Identity Theft and Internet Fraud Warning Clauses
(Defined Contribution Plan) (Summary Plan Description)


Summary

Use these clauses in a defined contribution retirement plan's summary plan description (SPD) to warn plan participants of the dangers that identity theft incidents and data security attacks pose to their individual retirement plan accounts, including warnings concerning fraudulent distributions and loans. These clauses include practical guidance, drafting notes, and an alternate clause. Plan sponsors and other fiduciaries must take steps to secure participants' personally identifiable information provided to vendors in order to protect the security of plan assets and other data, consistent with their fiduciary duties under ERISA. Because the Department of Labor has issued limited guidance on fiduciary responsibility for protecting plans against privacy risks and the risks of cybersecurity attacks, this topic has been one of much debate. These clauses provide sample language on identity theft and internet fraud issues that may be used in the SPD to warn and educate participants. For a listing of key content regarding cybersecurity issues in retirement plans, see Cybersecurity for Qualified Retirement Plans Resource Kit. For a full listing of key content covering 401(k) and other defined contribution plan compliance, see 401(k) and Other Defined Contribution Plan Compliance Resource Kit.