As COVID-19 forces our economy to become digital, standards around cyber fraud claims are changing. This digital shift had already been underway in the retirement space, but COVID-19 has created additional pressure for plan administration to become more digital and faster.
Under ERISA, a plan fiduciary is required to act as a “prudent expert” when making decisions regarding the administration of a plan. Even recently, plan fiduciaries were taking the position that cybersecurity breaches are novel and that fiduciaries have not had enough notice of these types of risks to be responsible for taking precautions. COVID-19 and recent litigation may bring those days to an end.
As cybersecurity risks increase, plan sponsors may want to review their contracts with plan service providers to understand the measures that are being taken and to understand who bears cybersecurity risk.
Bartnett v. Abbott Laboratories
Earlier this month, a participant in Abbott Laboratories’ 401(k) plan filed suit against Abbott Laboratories and related parties, highlighting evolving cybersecurity and plan fraud risks. The participant alleges that plan fiduciaries, including the plan’s recordkeeper, breached their fiduciary responsibilities when they allowed a fraudster to steal $245,000 from the participant’s retirement account.
This suit could provide federal courts with another opportunity to address whether cybersecurity is a part of plan administration and, if so, how robust the cybersecurity and fraud prevention processes need to be.
The facts alleged in Bartnett v. Abbott Laboratories are what one would expect. Participant saved for retirement. Fraudster impersonated participant. Recordkeeper fell for impersonation. Money was stolen. Neither the plan sponsor nor the recordkeeper wants to reimburse the participant for the criminal theft.
The fraudster began with three pieces of information: the participant’s username, the last four digits of her Social Security number, and her date of birth. Using that information, the fraudster requested a one-time code via email to reset the account’s password. The fraudster then added a new direct deposit account to which the funds within the plaintiff’s plan account could be transferred. Seven days later, the fraudster was able to transfer $245,000 to the new account.
The participant claims that the recordkeeper failed to satisfy ERISA’s requirements for a few reasons:
- First, she alleges that the recordkeeper should have notified the participant that a new direct deposit account was established using a method of delivery that would allow a participant to object in a timely manner. Here, the recordkeeper used paper mail to send this notice.
- Second, the participant alleges that the recordkeeper should have required the fraudster to answer her online security questions rather than offering a bypass option of sending an email with a one-time password reset code.
- Third, the participant alleges that the recordkeeper should have been more communicative via email when it made changes to her account. The plaintiff asserts a number of times throughout the complaint that she has no record of emails from the recordkeeper that would prompt her to reset the password, notify her of the password change, or inform her that a distribution was requested.
3 key takeaways for plan fiduciaries
A court has not yet weighed in on these allegations and, as the case proceeds, more details on the facts will come out, but there are a few key takeaways for plan fiduciaries in this latest cyber fraud lawsuit:
1. Understand key players’ duties and responsibilities. It is helpful for plan fiduciaries to understand what duties their service providers, such as recordkeepers, advisors, and consultants, take on and what responsibilities they retain.
Here, the plaintiff asserted that the recordkeeper is a “fiduciary” that “manages plan assets.” That would be very atypical, if true.
Many recordkeepers do not take on fiduciary status and instead operate under procedures adopted and approved by the plan sponsor. This complaint highlights the responsibilities of recordkeepers and how plan sponsors generally retain significant duties relating to the administration of the plan.
2. Review and understand service providers’ cybersecurity processes. Regardless of whether a service provider is a fiduciary, this complaint highlights the benefits of reviewing and understanding the cybersecurity processes that service providers have implemented.
These processes can range from multi-factor authentication to process flows and fraud detection solutions that are both human and technology based.
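The following is an added illustration, not code from the article, the complaint or any recordkeeper’s system, of how the three gaps alleged in the complaint could be closed in a recordkeeper’s workflow: no password reset by emailed code alone, notice of account changes on timely channels rather than paper mail only, and a hold on distributions to a newly added bank account. The hold period, notification channels, function names and dates are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed policy values (not from the article): how long a newly added bank
# account must age before it can receive a distribution, and which channels
# carry account-change notices (timely channels, not paper mail alone).
HOLD_DAYS = 10
NOTICE_CHANNELS = ("email", "sms", "paper mail")

@dataclass
class PlanAccount:
    bank_accounts: dict = field(default_factory=dict)  # bank_id -> date added
    notices: list = field(default_factory=list)        # every notice sent to the participant

def reset_password(acct: PlanAccount, via_email_code: bool, answered_questions: bool) -> bool:
    """An emailed one-time code alone must not bypass the online security questions."""
    if via_email_code and not answered_questions:
        acct.notices.append("password reset refused: security questions not answered")
        return False
    acct.notices.append("password changed; notice sent via " + ", ".join(NOTICE_CHANNELS))
    return True

def add_bank_account(acct: PlanAccount, bank_id: str, when: date) -> None:
    """Record when a destination was added and notify on every channel, not just paper."""
    acct.bank_accounts[bank_id] = when
    acct.notices.append(f"bank account {bank_id} added; notice sent via " + ", ".join(NOTICE_CHANNELS))

def request_distribution(acct: PlanAccount, bank_id: str, amount: float, when: date) -> str:
    """Hold any distribution to a destination younger than HOLD_DAYS for step-up verification."""
    added = acct.bank_accounts.get(bank_id)
    if added is None:
        return "denied"
    if (when - added) < timedelta(days=HOLD_DAYS):
        acct.notices.append(f"distribution of ${amount:,.0f} to {bank_id} held pending verification")
        return "held"
    acct.notices.append(f"distribution of ${amount:,.0f} to {bank_id} approved")
    return "approved"

def replay_complaint_timeline() -> dict:
    """Constructed replay of the sequence alleged in the complaint under these controls."""
    acct = PlanAccount()
    day0 = date(2020, 1, 1)  # constructed date, not from the complaint
    reset_ok = reset_password(acct, via_email_code=True, answered_questions=False)
    add_bank_account(acct, "new-bank", day0)
    outcome = request_distribution(acct, "new-bank", 245_000, day0 + timedelta(days=7))
    return {"reset_allowed": reset_ok, "distribution": outcome, "notices": acct.notices}

if __name__ == "__main__":
    for line in replay_complaint_timeline()["notices"]:
        print(line)
```

Under these assumed controls the emailed reset is refused and the seven-day transfer is held for verification, whereas an aged destination with a properly verified reset is approved.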
3. Review guarantees and insurance policies. It is impossible to identify and stop all cyber fraud and data breach attempts. Given this, plan fiduciaries may want to review their and their plan service providers’ guarantees and insurance policies (and their specific terms, given the constantly evolving cybersecurity landscape) to determine whether coverage might exist for fraudulent losses like those asserted in the Bartnett lawsuit.
Given the relatively small amount in question, $245,000, and the recent settlement in the similar Estee Lauder case, it would be surprising to see a judicial resolution. As a result, plan fiduciaries will have to confront the litigation risks caused by COVID-19’s forced shift to digital without clear guidance.
Allison Itami, David Levine, George Sepsakos, and Kevin Walsh are principals at Groom Law Group, Chartered. Groom is a Band 1 ranked firm nationally for employee benefits and executive compensation.