RETIREMENT - Identity Crisis

Asset managers are scrambling to blunt a wave of online 401(k) security breaches.

Identity theft has caught up with the 401(k) world. Recent security breaches at several big plan administrators, linked primarily to the proliferation of laptop and handheld computers, have shaken investors’ confidence and prompted heightened scrutiny of how big firms protect customer information.

In January an investor had his entire $179,000 401(k) balance pilfered after hackers obtained his user ID and password. JPMorgan Chase & Co., the plan’s administrator, refunded all of the stolen money. In November a disgruntled employee at 401(k) administrator and consulting firm Towers Perrin allegedly stole five laptops from a locked room at the company’s Manhattan office. Employees of American Express and Unilever’s Lipton division were among those affected, with at least one reporting that his personal information had been used to open charge accounts. Towers Perrin says it notified affected clients as quickly as possible and regrets any inconvenience the incident caused them.

“Participants’ accounts are more exposed now than ever before,” says Jeffrey Cook, director of regulatory compliance for DST Systems, a recordkeeper that administers about $50 billion in retirement assets.

Security is becoming a huge issue for 401(k) plans not just because of hacker attacks but also as a result of a regulatory change: On October 16 the Securities and Exchange Commission will begin requiring a new level of information-sharing among investment managers, brokerages, independent recordkeepers and other firms that serve plan sponsors. The new rule, known as 22c-2, is designed primarily to help mutual fund firms track and deter market timing and other trading abuses among individual account holders. But it also will substantially increase the volume of information traffic that hackers can target.

“We’ll dim the lights by the number of transactions we have to pull data from,” says Chad Breunig, senior vice president and risk manager of Wachovia Retirement Services, referring to the spike in electronic messaging the new rule will prompt.

Corporations and other retirement plan sponsors are required under a 2002 change in federal law to keep participants’ accounts private and secure -- and to ensure that anyone they hire to work on the plans will do likewise. How are they responding to the growing risk of security breaches?

“Treat your laptops and handhelds like desktops,” advises Jonathan Gossels, president of SystemsExperts Corp., a technology-security consulting firm based in Sudbury, Massachusetts. That means using the same encryption software and other security measures for portable devices that firms deploy on computers in the office.

Fidelity Investments -- which came under criticism last year when a laptop containing information on 196,000 401(k) account participants from Hewlett-Packard Co. was stolen from an employee’s rental car -- is doing just that. The industry’s biggest defined contribution administrator, with some $911 billion in plan assets, recently installed encryption software on all company laptops and now requires employees to complete training on how to protect confidential client information, says a spokesman. (Fidelity says none of the HP beneficiaries’ account information was compromised as a result of the laptop theft.)

The Vanguard Group does not allow employees to store any participant information on laptops. Neither does the retirement services division of New York Life Investment Management, another leading 401(k) administrator. Vanguard and other firms are also working to improve the technology that authenticates the identities of plan participants and other parties who engage in account transactions. One big focus: safeguards that rely on recognizing a human voice, sophisticated fingerprinting, retinal scanning and other biometric innovations.

“That’s where the most innovative work is happening,” says Frederick Teufel, a Vanguard principal who works on security. “Every firm in the industry is testing voice recognition, for example.”

Many firms require manual approval of actions that could be used by hackers, including withdrawals, loan requests, changes of address and the linking of retirement accounts to checking accounts, loan requests and address changes. More than a few executives liken their efforts to an arms race; they’re always scrambling to stay one step -- or mouse click -- ahead of attackers.