliver something that is on the level of, you know, Amazon or Facebook or some of those larger experiences that participants, just like everybody else, have kind of come to expect and know how to operate.


Jenny Eller:

So there's a lot of good there. There are a lot of really helpful ways that we can imagine working with our employees to, you know, give them a better understanding of all sorts of aspects of their financial lives. And that all sounds really good. And I think for the most part, my plan sponsor clients have looked at a lot of this stuff and said, boy, this would be really helpful. We'd really like for our participants to have access to this, and we think it could be really useful. So that's kind of one picture that's just like, boy, I like these ads on, you know, the Washington Post that I see. It's exactly what I'm interested in. I like that Amazon delivers to my page things that are of interest to me. And then we sort of pivot. And as a plan fiduciary you think, well, I'm already held to the highest legal standard under U.S. law in terms of how I deal with my plan and plan participants.


Jenny Eller:

I want to be able to give them a better experience and a better ability to manage their financial lives. But I don't want to be held to that high standard for their entire financial lives. So if I provide a set of, you know, services that are all delivered, say, through the website that they go to to look at their 401k plan balance, because that's a very good access point, where are the lines? Where do I as plan fiduciary, as plan sponsor, sort of stop being responsible for vetting the arrangement? How do I, you know, kind of open the door and let people go and look around and figure out what would be helpful to them, but not own it all? And for participants, all this stuff could be really useful, but we have the same level of, you know, skepticism or concern about how our data is being used in this realm as we do anywhere else, I'd imagine.


Rick Unser:

So you mentioned lines in this whole conversation, and I think that's an interesting way to think about it, because I would agree. I mean, you have a lot of employers who, you know, let's just use the word benevolent employer. Hey, we care about our employees, we want them to have successful retirements. You know, we want them to be financially well, you know, we don't want them to be stressed, and we want to provide them with resources and support and everything we can, whether it's just as a part of our overall benefits package or our recruiting and retention strategy, or just, hey, you know, we just, good old-fashioned, care and want to help them. And I would agree with you as well that a lot of people are partnering with their record-keepers, if not as the sole resource, then certainly one of the primary resources to kind of help in that arena. You know? So as you think about those lines, are there ways that you're seeing employers who kind of have that benevolence to them, that they're potentially, again, as these lines are either maybe being drawn or constructed today, where you're seeing them kind of potentially step over those, or where maybe the plaintiff's firms would say, what, you clearly stepped over this and now we're going to sue you?


Jenny Eller:

Right. Well, I would argue, I mean, I agree with everything you said. And also I think an employer who, let's say, is really focused on their company's bottom line, I think they would still end up in the same place in terms of saying, my workforce will be better able to do what I want them to do if they have better financial hygiene, and the more ready people are to retire, the less likely they are to need to stay in a job at retirement age. So I think retirement readiness, well, I think most employers are absolutely benevolent in the sense that they want good things for their workforce and they want their workforce to be kind of in the best position possible in all kinds of ways. I think it's not just those folks. I think it is financially savvy employers who want what's best for their employees and what's best for the company, and kind of could all come together and say this is an investment that we think will be beneficial to all.


Jenny Eller:

So there's that, and then you are in this place of, okay, where are the lines? How far can we go, and what is it that we should be doing to, you know, kind of maximize everybody's benefit? So here a real core question is, you know, what's the nitty, are we talking about data? What particular pieces of data are we talking about, data that is unique to participants? Are we talking about access to participants through the employer's 401k or benefit, you know, website or structure? What is the thing that makes this conversation, that drives this conversation? And I think it's both of those things. I think it is both data and access. As I mentioned, you know, when you think about, first of all, your 401k plan balance, for most people today, as we move away from a defined benefit universe, at least in this country, for most people their 401k balance is by far the largest pot of money that they're ever going to have, right?


Jenny Eller:

You might have a home and you might have a 401k balance, and so it is the largest financial asset that most folks have. Maybe it's an IRA, but in general, that defined contribution plan. So you have that, and then you have the data that goes along with it. You have people's age, you have people's salaries, you have people's, you know, demographic information, social security numbers, all that sort of stuff. So you're sort of starting with information that is useful beyond the four corners of the plan. And so one big question that comes up is, well, what is that data? Is that data an asset of the plan? Is that data something that those individual participants own? Is that data, much of which is sort of created by reason of the employer having a 401k plan, is that data, you know, the employer's plan or the employer's information, their asset? Is it the record-keeper's, say, who has created the website, pulled the information together and maybe done things with it that are taking it beyond the initial information that they were given?


