The recent hacking of Capital One by a disgruntled former employee sent shockwaves through the finance sector as an estimated 100 million credit card applicants had their personally identifying information exposed. The incident has hurt Capital One’s reputation as a tech-savvy company and has other businesses and consumers wondering what must be done to secure user data. The episode should be a wake-up call for any business that stores consumer and employee data, but as a business owner, you also must wonder about the security of companies to whom you entrust employee data. We’re speaking specifically about the company that administers your 401(k) plan.

As a 401(k) plan sponsor, you have to take precautions against identity theft. Imagine a hacker accessing the identifying information necessary to log into the service provider’s website and start moving assets around. Within a short period of time, your workers’ retirement savings could be wiped out. Not only would this be devastating for your loyal employees, but such a crisis could grind your business operations to a halt. To protect against disaster, here are some steps you must take:

• Assess the service provider’s security — Many company’s choose providers based on their reputation for investing assets wisely for sustained growth over time. But you also have to investigate whether they have reliable protection systems and security policies. Providers generally carry cyber fraud insurance and extend coverage to plan participants. However, this protection may be limited, and may be void if the provider determines that you or your employees created conditions that allowed a security breach.
• Conform your protocols —Your plan may require participants to adopt the provider’s recommended security practices, such as checking account information “frequently” and reviewing correspondence from the administrator “promptly.” You must understand the standards that apply and adhere to them.
• Educate your employees — Instruct your workers so they act appropriately to preserve their rights. Workers have been conditioned to deposit funds and let the system work for them. They shouldn’t worry about short term fluctuations because “the market always comes around.” However, without regular monitoring, the accounts become vulnerable. Thus, you must instruct your employees to periodically check their account balances and look for signs of unauthorized activity.
• Reinforce standard security protocols — A hacker doesn’t have to attack the plan provider directly. Hackers can access an employee’s information through another online account where the security is weak. Having discovered the 401(k) exists, the hacker then proceeds to attack. That’s why it’s important to reinforce basic security protocols for all online accounts.
  1. Use strong passwords and change them frequently.
  2. Vary login IDs and passwords for different sites.
  3. Don’t store login information on a browser.
  4. Never share login information even with relatives and close friends.