Cohen & Buckmann, P.C.


New Lawsuit Against Abbott and Alight Could Clarify Fiduciary Responsibility for Cybersecurity

By Carol Buckmann

A lawsuit I wrote about in the article Cybertheft of 401(k) Plan Assets - New Case Highlights Fiduciary Exposure, brought by a participant in the Estee Lauder plan whose account was stolen by an imposter, was recently settled. The settlement means there will be no court decision in that case defining the responsibilities of plan sponsors and vendors to keep plan assets secure. However, another lawsuit has been filed by a participant whose plan account also was stolen by an imposter. This time, the plan sponsor defendant is Abbott Laboratories, but the recordkeeper, Alight (formerly Aon), is the same. The Department of Labor also has moved in court to subpoena Alight’s records as part of a separate ongoing investigation.

The Abbott Complaint

The facts as alleged in the complaint are troubling. This was not a direct hack into the system. The imposter engaged in phone conversations with an Alight call center representative because the imposter was unable to process account withdrawals online without assistance.

If these facts are correct, Alight’s procedures for this plan sponsor shared some of the deficiencies raised in the Estee Lauder complaint. Of primary importance is the fact that no e-mails were sent to the participant asking her to confirm that withdrawals had been requested, and by the time confirmations sent by regular mail arrived in the participant’s mailbox, the money had already disappeared from her account. In addition, the phone representative allegedly disclosed the participant’s address to the imposter and helped the imposter change the account password by sending the imposter one-time security codes, even though the phone number used by the imposter was not on file as a phone number associated with the participant’s account. As in the Estee Lauder situation, there appear to have been red flags that should have led Alight to contact the participant for confirmation before the withdrawal was processed.

Although Abbott is correctly named an additional defendant, the complaint focuses on defects in Alight’s system, contending that Alight’s control over plan assets made Alight an ERISA fiduciary. This is important because fiduciaries are personally liable for losses caused by their breaches. Alight is then accused of breaching the fiduciary duties of loyalty and prudence.

Getting a court to declare Alight a fiduciary may be an uphill battle since many cases have determined that recordkeepers are not fiduciaries when they perform their typical functions. However, even if it is not a fiduciary, a court could still determine that Alight violated its contractual responsibilities toward Abbott and its plan participants. Some states have cybersecurity laws that might also provide a basis for recovery in these cases.

Abbott, as plan sponsor, is clearly a fiduciary and was responsible for supervising Alight’s procedures for safeguarding plan assets, yet the complaint provides no information about what Abbott did or did not do to monitor Alight. Abbott may also have breached its own duties of loyalty and prudence by its failure to hire a vendor with adequate internal procedures. In that event, Abbott and its fiduciaries would also be required to restore the loss.

Breaches Are Increasing

These are certainly not the first losses of participant accounts caused by cybersecurity breaches, as this is a fast-spreading problem in the industry. Prior to these lawsuits, we have heard that many vendors were quietly making up losses to participants. That makes sense, since of all the parties here, the participant who was deprived of her benefit was the victim and should not bear the loss. In fact, it appears that the plan deprived the participant of her vested benefit by failing to reimburse her account for the loss, which may also raise plan qualification issues. Perhaps vendors are starting to resist quiet settlements because they fear major losses from a mass breach.

How Government and Fiduciaries Can Respond

As hacks and breaches proliferate, it becomes more and more important for plan sponsors, fiduciaries and service providers to have legal guidance on their cybersecurity responsibilities and for innocent participants whose accounts are stolen to be made whole without the need to resort to the courts. If the regulators and the courts cannot find a basis for protection under ERISA or other existing law, new laws or an amendment to ERISA would be appropriate.

In the meantime, plan fiduciaries should make sure to obtain cybersecurity insurance protection and negotiate indemnification commitments in their services agreements that cover this type of loss. Some vendors are now offering special warranties to their plan customers. But reliance on documents alone is not sufficient. There should be a careful investigation and ongoing audits of the procedures a provider is actually following in practice to make sure they are sufficient. Every plan should also consider adopting a breach policy to set out responses if, despite the procedures in place, a fiduciary breach occurs.