Jenny Eller:

You know, is it the record-keeper's data? Is it everybody's data? And this is not a different question than we see in other areas of data privacy. The lines are very much blurred. So, you know, one thing is, what are we talking about? We're talking a little bit about data, and then I also think we're talking about access. We're talking about the fact that, you know, for many of us the defined contribution plan, because of its place in our financial lives and the way that it's evolved to have those services be delivered on a website, people can generally log in. Although we should talk about that. Fewer do than you'd imagine. So, you know, those I think are the two key things. And then you sort of drop back and say, okay, from a legal standpoint, when you talk about, you know, who we think should own what, that's very much a legal question in terms of, as we think about, you know, who should be liable and where are the lines. One currently unanswered legal question is whether that data is a plan asset, whether the ability to access plan participants is a plan asset. And until those questions are answered, there is going to be a lot of uncertainty in this space.


Rick Unser:

And please correct me if I'm wrong here, but I think what the plaintiff's bar is gearing up for, and, you know, what we've seen folks like Jerry Schlichter say in some of the suits that he's now crafting, are, well, yeah, participant data is a plan asset. And he doesn't make law, I understand that, but am I correct in that sort of being the direction that the plaintiff's bar is heading? And if that is the case, or if that becomes the, I don't know, I'm not gonna use the word law, but if that becomes sort of part of settlements or other things, what implications does that have? What does that mean for the broader community, for employers, for participants, in this whole retirement support and conversation about how do we help people?


Jenny Eller:

Yeah. Great, great question. And I think you're exactly right. I mean, I think the legal question is there and it should be answered, and honestly, in the most recent sort of try at answering the legal question, the court determined that data is not a plan asset. Participants might have some sort of privacy right, to the extent there is a, you know, legally cognizable privacy right. But the way ERISA thinks about whether data is a plan asset has to do with property rights. So, you know, courts are going to decide that, but you're absolutely right. I think that right now the more active area involves what plan fiduciaries are doing on the basis of the settlements. So there are three cases that I'm aware of that were fee cases that had settlements. Those settlements have, you know, large monetary aspects to them. And then there are non-monetary things that the plan sponsor, plan fiduciaries have agreed to do, including, those settlements tend to have some language that says the plan fiduciaries will contractually prohibit the record-keeper from engaging in trying to offer non-plan services to plan participants unless the plan participant asks for it, unless they initiate that conversation.


Jenny Eller:

So those settlements now have created a real interest in, well, gee, those settlements are where a fiduciary has agreed to do these certain things. Does that set the bar now? Does that say that's what a prudent fiduciary would do? A number of years ago settlements started saying, you know, you'll do an RFP for your record-keeper. Well, the same question came up: well, that's in the settlement, has that now set the bar for what a prudent fiduciary should do? So I think that's what a lot of plan fiduciaries are sort of looking at and saying, well, gee, if I don't do this I might get sued. And I think it's definitely moved the needle.

Rick Unser:

Let me unpack that a little bit as well, because I think there's a couple things there that I'd love for you to elaborate on. So I'm not an attorney. I try to have conversations with smart attorneys like you and I always embarrass myself at some point, but I don't really know and I couldn't really explain to an employer property rights and how that would relate to plan data. So maybe if you could just elaborate on that a little bit in terms of how do the two of those go together, and maybe what peace of mind would that bring an employer to say, okay, well, I'm hearing a bunch of noise, but it seems like we've got something that we can stand on if someone was to call into question what we were doing with participant data.

Jenny Eller:

Right. So here's an example. Say you have, you as a plan service provider have access to a bunch of participant data.


Jenny Eller:

I don't know, claims data, how old people were when they made a claim, what the claim was for, some other information like that. And you take it all and you take everybody's name off of it and you crunch it in a bunch of different directions and you come up with trends. You know, participants who are between X years old and Y years old tend to have claims information that looks like this. That could not have been done without the actual claims data and experience. But there was a lot of work that went into moving it from just names, ages, dollars, numbers to something that somebody can use. So, you know, of course, looking at that, you know, to the extent they've looked at it, and certainly in our discussions here, there's something that's been added to that. And that brings into question whether, you know, you could say, well, gee, but for those participants and their data, this would never have been possible.


Jenny Eller:

But merely that list of data didn't give you the trends. Right? It had to be crunched. So that's one example of here's how data, which you might say, you know, belongs to the plan, moves a few steps away. In terms of the question about, you know, how might I think about plan data and whether it's a plan asset, you know, we could talk about that all day long. You could step past it and say, maybe that legal question, well, we don't want to concede. I certainly don't want to concede that all data is a plan asset, because I think that's a mistake. You know, you could step past that and say, whether or not data is a plan asset, if we move to the access, plan fiduciaries certainly have the ability by contract to attempt to set limits or requirements, or to set up how that data and access to participants is going to be used.


