By this point, most people in the employee benefits space have heard about the MOVEit and Retirement Clearing House (RCH) cyber incidents, which could directly impact employers’ benefit plans. The MOVEit file transfer application is used by a number of vendors, including those that locate missing plan participants or find information regarding deceased plan participants (e.g., PBI Research Services). RCH is often used by retirement plans to facilitate benefit transfers, including for IRA rollovers. Other plan vendors/subcontractors may also use the MOVEit software application or subcontract with RCH for their plan services. Actual and potential victims have included state and federal government agencies as well as companies across a variety of industries (and their benefit plans) who were using MOVEit or RCH, or who engaged with service providers who used these tools.
Initial public reports of the MOVEit and RCH cybersecurity incidents began in May and information about extent the incidents is still being uncovered. RCH has announced that Social Security Numbers, as well as account numbers at Matrix Trust, may have been compromised but the IRA accounts themselves were not actually accessed.
In order to satisfy ERISA fiduciary obligations to safeguard plan participants’ personal information, plan fiduciaries should attempt to understand what happened, whether or not the incident impacted plan participants, and what information was compromised. Since neither incident was a direct result of action taken by any plan, plan fiduciaries and administrators are currently in a “trust but verify” situation with their service providers, contractors and subcontractors. However, as of the date of this post, we have already seen a class action filed against PBI as a result of the MOVEit incident.
If a retirement plan has a business relationship with any service provider that uses, used or may have used the MOVEit software application or RCH services, the plan should determine what fields or categories of personal information were shared with the service provider(s), and by extension MOVEit or RCH, to determine the impact on the plan and its participants. Any service agreements with the applicable vendors should also be reviewed with respect to data breach notification, information reporting, and follow up obligations of the service provider(s). This includes any indemnification provisions for data incidents. Also, if the plan carries cyber-liability insurance (increasingly common), there may be a requirement to notify the cyber-liability carrier. If the plan is adversely impacted and does not receive satisfactory responses from its service provider, more direct action may be needed.
The plan’s responsibilities and potential avenues for relief depend on a number of factors.
Seyfarth will continue to monitor the incident, and provide further information as we learn more.