November 26, 2020

Volume X, Number 331

Advertisement

November 25, 2020

Subscribe to Latest Legal News and Analysis

November 24, 2020

Subscribe to Latest Legal News and Analysis

November 23, 2020

Subscribe to Latest Legal News and Analysis

Plan Sponsor and Plan Administrator Escape 401(k) Plan Cybertheft Suit, But Recordkeeper Remains

An Illinois district court issued a split decision in a case involving the cybertheft of retirement plan assets, allowing the plan administrator and plan sponsor to be dismissed, but requiring the recordkeeper to defend allegations that it breached its fiduciary duties under the Employee Retirement Income Security Act (ERISA). Bartnett v. Abbott Laboratories, et. al. (N.D. Illinois, Case No. 1:20-cv-02127) is one of several recent lawsuits filed against plan sponsors and recordkeepers for allowing cyber-thieves to pilfer large distributions from participants’ retirement plan accounts.

Heide Bartnett, a former employee of Abbott Laboratories (Abbott) and participant in Abbott’s 401(k) plan, alleges that a hacker accessed her 401(k) account online, changed the password, added a new bank account and requested a $245,000 distribution from the 401(k) plan’s recordkeeper, Alight Solutions LLC (Alight) to be deposited into the newly added account. The imposter also called Alight several times to ask questions about the distribution.

According to the complaint, Alight made the distribution and sent notice of same to Bartnett via mail, even though her stated preference was for email notifications. Bartnett alleges that her retirement funds were already gone by the time she received the notice. Bartnett sued the plan, Abbott as the plan sponsor and plan administrator, and Alight as the recordkeeper, for breaches of fiduciary duty under ERISA, and asserted a state law claim against Alight for violating the Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA). All defendants filed motions to dismiss, and on October 2, 2020, U.S. District Judge Thomas M. Durkin issued a decision that dismissed the Abbott defendants, but kept Alight in the case.

ERISA Claims Against Plan Sponsor and Plan Administrator Are Dismissed

Judge Durkin granted Abbott’s motion to dismiss finding that Bartnett failed to allege any fiduciary acts taken by Abbott as the plan sponsor that led to the alleged theft, noting that the claims are nothing more than a formulaic recitation of ERISA’s fiduciary duties. According to the court, Bartnett failed to sufficiently allege that Abbott met the statutory definition of a fiduciary, as she did not allege that Abbott performed any fiduciary acts, let alone any acts related to the theft.

Similarly, while acknowledging that the Abbott plan administrator owed a fiduciary duty to Bartnett, Judge Durkin found the complaint failed to allege any facts that indicated a breach of that duty and dismissed those claims as well. The court reasoned that Alight operated the 401(k) plan website and Bartnett did not claim that the plan administrator knew of unauthorized attempts to access her account. The court also dismissed the plan as an improper defendant in a breach of fiduciary duty claim. Despite dismissing all Abbott defendants, Judge Durkin gave Bartnett 21 days to amend her complaint to cure the deficiencies described in his order.

ERISA Claims Against Recordkeeper Can Move Forward

By contrast, the court noted that the complaint alleged “far more than legal conclusions concerning Alight,” including a catalogue of “repeated actions taken by Alight related to the Retirement Plan and its assets, including, most importantly, the disbursement of $245,000 in plan assets.” Alight argued that it was not a fiduciary because it performed only “ministerial functions” related to plan administration. The court disagreed, noting that the complaint provides sufficient allegations “to infer that Alight acted as a fiduciary by exercising discretionary control or authority over the plan’s assets” and therefore denied Alight’s motion to dismiss.

ERISA Preemption Does Not Apply to ICFA Claims Against Recordkeeper

Bartnett brought a separate state law claim against Alight under the ICFA, which prohibits “unfair or deceptive acts or practices … in the conduct of any trade or commerce.” Alight argued that it should be dismissed because it was preempted by ERISA and Bartnett did not sufficiently allege a deceptive or unfair act. Judge Durkin concluded that ERISA preemption did not apply because the claim was “premised on the allegations that Alight misrepresented the quality of its services and engaged in an unfair business practice, which have little to no bearing on the plan itself.”

Barnett’s allegations that Alight failed to implement proper security procedures that resulted in the improper withdrawal of her retirement funds were “activities that occurred outside the terms of the plan.” Thus, the ICFA claim was not preempted. Next the court looked to the sufficiency of the claim. While Bartnett did not allege facts to state a claim for deceptive practices, the unfair business practices claim was adequately pled and Judge Durkin denied Alight’s motion to dismiss the ICFA claim.

Takeaways from Cybertheft Cases

Bartnett’s complaint and similar lawsuits confirm that cybertheft of retirement plan accounts is on the rise. The remote working environment caused by COVID-19 has further increased that threat, as electronic communications heighten the risk that cybercriminals will access confidential information. These cases are reminders that plan fiduciaries should review cybersecurity procedures maintained internally and by service providers. Such a review includes ensuring that distribution request processes are designed to catch suspicious activity and quickly alert participants of any account changes — including accessing the account from a new device, changing a password, adding a new bank account, and, of course, making a distribution request. With such large sums of retirement funds on the line, fiduciaries and service providers must ensure that protective procedures are not only in place but also being followed.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.National Law Review, Volume X, Number 295
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

Kimberly A. Jones Partner Chicago  ERISA-related matters
Partner

Kimberly Jones advocates for clients in a broad range of ERISA-related matters in federal courts throughout the country. She is co-leader of the firm’s ERISA litigation team, and a member of the benefits and executive compensation practice group.

ERISA Litigation

Kim litigates claims involving denials of life, health, disability, pension, retiree medical, and severance benefits; breaches of fiduciary duty; prohibited transactions; and ERISA Section 510 violations on behalf of plans, plan sponsors, plan fiduciaries, and third party administrators. She has defended plan...

312-569-1296
K.Elise Norcini, Drinker Biddle Law Firm, Corporate and Tax Attorney
Associate

K. Elise Norcini provides representation to a variety of corporate, institutional and tax-exempt clients regarding employee benefits and executive compensation issues. Elise is a contributor to Drinker Biddle’s Broker-Dealer Law Blog, which provides practical insights on litigation, regulatory, compliance and fiduciary issues impacting broker-dealers.

Prior to joining Drinker Biddle, Elise was in-house legal counsel at The Northern Trust Company and, in part, represented Northern in...

312-569-1294
Advertisement
Advertisement