Jenny Eller:

So you could say it's a little bit beside the point. I'm not willing to concede that they're plan assets, but it may be that at the end of the day plan fiduciaries, plan sponsors know, gee, you know, I can contract with other folks about what my participant experience is going to be like. And I think the hardest question that plan sponsors are going to face going forward is, what are my obligations when I'm in the midst of those contract discussions? How do I have to think about things? Because remember, I'm the plan sponsor. I'm trying to make my participants the most financially savvy, happiest people I can, whether because I love them or because I love the bottom line, or both. And so if I had my druthers, I'd make sure that they had the best experience possible, and people can disagree about what the best experience possible is, but that's not all they have to think about. Now, if you have, you know, lawsuits like are being filed saying, you know, you did the wrong thing with participant data and with access to participants, now as a plan fiduciary I have to think about more than what do I think is going to be best for participants. I have to think about what the plaintiff's bar is going to think is going to be best.


Rick Unser:

Yeah, and to your point, I think the direction the plaintiff's bar is going is this concept of non-solicitation, which, coming back to what you said earlier, I think really meshes the data and the attempt or the ability to sell additional things outside of whatever the record-keeper is providing as a core record-keeping service. I think that's what they're looking at, and trying to draw some lines and create the narrative around damages, et cetera, conflicts of interest, whatever it might be, that will become the next sort of battleground, whether successful or unsuccessful to be determined, in this whole evolution of retirement plan litigation.


Jenny Eller:

I think you're exactly right that that's the framework that I think the plaintiff's bar is trying to set up, and we've really only seen one case, right? The case that was filed recently, I think by the Schlichter firm. Harmon, I think, is the plaintiff's name. And so we've really only seen the one. I expect that we will see more. And the settlements, they definitely focus on this idea that if somebody is trying to sell participants additional non-plan services. I think the tricky part about that is, you know, a few years ago we might've talked about making available to participants individualized investment advice and the rules around how you do that, right? When we're making that available to participants, are we selling them something? I mean, someone somewhere, yes, but the focus from the plan sponsor perspective has been, again, how can I put my participants in the best position possible to understand their 401k, to be financially savvy. And now, as folks are realizing, gee, you know, that probably involves something a little broader.


Jenny Eller:

I think it's not the full story to say, well, if you offer someone or make available a non-plan service, you know, the focus there should be on whether you can solicit from them, you know, this service. I think at least some part of the picture is, what are we making available? What are we telling participants that they don't know? What information are we providing them? It seems to me that just to say, you know, what we're talking about is soliciting the participants about non-plan services just isn't the complete picture, especially when you're looking at it from the plan sponsor point of view, which is, I try to help these people become more financially viable. Yeah,


Rick Unser:

And let me ask you one more question here and kind of wrap up the, maybe the data part of this, which is, okay, to the extent an employer's been listening to this and gone, man, you know, I feel really good about all this great stuff we're doing for employees, now you've got me nervous, you know, now you've got me really second-guessing myself or thinking, making me think twice about the way that we have things structured with our service partners. Without ceasing and desisting, because I don't think that's really a viable option, what would you suggest is maybe next steps, or a way that an employer can start to get their arms around how their participant data is being used, or what the rules of engagement are in terms of how they can be interacting with employees?


Jenny Eller:

Right, right. Well, I think that is making people nervous, that's for sure. And I think it's making people nervous from two aspects. One is, boy, this complicates what I'd really like to do, and the other, which is related but is one of the ways it complicates what I'd really like to do, is I as a plan sponsor have to think about the liability that I might be subject to as a result of, again, what my plan sponsor clients think is, I'm trying to do the right thing for my participants. So I mean, I'm a broken record in the sense that, as a fiduciary lawyer, what I tell people is information and process is super, super important. So I do think it is important to ask questions. I do think it is important to understand what are the tools available, what would be useful to plan participants?


Jenny Eller:

What are the ways that those tools are communicated, and how does it work? What are the costs, what are the benefits? Is there any kind of indirect compensation taking place? How does everything work? And there are some times when I think, you know, with some of my plan sponsor clients, we've looked at, all right, look, we think that there are some core services that we as the plan's fiduciary are responsible for understanding and evaluating. And there are some other things that we don't think have a place in our contract with our plan provider. We don't want to give oversight to them, we don't want to be responsible for them. And we don't think that any compensation the provider receives should be taken into account in the provider's overall compensation related to its services to the plan. There has to be a line somewhere. And I heard Jerry Schlichter on your program essentially, I think, say, you know, what the right thing to do from him.


Jenny Eller:

His perspective was to, you know, have participants go out and get that information somewhere else and have the plan kind of stay out of it. And, well, I think, you know, he's given his prescription there. You know, I think that's a frustrating answer to many of my plan sponsor clients, who don't think that there are as good avenues for participants to get that information as they might be able to provide. So I think that's, you know, for many folks I think that's frustrating and not particularly buyable. So I would say if you're going to go into this, you need to ask for a lot of information. You need to take it pretty slow. Try to figure out how you can document a process which is thorough and defensible within the box that you want to put it in. And then how do you distance the plan fiduciaries' responsibility from the other elements that you really don't think are your responsibility.


