Liability for Work from Home and Personal Email Policies
Updated: Aug 13, 2020
A law firm is facing a claim that its lax security procedures contributed to the theft of $400,000 in 401(k) funds from a retirement account. The suit says criminals were able to gain access to the funds by obtaining a copy of an employee’s withdrawal receipt. The criminals then used the information to remove all the funds in the employee’s account.
The firm had sued the third-party administrator of the account, saying the administrator breached its fiduciary duty by allowing the criminals to access the funds. The administrator filed a counterclaim against the firm, saying that by allowing employees to work from home and use their personal emails for business, the firm created a cyber-security risk. The administrator says the risk constitutes a breach of the firm’s duty as a co-fiduciary under ERISA.
A federal judge has allowed the case to continue.
WHY THIS IS IMPORTANT…While this case arises in the specialized context of ERISA protected accounts, the basic allegations are that the law firm should be liable because it allowed employees to work from home using personal electronic mail addresses and systems. Those systems are not as secure as the law firm’s own systems. Companies need to be sure that systems used for business purposes are secure because of all the personally identifiable information they carry. Any breach exposing personally