Small Email Mishap Affects 9,400 Retirement Plan Participants

By Mary Kathryn Curry

Late last month Schwab Retirement Plan Services (Schwab) sent an accidental email to a participant in another retirement plan, also serviced by Schwab, with a spreadsheet attached containing personal information of approximately 9,400 plan participants. The spreadsheet included information such as names, addresses, dates of birth, Social Security numbers, employment statuses, marital statuses, and account balances belonging to participants in a company-sponsored retirement plan. Soon after receiving it, the recipient of the spreadsheet informed their plan sponsor, who then contacted Schwab. The good news is, Schwab does not believe anyone’s personal information was compromised. In a letter to plan participants, Schwab indicated that though participants’ personal information was exposed, Schwab has confirmed that the email and attachment have been deleted from the company’s email and server, and that the email was not forwarded. Schwab has, nonetheless, recommended that each participant monitor recent and future account statements carefully, check their credit reports regularly, and it has offered a free one-year credit monitoring subscription to assist participants in protecting their information. Schwab also confirmed that it is taking steps to prevent similar incidents in the future.

The lesson learned here is nothing new: all businesses must take steps to protect their customers’ personal information, and not just from hackers. Every company should have a privacy policy that obligates employees with access to customer data to protect that information, which should include annual training for those employees and continued updates on data security measures. Businesses in every industry should also limit their employees’ access to customer information. Only allowing access to the least amount of information needed to do a job minimizes the number of employees with access to customer personal information, which in turn reduces the risk that sensitive information will be improperly exposed. Finally, do as Schwab did here and stick to a breach plan. Acting quickly to contain the problem, and following up with affected individuals by providing information and steps to safeguard their information, is key to reducing the negative effects of a breach.

For more information on protecting your customers’ personal information, please contact the author, a member of the Privacy and Data Security practice, or your Polsinelli attorney.