Rick Unser:

That makes sense. And let me just, one thing you brought up there that I think is interesting and also relevant in this whole conversation is, to the extent a record-keeper is earning additional revenue from providing some of these services. And let's say some of these services are, let's call it, within that circle that you've drawn, that the plan would feel they have some, you know, again, I don't want to put words in your mouth here, but the plan would feel, or the fiduciaries would feel, they have some responsibility to oversee, monitor or understand, whatever the right word is. How do you account for that additional revenue? I mean, is that something that a plan or a plan fiduciary would need to be thinking about, to say, okay, you know, we need a report from our record-keeper on, I'm just going to pick on rollovers for a second, you know, how many people rolled over to your proprietary IRA? What revenue did you receive from that? How many assets? I mean, is that where we're headed, or am I way overthinking that and making a bigger issue out of it than needs to be?


Jenny Eller:

That's a great question. And I don't know if it's where we're headed. I hope not. And I certainly think that it is not the only way to draw that line. So if you say, all right, there's some access, data, whatever it's called, may or may not be a plan asset, but there is some value to it, and I think we could all agree to that. There's value to it in a few different ways, right? You could establish value by saying, well, which I think is what you described, what is the benefit to the provider of that access, the ability to use the data, et cetera? What do they make? That's one way to establish value. You could say, all right, if I have something of value, and let's just say for the sake of discussion it's a plan asset, well, I should be able to go sell it, right?


Jenny Eller:

What would somebody else pay me for it? That's a very different calculation of value. And the other value that I think, you know, if you are a plan sponsor and you believe that this financial wellness, whatever you want to call it, that there are aspects of this that are truly beneficial to your participants, and I think that's a value that has to be taken into account, right? You could imagine a scenario where you say, okay, the plan is getting some value, or plan participants at the very least are getting some value, by this set of additional things that are, you know, made available. There are tools, there are all sorts of things that go along with this, ways for them to understand their financial lives in a much better way. If that is something of value, then it also has to be taken into account, and so you could imagine a situation where the sponsor says, okay, we get something of value through this negotiation on behalf of our participants, and in exchange for that thing of value, you, plan service provider, get something of value in the access to plan participants.


Jenny Eller:

We don't think that the follow-on from that, in your example the revenue off of IRA rollovers, we don't think that's actually the relevant thing for us to take into account. Here's why, and you try to have a pretty well documented conversation about value. I would submit again, under ERISA's fiduciary standards, that if you have a process, if you are thorough about it, and if you document where you end up, that ought to help you, ought to take you a long way in a prudence, you know, proves litigation. So I think that we have to be careful to say that we don't automatically say there's one measure of value in all this conversation. If it were easy to value people's data, then everybody would get a check from Facebook every month.

 

Rick Unser:

Maybe I'm making a naive statement here as well, but one thing I've consistently heard from attorneys is if as a plan fiduciary, you can document and create a narrative that all of these decisions that you've made you believe to be in the best interests of your plan participants, that goes a long way as well.


Jenny Eller:

It does, absolutely does. And I worry that in this, you know that the, the easiest approach in many ways is the one that says, we're not going. We as plan fiduciaries are not going to go down this path of trying to help our participants in their broader financial lives, and we have a, you know, a growing retirement readiness and retirement security crisis in this country. So it can't be the answer that we're going to keep doing what we've been doing.

Rick Unser:

Yup. Well said. Let me pivot us to the, the cyber part of this conversation because I think data, cybersecurity, cyber risk, cyber threats, I think those kind of go hand in hand in a certain way. And I guess, let me start you out with, I think there's big bad stuff that's out there that I think people hear about and make headlines. And then I think there's kind of the real nitty gritty of what's actually happening at the ground level where there actually is risk and there are some documented cases of cyber risks or, or cyber instances where participant data or participant assets have been exploited because of some of those risks. I don't know if I framed that perfectly well, but take that however you want to. You want to kind of kick us off here on the cyber side?

Jenny Eller:

Yeah, sure. I mean I think at the, at the end of the day when we talk about cyber as it relates to, you know, employee benefit plans, we're really talking about a couple of different things. We're talking about essentially hacks, you know, the U.S. government just indicted a number of people in connection with the Equifax hack. So there is a large data repository that has been the subject of a cyber related attack where, you know, millions of bits of data were compromised and are now available for sale on the dark web presumably. And I think plan sponsors spend a lot of time, or have and understandably have spent a lot of time worrying about that, worrying that, you know, the plan is somehow going to get hacked, the plan provider's going to get hacked, the plan trustee's going to get hacked and there's going to be a disappearance of, of assets or data in that way.

