I previously wrote about a lawsuit filed against Abbott and recordkeeper Alight by a participant whose account was reduced by $245,000 when a hacker assumed her identity and requested distributions. (Bartnett v. Abbott Laboratories, 1:20-cv-02127)  According to the complaint, the hacker was assisted by an Alight employee when the account password couldn’t be changed online.

Many were hoping that this lawsuit would clarify the law in this area, and particularly the responsibilities of plan sponsors and recordkeepers. There has now been a preliminary decision in that case.

Abbott Defendants Are Dismissed.

The plaintiff named Abbott Labs as a defendant, but the court dismissed these claims on the ground that plaintiff did not show that Abbott Labs acted as a fiduciary or was identified as a fiduciary in the plan document. No acts were specified that linked Abbott to the alleged theft, and a complaint must allege that Abbott acted in a fiduciary capacity when it took actions that were the basis for the lawsuit.

Of course, ERISA requires that every plan have a named fiduciary, and that is usually the plan sponsor, whether by active designation or default. However, in this case, an individual named Marlon Sullivan had been appointed as administrator and named fiduciary.

Claims against the named fiduciary were also dismissed. The duty of loyalty was not breached because even if the plan website was misleading about account safeguards, the website was run by Alight, not Abbott or Sullivan. The allegation that Sullivan failed to monitor Alight was found to be conclusory because there was no allegation that there was a monitoring process in place. The court also assumed that the duty of prudence applied only to plan investments and not to safeguarding plan assets.

If you are shaking your head at this point, you are not alone.  If there is a duty to monitor, the failure to have or engage in a monitoring process could in itself be a fiduciary breach.  ERISA liability has not been limited to positive acts. Failure to do what you should have done has always been a basis for ERISA liability. Also, if Abbott Labs appointed Sullivan and he failed to do his job, they could be liable for failure to prudently monitor him.

The court also dismissed claims against the plan and Abbott corporate benefits. The plan may be a legal entity, but it cannot be sued for fiduciary breach. The court pointed out that Abbott Corporate Benefits was not a separate legal entity and that the plaintiff had confused it with the plan sponsor.

Abbot’s victory here might be temporary, as the court has permitted the plaintiff to file an amended complaint.  An amended complaint could fill the pleading gaps identified by the court and connect the Abbott defendants more clearly to the breach.

Alight Could Be A Fiduciary.

The court refused to dismiss the claims against Alight, finding that Alight might be a fiduciary because it had discretion and control over plan assets. That will be determined at trial.

Alight Could Also Be Liable under Illinois State Law.

The court refused to dismiss allegations that an Illinois consumer protection statute was violated, finding that the state law was not preempted by ERISA.  Alight may have committed an unfair business practice as defined in that law when Alight failed to implement security practices that would have prevented the theft, failed to protect personal information or to notify plaintiff promptly of changes to her account.  Again, these will be issues for trial.

Where Does This Leave Plaintiff?

Plaintiff can try to file an amended complaint specifying how the Abbott defendants are fiduciaries, and connecting their actions to the alleged breach. The amended complaint may or may not be acceptable to the court. Plaintiff still has claims against Alight, but even if Alight is found to be a fiduciary in this situation, plaintiff will have no ERISA remedy unless Alight is also found to have breached its fiduciary responsibilities on these facts. In that case, Alight would have to make up the loss. The decision doesn’t discuss available remedies under the Illinois law, but it presumably provides for plaintiff to be reimbursed for her loss. It is also possible that this case will be settled without a further resolution of these questions.

Need for Further Guidance.

We need more guidance from the Department of Labor clarifying the responsibilities of those involved in running a plan when a hacker is able to steal a participant’s account. Participants can’t control who the plan fiduciaries hire to hold plan assets or process distributions from the plan, and attempts to pursue hackers under the criminal laws are usually futile. Participants should not have resort only to the courts when they have lost their retirement fund through no fault of their own. On the other hand, plan fiduciaries are not insurers and it may be unfair for those who have appropriate procedures in place to prevent cybertheft to be held accountable if assets are nonetheless stolen. We know that no system is hackproof

Plan sponsors can take some steps to protect themselves while waiting for the law to develop. All plan sponsors should have cybersecurity insurance coverage in place to help deal with these situations. They should also have provisions in their services agreements dealing with cybersecurity and requiring their service providers to maintain their own cybersecurity insurance.  Service providers such as Alight also need to develop good security procedures with input from experts and to implement employee training that reinforces the need to always follow those procedures.