JPMorgan Chase Sued over Data Breach That Exposed 450K Retirement Plan Participants

The investment firm is among 600 organizations worldwide whose pension funds and benefits plan providers had participants’ data breached recently.

A retirement plan participant has sued JPMorgan Chase over the company’s recent data breach, alleging that his personal information was “targeted, compromised, and unlawfully accessed.” The full names, addresses, payment and deduction amounts, and Social Security Numbers of more than 451,000 participants were exposed in the breach, the company said.

Benjamin Valentine, a former Long Island Railroad employee, filed a class action lawsuit representing up to 50,000 plan participants in the U.S. District Court for the Southern District of New York. He received a letter in mid-April saying his personal information was improperly accessed and obtained by unauthorized third parties. “The data breach has caused [Valentine] to suffer fear, anxiety, and stress, which has been compounded by the fact that [JPMorgan] has still not fully informed him of key details about the data breach’s occurrence,” the lawsuit claims.

The lawsuit says JPMorgan failed to:

Valentine seeks relief including, but not limited to, actual damages, treble damages, statutory damages, injunctive relief, and attorney’s fees and costs.

J.P. Morgan learned of a software issue that caused certain reports run by three authorized system users to include plan participant information that they were not entitled to view, according to a regulatory filing submitted to the Maine attorney general. The breach was not part of a cyberattack, and there was no indication of data misuse, a company spokesperson said at the time.

Retirement plans increasingly are becoming a target for identity theft, said David Donaldson, president of the risk-management firm ERISA Smart and former senior investigator at the U.S. Department of Labor. “Most people’s largest liquid asset is their retirement plan, and it’s an account that people don’t frequently monitor,” he said.

The California Public Employees Retirement System (CalPERS), Charles Schwab, and Fidelity Investments are among the 600 organizations worldwide whose pension funds and benefits plan providers had their participants’ data security breached in the past year. These breaches, and the lawsuits that often result, should be a wake-up call to plan sponsors, said Tim Rouse, executive director at the SPARK Institute.

Before a breach occurs, sponsors should speak with their vendors about developing an incident response plan that helps the organization mitigate risk before, during, and after a security incident. In case of breach, plan sponsors need to understand which systems were affected and determine whether they can isolate those systems and contain the problem. After the problem is contained and steps have been taken to mitigate the breach, a sponsor needs to have a plan for how the organization will communicate the issue with its participant base.

“Unfortunately, these incidents will continue to happen,” Rouse said, “and no one is immune.”



From: BenefitsPRO