Jenny Eller:

And I will tell you that I am not aware and I think the FBI has confirmed that they're not aware of any case involving a large financial institution providing retirement services where the financial institution, you know, has, has been hacked in the sense that that data or that money or those participants information has been, you know, taken by a, a cyber criminal. So I think that's a lot of what people worry about. And it's something that is absolutely important to worry about because it seems like it's a matter of, of when, not if, right. I mean if Equifax, if all of these folks can get hacked, it's certainly possible and perhaps probable that that will happen. And so as a plan fiduciary, I think you have to be conscious of making sure that as you work with various vendors, you're, you're, you know, appropriately vetting their capacity.


Jenny Eller:

But I think that's sort of enough said about that part of the cyber risk. The next part I think is, is the more day to day more mundane and honestly for individual participants, the much more likely, and that is an attempt to steal money from a participant's account. And that's by some means of fraud. Often it is related or contributed in some way to a sort of a cyber fraud. So, so we talked about Equifax to the extent that someone's social security number and name and date of birth was compromised in some way, whether through that hack or some other hacker, their individual data was stolen in some way. That person then to the extent that they participate in the retirement system, they then, you know, could lose money in their account because somebody now has their data and that's the thing that is, is I think less talked about and more concerning. Yeah.


Rick Unser:

And, and I kind of draw that parallel too. I feel like there's a lot of plan sponsors that worry about being the next subject of a class action lawsuit and don't maybe pay as much attention to some other little things that they might get tripped up by the Department of Labor or the IRS or in their annual audit. That is probably a little more likely to happen to them.

Jenny Eller:

Yeah, right. The risk of class action versus your, your risk disability bond, one's a little bit more exciting and terrifying and one's more likely for certain. Yeah. And you know, there's just some really interesting stuff around this, you know, fraud that sort of takes place and targets participants that folks, you know, I think most plan sponsors know this, but a larger percentage than you would expect of individual participants have never logged in and established an online account in their 401k plan. They have one, they, if they have a plan, they participated in the plan and many people think, well, if I never log on, then I'm, nobody can steal my money. The financial institution won't have any information about me. I don't have to tell them anything and I'm good to go. And in some plans it's as high as 65% of people have never logged on and those are the people that are absolutely the most vulnerable because if you haven't logged on, somebody else can log on in your place.

Rick Unser:

And I think that is a surprising number because again, when I think about people that are sitting in the proverbial boardroom or conference room making decisions about 401k plans and reviewing these reports, you know, these are people that are usually pretty digitally engaged, whether it's just as part of their work requirements or just general behaviors. I think the idea that, you know, what do you mean you don't have a 401k profile set up or what do you mean you've never gone on and logged on and checked your account balance in the last five years? I think there, there's always a little, I think surprise when you look at numbers like that just because of the general profile of people that are again, making those decisions about retirement plans.


Jenny Eller:

Yeah, it's a great point. And when you sit back and think about it for most people, your defined contribution plan, and most people have more than one and it's hard enough to deal with one, right. You know, most people don't practice any better cyber risk hygiene with respect to their retirement plans than they do with respect to anything else, and probably less. I mean you hear, we hear about all the time, my identity got stolen. People contact their bank, they call their credit cards, almost nobody calls their retirement plan provider when the largest balance they're ever going to have is sitting right in there. For plan sponsors, I think you're exactly right. Sort of understanding that that's the case when we think about, you know, participant education campaigns, things like are you logging in? There are some, for years plan sponsors would sort of say, look, I want to make it as easy as possible.

Jenny Eller:

I know maybe people aren't logging in. I don't want this two factor authentication thing. It's too hard. Right? This is going to be a deterrent, and that's not an unreasonable thing to think. Now I think very much the tide has turned and people will say, well look, safety is more important and, and are sometimes nervous about encouraging plan participants to log in. Well what if I encourage them to log in and something happens to their account? You know, that's, that's not an unreasonable thing to think. I think the research and the data shows us that you're safer if you do log in. E-disclosure, missing participants, all this stuff is related. If you are, you know, if it's not easy to interact with your account or if you're not encouraged to, you know, to use good practices, you know, there's a greater level of risk and I think it's those kinds of things that, you know, that plan sponsors and plan fiduciaries ought to be thinking about.

Jenny Eller:

I get asked all the time about cyber risk policies and, you know, they can be useful. I think it's more a set of practices. I'm not a big fan of policies that people write up and then sort of stick in a book and, and don't look at it again, you know? But I do think, you know, we have identified practices that plan fiduciaries might want to think about, and understanding, you know, how engaged their participants are, thinking about how to better engage participants. And this gets back to, you know, people worry about liability that they might, plan sponsors worry about liability they might incur, well, gee, what if I encourage my participants to log into their accounts because that keeps them safer from this kind of fraud. But then I'm more likely to have a lawsuit that says, you know, I let somebody else market things to them. You know, it's pretty, pretty complicated, but a lot of things that plan sponsors can do and like everything, you have to certainly weigh the risks and the benefits.

