
Should a summary plan description explain cybersecurity?



I’m wondering whether a 401(k) or other individual-account retirement plan’s summary plan description ought to include a part that explains risks about an individual’s data security, and ways for the individual to help manage those risks?

Is it a good idea?  Is it a bad idea?

What are your reasons for including or omitting such an explanation?

Peter Gulia PC

Fiduciary Guidance Counsel

Philadelphia, Pennsylvania

215-732-1552

Peter@FiduciaryGuidanceCounsel.com


The lawyer in me comes out with questions like this.  First, it is NOT required - and that probably is the biggest reason I have for NOT including that language in a "plan document."  Its inclusion would then set an expectation, if not an obligation on the part of the plan sponsor and service providers dealing with that data, which may, or may not, be consistent with what they are actually doing - at any given point in time.  This is a huge issue among recordkeepers (one of which I work for) and it is extremely fluid.  I can tell you that recordkeepers routinely share their knowledge of "threats" but do NOT share their approaches to safeguarding data (and to do so would itself be a data security breach).  We keep our data security protocols very very close to the vest, and are constantly reviewing them and changing them - lest the bad guys get wise and figure out how to subvert the protections.

Second, while educating participants on general identity theft issues, might not the inclusion of a discussion about the risks in an SPD prompt a pull back from participation?  That could actually be a bigger (retirement readiness) risk than the risk of an individual's account being hacked or data breached.

In any event, most reputable service providers would make a participant whole for the loss of an account balance due to nefarious activity (provided the participant wasn't negligent themselves - like posting their identifying info online).

We DO educate our plan sponsors on the risks, provide them with various assurances, AND provide a "promise" to plan participants that if they aren't negligent (there is a laundry list of things they must do or must not do to "comply"), that we will make them whole.

So far, we've not seen much in the way of service providers being "hacked" but we have seen data from other hacks (Target, etc.) used to attempt to claim to be a participant and request a distribution ACH'd to a newly established account (from which it immediately moves off-shore).  Protocols exist to identify and intercede there as well.


In my world, the SPD is created by the document software.  I guess we could add to it, but then I'd have to hire an attorney to give me that language.

Plus, there are many investment arrangements different plans can be a part of.  Some are merely accounts at a big provider (think John Hancock or Voya).  Some are in individual brokerage accounts (like Merrill Lynch or LPL).  Some are a combination. 

Some plans are in a pooled account where the participants don't have access to their "accounts."

I have some plans that have Profit Sharing in a pooled arrangement, but the 401(k) is employee directed.

So I would have to come up with several blurbs and appropriately add them to the SPDs.  Then if the funding arrangement changes, remember to change the SPD.

Too many moving parts, I think.

Cybersecurity is an important topic that might best be served by a joint effort between the custodian and plan administrator.

QKA, QPA, CPC, ERPA

Two wrongs don't make a right, but three rights make a left.


Hmmm. - just off the top of my head, without really considering more in-depth ramifications:

At this point, I'd say bad idea. Data security and risk are not currently part of the plan's formal provisions. Introducing this into the SPD, particularly where the regulatory authorities have not (yet) published official guidance or Fiduciary "safe harbors" if certain protections are put in place seems, from my non-lawyer perspective, to put the Fiduciary at greater risk. But it may be just the opposite, I don't know!

Giving information, such as the DOL's new informational piece, OUTSIDE of the formal SPD seems like a good idea to me.


For what it's worth, when I log on to my personal 401(k) account online, one of the first items on the homepage is a notice about protecting online accounts. It links to a very thorough write-up about passwords, two-factor authentication, where to report if your account has been compromised, etc.

As noted above, this may not be feasible for all plan types, but to me it seems more logical there than in an SPD.

I also think it's more likely to be noticed and read on the plan website (which I have accessed many more times than my plan's SPD). 


Thank you, all, for your helpful observations.

MoJo, I’m not thinking an SPD would communicate anything about what the plan’s administrator, trustee, or any service provider does.  Rather, I’m wondering whether an SPD should include participant-level pointers—perhaps simple ones such as taking control of the individual’s electronic account, even if one expects never to use it; not sharing a password; and checking postal mail and email (if any) for a message that suggests an identity was hacked.

And if a plan has obtained a service provider’s promise to make whole an account, might an SPD communicate what a participant, beneficiary, or alternate payee must do, or not do, to meet the conditions for that promise?

BG5150 and Bird, would your view be different if you were not dependent on someone else’s document-assembly software and the plan had budgeted two hours a year for custom-editing the SPD?

Belgarath, what if a plan’s administration has no communication beyond the SPD?

EBECatty, you’re right that an in-context communication is great, for those who see it.  But what communication would be effective with a participant who has never used the plan’s electronic services and intends never to use it?  Such a participant is vulnerable to identity-theft risks, in some ways more so.

And everyone, understand that I’m not advocating any view or outlook.  Rather, I’m openly seeking your excellent thinking.

