Retirement Planning Gives Bigger Role to Theft Prevention as Risks Lurk Online

(snip)

Record-keepers typically have policies that promise reimbursement as a result of unauthorized activity in 401(k) accounts. But such coverage might be contingent on account owners having taken certain steps. Vanguard Group Inc., for example, says “if there’s evidence you neglected to reasonably safeguard your account, further investigation may be necessary to determine whether we can issue a reimbursement.”

Recent court cases highlight the risks for account owners. In one such case, filed last April, Heide Bartnett alleges that Abbott Laboratories, where she worked in sales from 2002 to 2012, and its 401(k) plan record-keeper, Alight Solutions LLC, violated Erisa by allowing money to be stolen from her account. Ms. Bartnett, 60 years old, said she was shocked to receive letters from Abbott on Jan. 14, 2019, notifying her that her 401(k) account password had been changed and a $245,000 distribution made to a bank account that wasn’t hers. With 68% of her $362,000 balance gone, “I thought, ‘This cannot be happening,’ ” said the Darien, Ill., resident. She has since recovered about $108,000.

According to the lawsuit, the perpetrator changed Ms. Bartnett’s 401(k) account password by using the “forgot password” option and a one-time code sent to her email address—an email Ms. Bartnett said she has no record of receiving. The thief also successfully impersonated her in calls to the plan’s call center.

(snip)

On Feb. 8, U.S. District Judge Thomas Durkin in the Northern District of Illinois dismissed Ms. Bartnett’s case against Abbott, but not against Alight. In a statement, Alight declined to comment on the litigation and said: “We continually evaluate our security measures to ensure they meet and exceed industry best practices.”

Here are steps 401(k) record-keepers and others recommend taking to safeguard your retirement accounts:

Have an online account. Mr. Taylor recommends setting up online access to your account even if you prefer paper statements, because “unclaimed online accounts are easier for impersonators to take control of.”
Check in regularly. Check your 401(k) account, including your email and street addresses, at least monthly. Sign up for text alerts that notify you of changes or transactions and use multifactor authentication, which verifies your identity by sending codes to multiple devices.
Practice good internet hygiene. Avoid public Wi-Fi and never click on emails or texts seeking personal information, including passwords. Promptly install software updates.
Create good passwords.Choose a unique password you keep confidential. Providing passwords to third-party services that aggregate passwords or financial-account data could be grounds for denying reimbursement if “our investigation determines that a fraud event is traceable” to that service, Alight said.

https://www.wsj.com/articles/retirement-planning-gives-bigger-role-to-theft-prevention-as-risks-lurk-online-11613125801 (subscription)