Rick Unser:

And coming back to a statement you made a minute ago, I don't think, and I would agree with you that there has not been a major hack or major institutional loss of data or anything that has affected the retirement industry. I guess are there specific examples of where individuals though have been exploited, damaged, lost money due to various cyber or other kind of nefarious activities?


Jenny Eller:

It happens pretty frequently. The easiest example to use is there, there's a case out there right now where a participant in a plan essentially after the fact learned that her entire account balance, in three separate tranches I think, had been drained by someone who had gained access to her account through fraud. And I'm not quite sure what happened around that, or it's about a hundred thousand dollars. The facts are always complicated. There's another case where I think that plan sponsor was impacted somehow. I mean we hear about them frequently and it's, you know, often the provider, the record keeper, who most of them have really sophisticated ways to try to address and are constantly, you know, working on how to address this sort of fraud. They talk about voice recognition and, you know, you can now go on a lot of record keepers and sort of get your voice on file so they can tell if it's you or somebody else.

Jenny Eller:

Sometimes they can tell if somebody is logging in from a different, you know, IP address. That's important. Many of these outfits that, that make a business of trying to get money out of participant accounts are international. Many of them aren't sophisticated organized crime entities from West Africa and Eastern Europe. And you know, it's, it's a real business. And so there are absolutely cases and we'll see kind of what happens. And the interesting thing about, about ERISA is the law really does not contemplate a situation where money can disappear from a participant's account and no one be liable. And you can imagine a situation where everybody meets their standard of care. The participant essentially has no standard of care, right? They just sort of are along for the ride. They don't really have any legal obligations. The service provider has a contractual, usually, standard of care and they can often meet it, and then the plan sponsor has a legal obligation to select the service provider with care, they can meet that obligation.

Jenny Eller:

So you can be in a situation where every single person met their standard of care, even the highest duty known under U.S. law under ERISA, and money disappears from the account. There's not a good solution in the law for that liability. I think the way that it may play out is that what the participant has, if anything, is a claim against the plan for benefits. So that essentially means that everybody else, that that's then going to become a liability of the plan, which means everybody else in the plan would be responsible to make that up.

Rick Unser:

And I'm sure somebody thought of this, I'll just ask the question. I mean every plan has to carry a fidelity bond and an ERISA bond, whatever. I'm not an expert in, you know, how those bonds are structured or the language in there, but I don't know, I mean, I've been led to believe over the years that that bond is in place to protect against theft or fraud. Would a fidelity bond or an ERISA bond, is this something that a claim could be brought against a, you know, a bond like that? Or is that, does it not contemplate this type of stuff?

Jenny Eller:

I mean, they're just, they're out of date for the purpose. So bond, fidelity bonds cover people who quote handle plan assets, and what it means to handle plan assets, you know, it looked a lot different 40 years ago than it looks today. So, you know, typically I think you could, I could imagine solutions in the future, which would update the bonding rules, which would, which would make them much more expensive. Which would, you know, there's already cyber insurance. We're seeing some types of plans have standalone policies versus, you know, an ANet kind of inclusion in the corporate plan. You could imagine, you know, what it really calls for is insurance, right? And this is a risk that you would pool. So you could imagine some sort of insurance mechanism to deal with this because it's, it's hard to believe, it's hard to imagine that the threat is going to go away. We have seen since 2013, you know, an exponential increase in the types of attacks and, and the, the number and the way that folks are being targeted. So this is not something that's going to go away and the solutions will, will need to be found, but I don't think they exist in the current structure.

Rick Unser:

And just to pull on a string there for a second that you just mentioned, fiduciary liability insurance. Yeah. This probably doesn't fall in that world. Maybe share any thoughts you have there. Correct me if you think I'm wrong, but there there is this animal called cyber liability and I think some have said that this could be covered, I guess. Have you seen any experiences with cyber? And I think what I heard you say was, in some cases you've seen the plan actually get cyber insurance versus relying on the broader, if it exists, cyber insurance policy of the company. So again, unpack that how you may and correct any misstatements I might've made.


Jenny Eller:

Yes, we are seeing some plans, and some types of plans in particular, have their own cyber policies. Taft-Hartley plans for instance, which, you know, don't have a single plan sponsor that, that they're likely to be covered under, under their insurance. So those policies exist, those policies are, I mean there are a variety of them, but you know, they're really focused on there being some sort of breach, and there are documented cases of, you know, plan offices having ransomware attacks and that sort of thing. So, you know, that involves the coverage for experts to come in and sort of, you know, fix that kind of thing. I hear more about that than, you know, claims involving individuals who have suffered a loss. Although, you know, you could certainly write a policy that covers that. When, when a plan sponsor, you know, there's a corporate policy, often retention might be higher than, you know, an individual participant loss. So that deductible, right, is, is higher than you'd likely, you know, be looking at if you just covered it. So I haven't seen a lot of insurance solutions come to play, but again, you know, they may well evolve in that direction.

