Multi-employer plan participants involved in an Employee Retirement Income Security Act of 1974 (ERISA) class action lawsuit against Horizon Actuarial Services LLC (Horizon), a national retirement services firm, have entered into an $8.733 million settlement agreement. The agreement (originally proposed as a $7.75 million non-reversionary fund), if approved by a Georgia federal judge, would resolve all claims brought against Horizon in response to a cyberattack that exposed the personally identifiable information (PII) of more than 100,000 Horizon customers and a potential settlement class of over 4 million individuals.

The proposed Horizon settlement highlights the importance of plan sponsors and other plan fiduciaries conducting regular audits of their data security practices – and those of their third-party service providers – to mitigate cybersecurity risks in accordance with the best practices identified by the Employee Benefits Security Administration (EBSA).

Case Background

In November 2021, a group of cybercriminals breached two servers of Horizon, an actuarial consulting firm that specializes in multi-employer plan benefits. The group claimed to have stolen a list of PII, including names, dates of birth, Social Security numbers (SSNs) and health plan information, among other sensitive financial information. In total, more than 100,000 participants in 25 different multi-employer plans administered by Horizon were affected in the breach. Horizon ultimately negotiated a ransom payment with the cybercriminal group in exchange for the group's agreement to delete and not otherwise sell, publish or distribute the stolen data in any way.

In April 2023, a class action lawsuit was filed in the U.S. District Court for the Northern District of Georgia by several plan participants whose PII was compromised in the attack. The plaintiffs alleged that Horizon's negligence jeopardized the security of sensitive personal data when it failed to adequately implement reasonable and appropriate systems and safeguards despite the growing prevalence of data breaches and the havoc they wreak. Specifically, the complaint alleged that Horizon failed to 1) properly train and supervise employees and vendors, 2) comply with industry-standard data security practices, including the use of effective security procedures, and 3) comply with state and federal laws and regulations governing data security practices. According to the plaintiffs, Horizon also failed to inform the affected individuals of the cyberattack for upward of five months.

The plaintiffs argued that by collecting and deriving benefit from the personal information of its customers, Horizon had assumed legal and equitable duties to protect such information. They further claimed that they were – and continued to be – at risk of identity theft, fraud and various other forms of personal, social and financial harm. The plaintiffs sought restitution for the time, expenses and hardship associated with securing their personal and financial identities, as well as the fallout of having to protect themselves from a lifetime risk of attack, a risk especially heightened by the loss of their SSNs.

The parties reached an initial agreement in September 2023 that proposed a $7.75 million non-reversionary settlement fund to pay the following: 1) losses related to fraud or identity theft, 2) professional fees, including attorneys, accountants and credit repair services, 3) costs associated with freezing and unfreezing credit with reporting agencies, 4) credit monitoring costs incurred from the point of Horizon's notice of the breach until the date the claim was submitted and 5) other miscellaneous out-of-pocket expenses. The settlement was modified in December 2023 to the $8,733,333 submitted for court approval. The settlement agreement does not require Horizon to admit to any wrongdoing.

Prudent Mitigation of Cybersecurity Risks

Cybersecurity presents an increasing area of risk for ERISA-covered plan fiduciaries, and the safeguarding of sensitive individual health and financial information is paramount. United States retirement plans hold trillions of dollars in assets on behalf of individual investors, together with a wealth of personal data and the remote access points to all of this information. These factors make plan administrators attractive targets for the sophisticated underworld of cyberhacking, ransomware and wire fraud. EBSA has now published guidance on the "best practices" fiduciaries should follow to ensure prudent mitigation of cybersecurity risks.

The best practices are as follows:

  1. Have a formal, well-documented cybersecurity program.
  2. Conduct prudent annual risk assessments.
  3. Have a reliable annual third-party audit of security controls.
  4. Clearly define and assign information security roles and responsibilities.
  5. Have strong access control procedures.
  6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
  7. Conduct periodic cybersecurity awareness training.
  8. Implement and manage a secure system development life cycle program.
  9. Have an effective business resiliency program addressing business continuity, disaster recovery and incident response.
  10. Encrypt sensitive data, both stored and in transit.
  11. Implement strong technical controls in accordance with best security practices.
  12. Appropriately respond to any past cybersecurity incidents.
