In a recent email, American Express pointed me to some good stuff about protecting against identity theft. What plan sponsors can’t protect against, however, is employee personal and financial information stolen from 401(k) providers. I’ve written about this in the past. Take, for instance, the 401(k) provider that had personal data on 160,000 current and former employees of Neiman Marcus stolen, or the accounting firm that had personal data on 40,000 current and former Chicago Public School teachers stolen. Or my nomination for the Chutzpah of the Year Award: the thieves who robbed Scotland Yard of the names and personal data on 15,000 Met police officers.

What do all of these situations have in common? The service provider in question was carrying around confidential employee data on a laptop. Not exactly state-of-the-art computer security. I’m now convinced that one of the questions that plan sponsors should ask their provider is "exactly how do you protect our data?" The answer may surprise – and concern – you!