Rick Unser:

One more question I guess on that end, I'm an employer, I get a call or somebody stops in my office and I'm an HR or whatever and Hey, I have $75,000 missing from my retirement account after maybe doing a little investigation. Yep. Okay. You're right. I mean, do you write them a check and all is good or is there maybe a more thoughtful way that you would need to go about kind of figuring out what to do there?


Jenny Eller:

Right. So when that happens, I certainly advise people first thing, take a deep breath, because nobody comes calmly into your office and says, Hey, just letting you know, I'm going to go back to work now. But, but you know, you got this, people are freaked out, right? So it's a very stressful thing. And, and it really depends. We have seen sponsors cover it. We have seen sponsors say, Hey, can this be paid out of plan assets? We have seen sponsors go to the service provider and say, Hey, what happened? I mean, there's a lot of digging. One of the things folks might've heard about is cyber guarantees where your, your plan provider says, look, here's a list of things that we think plan participants and plan sponsors ought to be doing to protect their accounts. And if people do all these things and there is still a, a loss to someone's account, then we, the provider, will make that participant whole.

Jenny Eller:

And you know, I think that those things are, can be really helpful in terms of allocating responsibility in advance of a problem. I think what, what they really show is how little responsibility we expect plan participants to take for, again, what is very likely to be the largest amount of money they will ever have in one place. And so one of the things that I think needs to happen is that plan sponsors, providers, the government need to try to communicate to plan participants that they have some level of responsibility. You know, in some ways we've created a, a defined contribution system, which, which, where we encourage people to sort of set it and forget it. And that doesn't, you know, that's the opposite of what you do when you're engaged. And, you know, I certainly think from a policy standpoint, what we want are participants who are engaged with their retirement plan so that they're thinking about, you know, am I going to be ready to retire?

Jenny Eller:

Is this the right way for my assets to be invested? Do I need help to know that? All of those things, am I, am I paying attention to what's happening? And we of course worry that participants will make bad choices with their investments on the basis of small market or large market corrections or changes. And that is an issue. But where participants are really not responsible for engaging with their, with their account, you know, it's, that's a tough place because they are really on the front lines of keeping their, their accounts safe. So I just think that is a thing that is going to have to change. And it's gonna change I suppose when, you know, unfortunately when there are enough people who say, yeah, I lost my retirement plan. Or, you know, I had this horrible thing happen to me, and we really hope that that doesn't happen. But I will tell you, people every day are the victim of this kind of fraud.

Rick Unser:

Yeah. And that's, I mean, I can't even imagine that. And that is an unfortunate statement to have to make in this day and age. You mentioned some of the record-keeper guarantees or policies, let's just say around making good for losses like that. I mean, if an employer really wants to kind of wrap themselves in that blanket of protection, are there things that they should be looking for in those statements or policies? Are there questions they should be asking to make sure that they are what they seem to be on the surface. And I'm not suggesting they're not, but I, you know, I think over the years as this business has become more competitive and I think as all service providers are looking for ways to stand out in a, a sales presentation this is certainly one that I've heard. But I'd be curious from a legal standpoint if there's any more or less strength based on any of the particulars that might be within a statement or policy like that.


Jenny Eller:

Yeah, good question. I do think that, you know, some providers have them but don't kind of roll them out. Don't include them, perhaps don't update people when, you know, they're sort of somewhere hidden or on the website, not even hidden, you know. So I think it's important to ask, like, what are the rules? In what instances will you cover losses that participants suffer as a result of some sort of fraud? And to understand what they are. I mean, some of them require a pretty substantial level of effort, or at least a more substantial level of effort than we, we fear most participants, you know, put towards it, and, and you can kind of understand that, right? Like again, these are individuals who are on the front lines of protecting their accounts. You sort of wouldn't say, Hey, Mr. Bank, I'm never going to log in.

Jenny Eller:

I'm never going to call you if somebody steals my identity and, you know, good luck keeping my accounts safe and we wouldn't really stand for that. And, and so, you know, I think that it is important for plan sponsors to understand what, what goes into the, the guarantee. Is there one, what does it look like? When is it updated? You know, what if you can find out, you know, what has been the experience? Has this been used? Have people successfully, you know, gotten money back as a result of it. And then what can we do to ensure that participants understand what they're supposed to do? What can we do to help participants? Is there, you know, can we move from a default, which is your, I dunno, your social security number and your birth date to something that's a little bit more difficult for somebody to, you know, to hack into our, their structure.


