J.P. Morgan Sued For Data Exposure

A new lawsuit alleges J.P. Morgan Chase & Co. lacked adequate protocols to thwart a recent breach, resulting in the exposure of participants' personal data.

A participant in a retirement plan managed by J.P. Morgan Chase & Co. has initiated legal action against the company following recent reports of a data breach in which over 451,000 plan participants’ personal details were exposed.

According to the lawsuit filed in the U.S. District Court for the Southern District of New York on May 3, former Long Island Railroad employee Benjamin Valentine’s personal information—which he entrusted to J.P. Morgan on the mutual understanding that the firm would protect it against disclosure—was “targeted, compromised and unlawfully accessed due to the data breach.”


The personally identifiable information that was exposed included participants’ full names, addresses, payment and deduction amounts and Social Security numbers, the bank confirmed last week when making public news of the breach.

A spokesperson at J.P. Morgan at that time said the breach was not part of a cyberattack and there was no indication of data misuse. A regulatory filing submitted to the Maine Attorney General had revealed that on February 26, J.P. Morgan learned of a software issue that caused certain reports run by three authorized system users to include plan participant information that they were not entitled to see.

As a condition of Valentine’s employment with the Long Island Railroad, he was required to provide his personally identifiable information to J.P. Morgan, according to the lawsuit.

Valentine received a notice letter about the data breach on April 18, and according to the letter, his personal information was “improperly accessed and obtained by unauthorized third parties,” including his name, address, Social Security number and payment and deduction amounts.

The lawsuit claims that Valentine suffered injury from having his information compromised. This includes invasion of privacy, theft of his PII, lost or diminished value of PII, lost time and opportunity costs associated with attempting to mitigate the actual consequences of the data breach and more.

“The data breach has caused [Valentine] to suffer fear, anxiety, and stress, which has been compounded by the fact that [J.P. Morgan] has still not fully informed him of key details about the data breach’s occurrence,” the lawsuit states.

The lawsuit also accuses J.P. Morgan of failing to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect its clients’ employees’ PII from a “foreseeable and preventable cyberattack.”

While J.P. Morgan denied that the breach was a result of a cyberattack, the lawsuit argues that the firm was targeted for a cyberattack due to its “status as a financial institution that collects and maintains highly valuable PII on its systems.”

In addition, the lawsuit accuses J.P. Morgan of failing to ensure its data systems were protected against unauthorized intrusions, failing to take steps to prevent the data breach and failing to provide affected participants “prompt and accurate notice” of the breach.

“Omitted from the notice letter were the details of the root cause of the data breach, the vulnerabilities exploited, and the remedial measures undertaken to ensure such a breach does not occur again,” the lawsuit stated.

Lynne Atchison, executive director of benefit payment services at J.P. Morgan, wrote in the disclosure notice to the Maine AG that the firm “promptly addressed the access and applied a software update” once the firm was aware of the issue.

Through the lawsuit, Valentine seeks relief including, but not limited to, actual damages, treble damages, statutory damages, injunctive relief and attorney’s fees and costs.  

Valentine is represented by law firm Milberg Coleman Bryson Phillips Grossman LLC based in Garden City, New York.

J.P. Morgan did not respond immediately to a request for comment on the lawsuit.

PTE 2020-02 and Compensation-Related Conflicts

PTE 2020-02 does not explicitly ban any adviser practices, but does require reasonable conflict mitigation policies regarding compensation.

The Retirement Security Rule and accompanying Prohibited Transaction Exemption amendments, finalized in April, elaborate on differential pay between products offered by advisers and how advisers should manage their compensation-related conflicts.

The amendments to PTE 2020-02 provide exemptive relief to financial professionals who sell investment advice to plans governed by the Employee Retirement Income Security Act. To make use of the exemption, professionals must manage their conflicts through policies and procedures. Those conflicts include receiving varying compensation for different products, or differential compensation, which could incentivize an adviser to recommend a product that does not advance the investor’s best interest.


PTE 2020-02 maintains the traditional principles-based approach to mitigating conflicts, says Jason Roberts, CEO of the Pension Resource Institute: “for better or worse, very few things are categorically banned under PTE 2020-02.”

The amendments describe how advisers should mitigate their conflicts in the PTE’s preamble and section on policies and procedures. The amended PTE 2020-02 reads, “The Financial Institution’s policies and procedures must mitigate Conflicts of Interest to the extent that a reasonable person reviewing the policies and procedures and incentive practices as a whole would conclude that they do not create an incentive for a Financial Institution or Investment Professional to place their interests, or those of any Affiliate or Related Entity, ahead of the interests of the Retirement Investor.”

The DOL says explicitly that it does “not require Financial Institutions to categorically eliminate all sales quotas, appraisals, performance or personnel actions, bonuses, contests, special awards, differential compensation, sales contests, quotas, or bonuses.”

However, advisers must be sure to “eliminate such incentives that are ‘intended, or that a reasonable person would conclude are likely, to result in recommendations that do not meet the Care Obligation or Loyalty Obligation.’” The DOL adds that “it is not imposing an obligation on firms to eliminate all differential compensation, but rather to manage any conflicts of interest caused by such differentials so that the interest of the Retirement Investor is paramount.”

Reg BI

Regulation Best Interest, enforced by the Securities and Exchange Commission, requires advisers to act in the best interest of their retail clients when recommending securities, and served as inspiration for the DOL’s final rule. Reg BI does, in fact, have a per se ban on “sales contests, sales quotas, bonuses, and non-cash compensation that are based on the sales of specific securities or specific types of securities within a limited period of time.”

PRI’s Roberts says that though PTE 2020-02 lacks this explicit and unqualified prohibition, “the same types of contests Reg BI expressly prohibits would also not be allowable under the PTE,” because no reasonable conflict mitigation policy could permit them.

The DOL provides some examples in the PTE for policies designed to mitigate conflicts where differential compensation exists. Policies “could provide for increased monitoring of Investment Professional recommendations at or near compensation thresholds, recommendations at key liquidity events for investors (e.g., rollovers), and recommendations of investments that are particularly prone to conflicts of interest, such as proprietary products and principal-traded assets.”

Not Prohibited

Roberts notes that the DOL says that eliminating differential compensation actually does not on its own satisfy the reasonable policies and procedures requirement: “It is not enough merely to pay Investment Professionals the same percentage of the Financial Institution’s compensation for a recommended investment product, as for other products, if the Financial Institution receives more compensation from recommending that product.” This is because the firm’s conflict is passed on to the adviser.

Roberts says that the “DOL is reluctant to categorically prohibit things and prefers to let affected firms evaluate their policies in light of how a reasonable person would view them. After all, a reasonableness standard has been the foundation for ERISA’s fiduciary duties for 50 years.”

However, Roberts points out that in the amended PTE 2020-02, the DOL “moved the reference to differential compensation and incentives from the preamble into the actual text of the exemption. That signals to me that this is an area to which DOL thinks firms should be paying more attention.”

 
