Merrill data bungle hits Walmart 401(k) plan

Merrill Lynch is the latest broker-dealer to report a snafu in handling client private data, with the Maine Attorney General’s office last week disclosing that Merrill, as the record keeper for Walmart’s 401(k) plan, revealed private client information to an “unauthorized recipient” having nothing to do with the plan.

Merrill provides services for the Walmart 401(k) Plan, with 1,883 clients affected by the data breach. They are eligible for two years of Experian Credit Monitoring, according to Maine.

In April, “a Merrill employee inadvertently disclosed personal information to an unauthorized recipient via an isolated email error,” according to the Maine Attorney General. “We became aware of this event on April 22, 2024. The personal information included in the email was the first and last name and Social Security number.”

The email has since been deleted, and Maine officials in the May 23 notice added that they were not aware of any misuse of the disclosed personal information disclosed.

The Securities and Exchange Commission this month said it was sharpening its focus on cybersecurity breaches at broker dealers and registered investment advisors.

Interactive Brokers, which specializes in equities and options trading, this month notified Massachusetts that it had identified a business email compromise that resulted in the unauthorized access to a limited amount of consumer personal information.

“Financial institutions hold massive amounts of personal client information, including clients’ statements of net worth, and bad actors want to target this information for a variety of schemes,” said Scott Silver, a plaintiff’s attorney. “We’re hearing more horror stories along those lines.”

“Plus, there are many small 401(k) companies and plan administrators who have sensitive client information and may not all have best in class systems to protect that information,” he added. “That’s part of what the SEC is looking at.”

In a letter to Walmart 401(k) clients, Merrill Lynch on May 23 wrote: “We recommend you take the following steps to help protect your personal information: promptly review your credit reports and account statements over the next 24 months and notify your financial institution of any unauthorized transactions or incidents of suspected identity theft.”

“Enroll in the complimentary identity theft protection service offered,” according to the letter. “We regret any concern or inconvenience this incident may cause you.”

A spokesperson for Merrill Lynch said the firm had no comment beyond the letter to clients.

In a move to modernize regulation around how certain institutions handle customers’ nonpublic personal information, the SEC this month said that it adopted critical amendments to Regulation S-P.

This move is intended to address the growing risks associated with technological advancements since the rule’s initial adoption in 2000. Under the amendments, broker-dealers, investment companies, registered investment advisers, and transfer agents will have to meet new requirements to safeguard customer data.

Related Topics: Merrill Lynch