Jenny Eller:

Are there things the plan sponsor can do? And some of those are pretty tough to, so I think this is an area where there is more work that a plan sponsor can put in than many do. Plan sponsors work very, very hard when it comes to plans. People spend a lot of time and there's often not a lot of bandwidth. But I think it's one of those things, it doesn't get a lot of attention until there's a, there's an event. And so I do think it's, it's very useful to try to kind of, you know, make some inquiries, dust it off, take, take a review of it, figure out is it, is this something that could, could reasonably be, you know, be undertaken by participants? Are these things that we as a plan sponsor have the ability to do? Are we doing them? And I think if you're in a position to be evaluating different record-keepers, it's appropriate to ask them questions about their capabilities on all fronts, but including in terms of, of the cyber guarantee or in terms of their experience, in terms of their ability and interest in educating participants. I could certainly see capabilities in this area being a differentiator. And as you have, as there's more sort of market consolidation in the record keeper world, you know, this is going to be an important thing and already is.

Rick Unser:

No, I would agree and I think, like you said, I, one thing that I would imagine would probably be pretty important as you think through this is, is someone who has never logged on and never done anything with their account or has not gone through the multifactor authentication or whatever. Do they have the same protection as somebody who maybe has gone through all that? And I, that was kind of the first thing that came to mind as you were, as you were describing some things employers should be thinking about. Well, you've shared a ton of great information today. I know we could keep going for hours on this, but in the big picture, is there anything that we've missed on kind of the data conversation or on cyber issues that you think would be really important or relevant for employers to think about or be aware of before we wrap up?


Jenny Eller:

I think that what I would say is if you're a plan fiduciary, if you're a sponsor and you're looking ahead to what, what you're trying to accomplish in 2020, and I encourage my plan sponsor clients to have a, you know, have a calendar, have an agenda, have a set of goals, what is it we're trying to accomplish with the plans this year as fiduciaries. I would look on that. And if, if there's not, if it's not pretty heavy on data, tech, cybersecurity, fraud, I would rethink it a little bit. And I would think about priorities. I think it's, it's very, these grooves of sort of what we do every year, and evaluating the target date fund providers is important. And, you know, looking at plan fees is important, and, you know, company stock is a perennial issue. There are, we get into habits.

Jenny Eller:

And, and I think it is absolutely time to, you know, bring in some new habits. And, and sometimes that means new expertise. Sometimes, you know, we talk to folks and they say, look, we just don't have anybody on our committee or on our team that is really comfortable with this stuff. Well, we could think about adding someone, right? Should we think about adding someone to our fiduciary committee that has, you know, a, a, a tech background, that knows about this stuff, that is focused on it for the company. I, I think it's really important to be, to be moving in that direction, and I think that covers both cyber and data. I think these data issues, we're gonna see more cases. I think it's pretty unfortunate. I don't actually think this is making fiduciaries better. I think this is making fiduciaries, you know, more nervous. But there are certainly, it's not gonna go away. And so I think that questions about access and data are critical to be asking and, and I would encourage folks to turn towards them and, and kind of open our arms and tackle them.

Rick Unser:

And that's a really good point. And I think one of the things that we get asked by a lot of plan sponsors is who should sit on our committee? You know, how should we think about, if we have a committee, how do we think about it? Is it still made up of the right people? If we're maybe forming a committee or putting something together for the first time, how do we think about who we should invite or engage? And that's a really good point. I mean, based on all of the things we've just talked about, there is a lot of incredible expertise that exists within companies because this is not unique. I mean, Hey, people send wires all the time. People have to deal with big data and privacy issues in many different areas of a business. So I think that's a, that's a really good takeaway for plan sponsors as well. Just something to think about. Well, Jenny, thank you so much for sharing everything you did. I really appreciate your time and the expertise you brought to the conversation, and certainly as we tackle this again, sometime in the future, we'd love to have you back.

Jenny Eller:

Great. Well, thanks so much. This has been fabulous. And I would love to talk anytime.

Recap, Highlights, and Thoughts

Originally, this was going to be a cyber liability episode, but based on a recent conversation with plaintiff's attorney Jerry Schlichter and some subsequent litigation, I thought it might be good to expand our horizons to include participant data. My guest today, Jenny Eller, Principal and co-head of the Fiduciary Practice at Groom Law Group, brings her experience and perspective to the conversation. We first dive into the data side of the conversation with some general thoughts on the business practices around data, whether it is a plan asset, and why it could be a hot topic for the foreseeable future. Then we make a soft pivot to cyber risks, share thoughts on where employers might be worrying too much and where maybe they are not worrying enough. Jenny also makes some interesting points on how ERISA doesn't even contemplate some of the losses we are experiencing in plans today and what plan sponsors can do to protect their plan, participants and themselves. Good stuff!

Before we get started, I am so excited to share that with some help, I finally got the website in much better working order. Check it out when you have a chance. To see prior episodes click on “Podcast Episodes” on the top and if for any reason you are not subscribed you can take care of that while you are there as well.  

Thanks for listening!

Sincerely Your Host, 

Rick Unser

info@401kfridays.com   |   725 S. Figueroa St. 35th Floor, Los Angeles, CA 90017