401(k) Document Breach
Steven Cesare, Ph.D.
A business owner from Virginia called me the other day to discuss an emergency affecting her company’s 401(k) program. During our discussion, the owner informed me that one of her administrative employees decided to take all of the company’s 401(k) employee documents home for the weekend to get everything reviewed, caught up, and organized. Accordingly, the employee placed all of the 401(k) documents into a satchel and left work for the week. Upon arriving at home, the employee placed the satchel on her kitchen table and decided to go out for a quick meal.
When the employee returned home two hours later, she noticed that her home had been burglarized, with many personal belongings stolen, including the satchel containing all of the company employees’ 401(k) documentation. The distraught employee called the owner immediately, who in turn got a hold of me on the telephone shortly thereafter.
Acknowledging the employee’s stolen domestic possessions, the business owner and I were singularly transfixed on the loss of dozens of employees’ personal information: full names, home addresses, bank accounts, 401(k) contributions, e-mail addresses, dependents’ names, etc. All of those news releases of breached corporate databases (e.g., Equifax, Wells Fargo, Adobe, LinkedIn, Yahoo) regarding identity theft came immediately to the fore.
I suggested a three-step plan to the business owner: external, internal, and longitudinal.
The external phase of the plan focused on all affected business partners. First, we made sure there was going to be an official police report documenting the investigation, an inventory of all lost items, and other pertinent administrative details. From that foundation, we contacted the company’s EPLI provider to discuss potential liability, legal exposure, and next steps. Next, the business owner called the Third Party Administrator and 401(k) provider to inform them of the incident, express concern, and seek appropriate guidance.
The internal phase of the plan centered on those employees whose 401(k) information was stolen. A series of meetings was convened, during which the company conveyed factual information that had been gathered, expressed sincere regret for the event, and pledged a one-year subscription to LifeLock to each affected employee as a prescriptive protective mechanism against potential identity theft implications (e.g., credit cards, mortgage, banking).
The longitudinal phase consisted of ad-hoc conversations with any affected employees who reported their personal information had been compromised in a demonstrable fashion, as well as a series of follow-up conversations with the aforementioned business partners to ensure improved security procedures and data integrity systems were in place.