Cybersecurity risks are not new. We’ve been dealing with data breaches for years, and if we’ve learned one thing, it’s that hackers are smart. Hackers can infiltrate even the most complex security systems in the pursuit of personal information. It was only a matter of time until retirement plans, rich with personal information and money, fell victim to data breaches too. And like most companies navigating the aftermath of a data breach, retirement plan sponsors and service providers can easily find themselves in the midst of intense litigation.
Now, with the implementation of the Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”), plan sponsors and service providers are seeing an influx of participant requests for distributions and loans. Unfortunately, this presents an opportunity for cybercriminals to take advantage of easier distribution rules and overwhelmed service providers. Combined with the relatively easy access to money, retirement plans are more desirable than ever for cybercriminals.
Recent litigation illustrates the complexity of issues that can arise when a retirement plan is breached. With so many players, including affected participants, plan sponsors, administrators, and recordkeepers, responsibility becomes a game of finger-pointing and who-did-it? From these cases, all parties can learn about their duties to protect personal information.
Berman v. Estee Lauder, Inc. et al.
In October 2019, a participant in the Estee Lauder Companies 401(k) Savings Plan (the “Lauder Plan”) filed a complaint against the plan sponsor, the employee benefits committee, Alight Solutions LLC, as recordkeeper, and the Lauder Plan’s custodian, claiming breaches of the fiduciary duties of loyalty and prudence.
According to the complaint, the participant had more than $90,000 in her account balance as of June 30, 2016. In three withdrawals, of which the participant only received two “confirmation of payment letters” via postal mail, the participant’s account was all but drained. The participant also alleges she made at least 23 phone calls to the recordkeeper’s customer service center. Ultimately, the participant was told that the investigation was complete, no money had been recovered, and that the participant’s account balance would not be made whole. Notably, the participant claims that no one from the plan sponsor or the employee benefits committee ever contacted her concerning this theft.
The complaint alleges deficiencies in the Lauder Plan’s and defendant’s policies and procedures, such as the failure to confirm authorization prior to making distributions, provide timely notice by telephone or email, or flag the multiple requests for distributions to accounts in different banks as suspicious. These deficiencies, the complaint argues, are breaches of the defendant’s fiduciary duties.
The parties filed a notice of settlement on March 2nd. While the terms of the settlement are not public, this case laid the groundwork for questioning responsibility and remedies when data breaches and ERISA intersect.
Leventhal v. MandMarblestone Group, LLC
Similar to the Estee Lauder case, a plan participant (and the plan sponsor) filed a complaint in June 2018 seeking relief after approximately $400,000 was distributed from a 401(k) account. The participant sued both MandMarbleStone Group, LLC (“MMG”), as plan administrator, and Nationwide Trust Company FSB (“Nationwide”), as the plan custodian, after a cybercriminal obtained a copy of a participant’s distribution form and used it to submit a series of fraudulent request for withdrawals.
In ruling on the defendants’ motion to dismiss, the court determined that the complaint sufficiently pled that the administrator and the custodian were fiduciaries in connection with distributing the plan assets to participants and, as such, they could be held liable for breach of fiduciary duty in failing to enact prudent procedures and safeguards to protect the plan participants from security breaches. The court dismissed the state law claims.
MMG and Nationwide filed counterclaims against the plaintiffs, claiming that the plaintiffs’ own carelessness with respect to its employees, computer systems, and policies allowed the cybercrime to occur. The counterclaim states that the plan sponsor is equally liable in its capacity as a named fiduciary of the plan and should be proportionally liable for the losses. On May 27, 2020, the court ruled that ERISA allows claims of contribution and indemnity.
While the court has not yet concluded that a fiduciary breach occurred, it notably held that the plaintiffs have, so far, sufficiently established that the administrator and custodian acted as fiduciaries in connection with the payment of distributions. Most courts have historically held that administrators and custodians do not act as fiduciaries, raising the question of whether protecting against cybercrime will change the relationship between ERISA plans and service providers.
Bartnett v. Abbott Laboratories et al.
Most recently, on April 3, 2020, a participant in the Abbott Laboratories Stock Retirement Plan (the “Abbott Plan”) filed a lawsuit against Abbott Laboratories and Abbott Corporate Benefits, the individual designated as plan administrator, and Alight Solutions LLC, as the recordkeeper. Like the cases before, the complaint alleges that defendants failed to use the level of care and prudence required of an ERISA fiduciary when protecting plan assets. Specifically, the complaint alleges that the defendants breached their fiduciary duties by (i) failing to verify the participant’s identity prior to making distributions, (ii) failing to establish safeguards to protect plan assets from unauthorized withdrawals, and (iii) failing to monitor other fiduciaries’ distribution procedures and policies. Notably, just three days after the participant filed her complaint, the Department of Labor announced an investigation into Alight’s processing of unauthorized distributions as a result of cybersecurity breaches.
According to the complaint, the hacker likely already had certain personal information about the participant prior to accessing the plan account, including the last four digits of the participant’s social security number and date of birth. It’s also likely the hacker had access to the participant’s email. In December 2018, the hacker attempted to login to the participant’s account by using the “forgot password” option and after entering the last four digits of the social security number and birthdate, the hacker was sent a one-time verification code via email, therefore gaining access to the participant’s account. From there, the hacker changed the account password and added direct deposit information for a new bank account.
Two days later, someone called the Alight participant phone line from a number not associated with the participant’s account and reported that a requested distribution did not go through. Alight did not allow the distribution to go through because it requires a seven-day waiting period between adding a new bank account and allowing distributions to the new account. Eight days later, someone again called the participant phone line and requested the distribution. Alight sent another verification code to the email address. The hacker was then able to distribute $245,000 to the new bank account.
In the complaint, the participant alleges that the defendants informed her about the addition of the new bank account and the distribution by regular mail. The participant argues that if the defendants had used email, she would have been able to question the security of her account and stop the transfer of the funds.
In June 2020, Abbott Laboratories and Alight filed competing motions to dismiss the complaint. Both motions disclaim any liability for fiduciary breaches in these circumstances and point the finger as to the other. In addition to determining whether the participant has stated a claim of fiduciary breach, the Northern District of Illinois will ultimately determine whether either Abbott or Alight (or both) have a fiduciary duty with respect to cybercrime, therefore commenting on fiduciary duties in regards to cybersecurity for plan sponsors and service providers.
Lessons Learned (thus far)
These cases accurately illustrate the complexities that arise in the aftermath of a data breach. While the Department of Labor has not yet issued guidance on how to address cybercrime against retirement plans or what types of protective measures should be in place, it is clear that plan sponsors and service providers must preemptively consider cybersecurity. Until the Department of Labor issues guidance, we must rely on the fiduciary duties of care, skill, prudence, and diligence.
But what exactly does that mean? What should plan sponsors and administrators consider? In light of the above cases, best practices could include:
- Both plan sponsors and service providers should review agreements to determine whether cybersecurity is discussed and the division of responsibilities.
- Plan sponsors should understand the cybersecurity policies and procedures the plan service providers have in place to protect participant personal information and plan assets.
- Plan sponsors should reserve the right to review the service provider’s cybersecurity audits, like the Service Organization Control Reports.
- Both plan sponsors and service providers should encourage participants to regularly check plan accounts for any irregularities. Participants should have an easy method of contacting a service provider if concerned.
If case law and current events indicate anything, it’s that issues of cybercrime are not going away any time soon. Plan sponsors and service providers both need to proactively (and preemptively) make cybersecurity a priority.
Jenny L. Holmes