Plan Sponsor and Plan Administrator Escape 401(k) Plan Cybertheft Suit, But Recordkeeper Remains
An Illinois district court issued a split decision in a case involving the cybertheft of retirement plan assets, allowing the plan administrator and plan sponsor to be dismissed, but requiring the recordkeeper to defend allegations that it breached its fiduciary duties under the Employee Retirement Income Security Act (ERISA). Bartnett v. Abbott Laboratories, et al. (N.D. Illinois, Case No. 1:20-cv-02127) is one of several recent lawsuits filed against plan sponsors and recordkeepers for allowing cyber-thieves to pilfer large distributions from participants’ retirement plan accounts.
Heide Bartnett, a former employee of Abbott Laboratories (Abbott) and participant in Abbott’s 401(k) plan, alleges that a hacker accessed her 401(k) account online, changed the password, added a new bank account and requested a $245,000 distribution from the 401(k) plan’s recordkeeper, Alight Solutions LLC (Alight), to be deposited into the newly added account. The imposter also called Alight several times to ask questions about the distribution.
According to the complaint, Alight made the distribution and sent notice of same to Bartnett via mail, even though her stated preference was for email notifications. Bartnett alleges that her retirement funds were already gone by the time she received the notice. Bartnett sued the plan, Abbott as the plan sponsor and plan administrator, and Alight as the recordkeeper, for breaches of fiduciary duty under ERISA, and asserted a state law claim against Alight for violating the Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA). All defendants filed motions to dismiss, and on October 2, 2020, U.S. District Judge Thomas M. Durkin issued a decision that dismissed the Abbott defendants, but kept Alight in the case.
ERISA Claims Against Plan Sponsor and Plan Administrator Are Dismissed
Judge Durkin granted Abbott’s motion to dismiss, finding that Bartnett failed to allege any fiduciary acts taken by Abbott as the plan sponsor that led to the alleged theft, and noting that the claims are nothing more than a formulaic recitation of ERISA’s fiduciary duties. According to the court, Bartnett failed to sufficiently allege that Abbott met the statutory definition of a fiduciary, as she did not allege that Abbott performed any fiduciary acts, let alone any acts related to the theft.
Similarly, while acknowledging that the Abbott plan administrator owed a fiduciary duty to Bartnett, Judge Durkin found the complaint failed to allege any facts that indicated a breach of that duty and dismissed those claims as well. The court reasoned that Alight operated the 401(k) plan website and Bartnett did not claim that the plan administrator knew of unauthorized attempts to access her account. The court also dismissed the plan as an improper defendant in a breach of fiduciary duty claim. Despite dismissing all Abbott defendants, Judge Durkin gave Bartnett 21 days to amend her complaint to cure the deficiencies described in his order.
ERISA Claims Against Recordkeeper Can Move Forward
By contrast, the court noted that the complaint alleged “far more than legal conclusions concerning Alight,” including a catalogue of “repeated actions taken by Alight related to the Retirement Plan and its assets, including, most importantly, the disbursement of $245,000 in plan assets.” Alight argued that it was not a fiduciary because it performed only “ministerial functions” related to plan administration. The court disagreed, noting that the complaint provides sufficient allegations “to infer that Alight acted as a fiduciary by exercising discretionary control or authority over the plan’s assets” and therefore denied Alight’s motion to dismiss.
ERISA Preemption Does Not Apply to ICFA Claims Against Recordkeeper
Bartnett brought a separate state law claim against Alight under the ICFA, which prohibits “unfair or deceptive acts or practices … in the conduct of any trade or commerce.” Alight argued that the claim should be dismissed because it was preempted by ERISA and because Bartnett did not sufficiently allege a deceptive or unfair act. Judge Durkin concluded that ERISA preemption did not apply because the claim was “premised on the allegations that Alight misrepresented the quality of its services and engaged in an unfair business practice, which have little to no bearing on the plan itself.”
Bartnett’s allegations that Alight failed to implement proper security procedures, which resulted in the improper withdrawal of her retirement funds, concerned “activities that occurred outside the terms of the plan.” Thus, the ICFA claim was not preempted. Next, the court looked to the sufficiency of the claim. While Bartnett did not allege facts to state a claim for deceptive practices, the unfair business practices claim was adequately pled, and Judge Durkin denied Alight’s motion to dismiss the ICFA claim.
Takeaways from Cybertheft Cases
Bartnett’s complaint and similar lawsuits confirm that cybertheft of retirement plan accounts is on the rise. The remote working environment caused by COVID-19 has further increased that threat, as electronic communications heighten the risk that cybercriminals will access confidential information. These cases are reminders that plan fiduciaries should review cybersecurity procedures maintained internally and by service providers. Such a review includes ensuring that distribution request processes are designed to catch suspicious activity and quickly alert participants of any account changes — including accessing the account from a new device, changing a password, adding a new bank account, and, of course, making a distribution request. With such large sums of retirement funds on the line, fiduciaries and service providers must ensure that protective procedures are not only in place but also being followed.