JPMorgan Chase sued over data breach, exposing 450K retirement plan participants
The investment firm is among 600 organizations worldwide whose pension funds and benefits plan providers had their participants' data breached recently, which should be “a wake-up call” to all plan sponsors, say industry experts.
A retirement plan participant has sued JPMorgan Chase over the company’s recent data breach, alleging that his personal information was “targeted, compromised and unlawfully accessed.” The full names, addresses, payment and deduction amounts, and Social Security numbers of more than 451,000 participants were exposed in the breach, the company said.
Benjamin Valentine, a former Long Island Railroad employee, filed a class action lawsuit representing up to 50,000 plan participants in the U.S. District Court for the Southern District of New York. He received a letter in mid-April saying his personal information was improperly accessed and obtained by unauthorized third parties. “The data breach has caused [Valentine] to suffer fear, anxiety and stress, which has been compounded by the fact that [JPMorgan] has still not fully informed him of key details about the data breach’s occurrence,” the lawsuit said.
The lawsuit said JPMorgan failed to:
- Implement adequate and reasonable cybersecurity procedures and protocols necessary to protect its clients’ employees’ personal information;
- Ensure that its data systems were protected against unauthorized intrusions;
- Take steps to prevent the data breach; and
- Provide affected participants prompt and accurate notice of the breach.
Valentine seeks relief including but not limited to actual damages, treble damages, statutory damages, injunctive relief and attorney’s fees and costs.
J.P. Morgan learned of a software issue that caused certain reports run by three authorized system users to include plan participant information that they were not entitled to view, according to a regulatory filing submitted to the Maine attorney general. The breach was not part of a cyberattack and there was no indication of data misuse, a company spokesperson said at the time.
Retirement plans increasingly are becoming a target for identity theft, said David Donaldson, president of the risk-management firm ERISA Smart and former senior investigator at the U.S. Department of Labor. “Most people’s largest liquid asset is their retirement plan, and it’s an account that people don’t frequently monitor,” he said.
The California Public Employees Retirement System, Charles Schwab and Fidelity Investments are among the 600 organizations worldwide whose pension funds and benefits plan providers had their participants’ data security breached in the past year. These breaches, and the lawsuits that often result, should be a wake-up call to plan sponsors, said Tim Rouse, executive director at the SPARK Institute.
Before a breach occurs, sponsors should speak with their vendors about developing an incident response plan that helps the organization mitigate risk before, during and after a security incident. In case of a breach, it is important for plan sponsors to understand which systems were affected and determine whether they can isolate those systems and contain the problem. After the problem is contained and steps have been taken to mitigate the breach, a sponsor needs to have a plan for how the organization will communicate the issue to its participant base.
“Unfortunately, these incidents will continue to happen,” Rouse said, “and no one is immune.”