Data Breach Results in Lawsuit Against Actuarial Firm

The plaintiff alleges an actuarial and administrative services firm did not take sufficient care to protect certain clients’ personally identifiable information.

A lawsuit filed recently in the U.S. District Court for the Northern District of Georgia underscores the emerging set of cybersecurity risks facing the U.S. financial services and retirement planning industry.

The lead plaintiff in the case says Horizon Actuarial Services LLC, a provider of actuarial and administrative services to retirement plans and other client types, failed to properly secure and safeguard sensitive personally identifiable information provided by and belonging to its customers. The types of data allegedly breached include names, dates of birth, health plan information and Social Security numbers.


According to the text of the lawsuit, and as detailed on Horizon Actuarial’s website, on or around November 12, 2021, the firm received an email from a group claiming to have stolen data from its computer servers on the two preceding days. Horizon, after conducting an internal investigation, paid the group in exchange for an “agreement that they would delete and not distribute or otherwise misuse stolen information.” As Horizon’s incident report spells out, the group provided a list of information they claimed to have stolen from Horizon’s servers, and on or about January 9, 2022, Horizon determined the information contained the sensitive information of individuals and prepared a preliminary list of individuals affected by the data breach.

“Defendant determined that the unauthorized actor accessed and exfiltrated the PII of more than 2,537,261 current and former Horizon customers, including that of plaintiff and class members,” the lawsuit states. “Despite learning of the Data Breach in November 2021, Horizon waited to begin informing class members until roughly January 13, 2022. Plaintiff did not receive his Notice of Data Incident from Horizon until April 14, 2022—more than five months after the data breach occurred.”

During this time, the lawsuit contends, the plaintiff and class members were unaware that their sensitive personal identifying information had been compromised. It states that, by “obtaining, collecting, using and deriving a benefit” from the proposed class of plaintiffs’ PII, Horizon “assumed legal and equitable duties to these individuals.” The lawsuit further claims that Horizon “admits that the unencrypted PII accessed and exfiltrated includes highly sensitive information, such as names, dates of birth, health plan information and Social Security numbers.”

“The exposed PII of defendant’s customers can be sold on the dark web and is in the hands of the group of criminals,” the complaint states. “Plaintiff and class members have no ability to protect themselves, as these criminals can easily access and/or offer for sale the unencrypted, unredacted PII to other criminals. Defendant’s customers face a lifetime risk of identity theft, which is heightened by the loss of their Social Security numbers.”

The lawsuit argues the PII in question was “compromised due to defendant’s negligent and/or careless acts and omissions and the failure to protect PII of defendant’s customers.” It argues the data was compromised as a result of the defendant’s failure to adequately protect the PII of the defendant’s customers and effectively secure hardware containing protected PII using reasonable and effective security procedures free of vulnerabilities.

“Defendant’s conduct amounts to negligence and violates federal and state statutes,” the lawsuit argues. “Plaintiff and class members have suffered numerous actual and imminent injuries as a direct result of the data breach, including theft of their PII; costs associated with the detection and prevention of identity theft; costs associated with time spent and the loss of productivity from taking time to address and attempt to ameliorate, mitigate, and deal with the consequences of the data breach; invasion of privacy; the emotional distress, stress, nuisance and annoyance of responding to, and resulting from, the data breach; the actual and/or imminent injury arising from actual and/or potential fraud and identity theft posed by their personal data being placed in the hands of the ill-intentioned hackers and/or criminals; damages to and diminution in value of their personal data entrusted to defendant with the mutual understanding that defendant would safeguard their PII against theft and not allow access to and misuse of their personal data by others; and the continued risk to their PII, which remains in the possession of defendant.”

On the company’s website, Horizon Actuarial contends that it “takes this incident and the security of information in our care very seriously.”

“We are reviewing our existing security policies and have implemented additional measures to further protect against similar incidents moving forward,” the firm says.

According to the Investment Company Institute, U.S. retirement plans held $37.4 trillion of investor assets at the end of 2021’s third quarter. Experts say that ocean of money—combined with the accounts’ valuable personal data and the multiple ways of accessing accounts remotely—makes retirement plans a natural target for thieves.

“As retirement plan advisers, we see phishing schemes, ransomware, social engineering attacks, email compromise and wire fraud,” warns David Graver, vice president of Fort Pitt Capital Group in Pittsburgh. “The last one really sticks out when specifically focusing on retirement accounts. Often, emails will be compromised, or online accounts hacked, and unauthorized loans or withdrawals will be requested from the account.”

Simply put, advisers, service providers and employers offering benefit plans must all be wary of cybersecurity risks and do their utmost to ensure they do not become victims of increasingly sophisticated and well-equipped cyberthieves.


Vermont Governor Vetoes Pension Reform Bill; Treasurer to Retire in January

State Treasurer Beth Pearce says she will not seek a seventh term due to health issues.

Vermont Governor Phil Scott has vetoed a pension and benefits reform bill, unanimously approved by the state senate last week, that addresses a $3 billion shortfall in the state’s public retirement funds.

Although Scott said the bill “takes some positive steps,” he added that “it does not include enough structural change to solve the enormous unfunded liability problems the state faces.”


In a letter to the state’s general assembly explaining his decision not to sign the bill, Scott acknowledged that the veto will likely be easily overridden, but said that “given the scope of this problem and the risk it poses to the financial health of our state, I cannot bring myself to do that. It would be disingenuous because I know we could have done better.”

Vermont House Speaker Jill Krowinski and Senate President Pro Tempore Becca Balint said in a joint statement that they plan to “override the veto expeditiously.”

The bill proposes various amendments to pension benefits and other post-employment benefits for participants in the Vermont State Employees’ Retirement System and the Vermont State Teachers’ Retirement System. It also changes reporting dates for certain actuarial studies for VSERS and VSTRS, as well as for the Vermont Municipal Employees’ Retirement System.

The legislation calls for one-time payments from the state totaling $200 million to pay down the unfunded liability in the state pension systems. It would also require phased-in increases in contributions from state employees and teachers, as well as some reductions in pension benefits. It makes no changes to the benefits of current retirees and beneficiaries, and modifies the formula for calculating cost-of-living adjustments.

The Vermont-National Education Association, the state’s largest union, said it was “disappointed” by Scott’s veto.

“Today’s veto is an affront to teachers, an affront to state employees, and an affront to troopers,” Vermont-NEA President Don Tinney said in a statement, adding that “our 13,000 members stand ready to work with lawmakers as they override this irresponsible and thoughtless veto.”

Meanwhile, Vermont State Treasurer Beth Pearce said she will not seek reelection for a seventh term and plans to retire in January after “having received some health news this past month.”

In her six terms as treasurer, Pearce has served as president of the National Association of State Treasurers, president of the National Association of State Auditors, Comptrollers and Treasurers and chair of the Government Accounting Standards Advisory Council.

“It has been my greatest personal and professional honor to serve the people of Vermont for the past 19 years … this service has been the highpoint of my more than 45 years in government finance,” Pearce said at a May 4 press conference. “I am so proud of this office and what we have accomplished over the past decade.”

Following Pearce’s announcement, Scott said in a statement that Pearce “has been a steadfast public servant, deeply committed to Vermont,” adding that “regardless of our differences, we have worked together well on several issues. I know Beth will continue to serve Vermonters well for the remainder of her term, and I wish her a speedy recovery.”