Peter Gulia PC


Hi Peter - the term "excellent thinking" has never been applied to me, even by people who want to borrow money.

I'd say that at this point, a Plan Administrator isn't necessarily under any obligation to provide such information, but I'd reiterate that I believe it is a good idea. And I have no doubt that it'll be required at some point. I'm just afraid that the DOL, when they borrow Thor's Hammer to implement something, will use excessive force, as is their wont.


17 minutes ago, Peter Gulia said:

Rather, I’m wondering whether an SPD should include participant-level pointers—perhaps simple ones such as taking control of the individual’s electronic account, even if one expects never to use it; not sharing a password; and checking postal mail and email (if any) for a message that suggests an identity was hacked.

This stuff would/should be provided when the account is opened in their name or when they create the account themselves.

My thought is if someone is perusing the SPD to that granularity in order to see the cybersecurity warning/disclaimer, they will be similarly scrutinizing the account setup.



The SPD is provided very infrequently in most cases, and as such may not be the best vehicle for constantly-changing information relating to cybersecurity.

I think Belgarath has the right idea about providing the information outside the SPD.

1 hour ago, Peter Gulia said:

what if a plan’s administration has no communication beyond the SPD?

Surely they provide account statements and a SAR at least annually? The "cybersecurity notice" could be enclosed with those documents. A more frequent notice cadence would allow the plan sponsor to keep up with evolving best practices.

Free advice is worth what you paid for it. Do not rely on the information provided in this post for any purpose, including (but not limited to): tax planning, compliance with ERISA or the IRC, investing or other forms of fortune-telling, bird identification, relationship advice, or spiritual guidance.

Corey B. Zeller, MSEA, CPC, QPA, QKA
Preferred Pension Planning Corp.
corey@pppc.co


2 hours ago, Peter Gulia said:

BG5150 and Bird, would your view be different if you were not dependent on someone else’s document-assembly software and the plan had budgeted two hours a year for custom-editing the SPD?

I still think the investment houses would do a better job.

Again, I think it's an important issue, but I don't think it needs to be in the SPD.  Do you put investment diversification info in the SPD?



17 hours ago, BG5150 said:

I still think the investment houses would do a better job.

Again, I think it's an important issue, but I don't think it needs to be in the SPD.  Do you put investment diversification info in the SPD?

Thanks for answering; I agree.

And add that it's a hypothetical that I'd rather not entertain.

Ed Snyder


My query wasn’t about a hypothetical situation.

I have a client that, besides the plan’s website and whatever paper communication the recordkeeper sends when a participant or other individual is entered in the system, is considering whether to put an explanation in the summary plan description.  (I am one of several lawyers advising the plan’s sponsor/administrator/trustee.)

Infrequency is no impediment because this administrator continually revises its custom SPD, and every November redelivers the restated SPD to all participants.  Also, the administrator puts the SPD, 404a-5/404c-1 information, and SAR in the same delivery.

I recognize this client’s circumstances are not others’ norm.

I haven’t yet formed my advice.  BenefitsLink neighbors have given me plenty to think about.

Peter Gulia PC


21 hours ago, Peter Gulia said:

My query wasn’t about a hypothetical situation.

Hypothetical for me..."...would your view be different if you were not dependent on someone else’s document-assembly software..."

Sorry for not being clear.

Ed Snyder


11 minutes ago, Bird said:

Hypothetical for me..."...would your view be different if you were not dependent on someone else’s document-assembly software..."

Sorry for not being clear.

Nope.  If it isn't regulatorily required, we wouldn't do it (nor would I, if I were in private practice).  ANYTHING over and above what is actually required becomes a potential issue - and possibly one of litigation/liability.  Keep the "educational" stuff separate from the "regulatorily required" stuff.

And for the record, we use Relius - but have them customize our document and SPD - so we do "control" the content.


3 hours ago, MoJo said:

Nope.  If it isn't regulatorily required, we wouldn't do it (nor would I, if I were in private practice).  ANYTHING over and above what is actually required becomes a potential issue - and possibly one of litigation/liability.  Keep the "educational" stuff separate from the "regulatorily required" stuff.

And for the record, we use Relius - but have them customize our document and SPD - so we do "control" the content.

100% this.

Do not create an accidental benchmark or standard of care where one isn't required.  Especially when the regulatory agencies don't know/haven't decided what that standard is.

"I was trying to be helpful..." will doom you in court when someone relied on it and got hurt.


Bird, thank you.  I apologize for being unnecessarily sensitive.  Some BenefitsLink people think some of my queries are too fanciful, and I do sometimes anticipate issues.  I wanted the group to know this query is grounded on a real and current client request.

MoJo, thank you for your further explanation that your reasoning would not change if you were unconstrained and directly advising a plan’s administrator.

RatherBeGolfing, thank you for your further suggestions about ways to consider potential pitfalls.

Peter Gulia PC

