On February 8, 2021, the US District Court for the Northern District of Illinois handed down a decision in Bartnett v. Abbott Laboratories, dismissing plaintiff’s claims against defendant sponsor fiduciaries in a case involving the theft of $245,000 in plaintiff’s Abbott retirement plan account. In an earlier (October 2, 2020) decision, the court allowed plaintiff’s claim against Alight Solutions, LLC, which (among other things) administered the Abbott Benefits Center, to proceed.
Particularly interesting for plan sponsors is the court’s discussion of the sponsor fiduciary’s standard of care with respect to a plan provider’s “cybersecurity.”
The facts of the case illustrate the kinds of security risks retirement plans face in a largely internet-based, internet-administered retirement system.
Summarizing: In December 2018 an identity thief gained access to plaintiff Bartnett’s account (having previously obtained her Social Security Number and access to her email), reset her password, and added “direct [deposit] information for a SunTrust bank account that was not hers.” The thief then proceeded to authorize the transfer of $245,000 from the participant’s account to that SunTrust account, through a process that involved, among other things, some problem-solving conversations between the thief and an (Alight) Abbott Benefits Center representative.
The timing on what happened next is instructive. Quoting the court:
The imposter made another call to the service center … on January 9, asking if the funds had been successfully transferred to the SunTrust bank account. The service representative reported that the transfer request had been processed and that the funds would be available on January 14. Also on January 9, a letter was sent via first class U.S. Mail to Bartnett advising her of the transfer. Bartnett did not receive the letter until January 14. She called the service center on January 15, and the service representative immediately froze Bartnett’s Retirement Plan account. According to Bartnett, she would have been able to halt the transfer had she received immediate notification of it via email. [Citations to the record omitted.]
Bartnett was ultimately able to recover $108,485 of the stolen funds. She rejected “a ‘take-it-or-leave-it’ offer [from Abbott] that restored only a fraction of the funds that had been stolen” and brought this complaint.
Plaintiff sued both Alight and the Abbott plan fiduciaries. As noted, plaintiff’s claims against Alight are going forward. We focus on the claims against the sponsor fiduciaries, and especially the standard of care applicable to their hiring/monitoring Alight, as articulated by the court.
As a general matter, the court held that to avoid a motion to dismiss a plaintiff claiming ERISA imprudence must “plausibly allege action that was objectively unreasonable.” (Emphasis added.)
Plaintiff alleged that ERISA’s fiduciary prudence standard makes a fiduciary responsible for “safeguarding of data and prevention of scams.” In this regard, she claimed the Abbott fiduciaries “fail[ed] to monitor other fiduciaries’ [i.e., Alight’s] distribution processes, protocols, and activities.” In its initial decision (October 2020), the court found this assertion to be “nothing more than speculation” and dismissed plaintiff’s original complaint.
In her amended complaint, plaintiff claimed that the Abbott fiduciaries knew:
[T]hat Alight “[fumbled] cybersecurity and data privacy” responsibilities, “lack[ed] experience with retirement plans,” “fail[ed] to provide quality plan administration services,” “[had] inadequate policies and practices,” and was subject to “recent litigation and/or enforcement actions.”
In support of this claim, plaintiff listed seven public incidents involving Alight (or its predecessor Aon Hewitt), some involving errors by Alight or Aon Hewitt.
The court’s decision
The court found that plaintiff’s additional allegations were insufficient to defeat a (second) motion to dismiss. With respect to the prudence of hiring (in 2003)/re-hiring (in 2015) Alight/Aon Hewitt, the court found that:
[T]he incidents that pre-date Alight’s rehiring [in 2015] do not give rise to the inference that renewing Alight’s contract was objectively unreasonable. Indeed, the two incidents that occurred before Alight was rehired were limited in size and scope, did not involve significant lapses in security protocols, and no client funds were stolen. … Although an investigation by the Abbott Defendants in 2015 would have shown that two isolated incidents occurred under Aon Hewitt’s watch, Aon Hewitt presumably handled tens of thousands of customer transactions that year, and rehiring a plan administrator with a less-than-perfect track record does not plausibly allege imprudent conduct. That is especially so given that neither incident seemed to involve Alight’s performance on behalf of the Abbott Labs Stock Retirement Plan.
With respect to the Abbott fiduciaries’ ongoing duty to monitor, in a similar vein, the court found that, while plaintiff’s amended complaint contained “over a dozen new allegations, … none of them speak to whether the Abbott Defendants monitored (or failed to monitor) Alight’s performance vis-à-vis the Abbott Labs Stock Retirement Plan. The allegations focus instead on Alight’s performance as an administrator for other plans …, and the Court cannot reasonably infer that the Abbott Defendants breached their duty to monitor based on incidents that did not involve them.”
Takeaways for sponsors
- Two elements of the court’s decision are significant:
  - The fiduciary need not hold a provider to a “standard of perfection.” That is, hiring/retaining a provider with “a less-than-perfect track record” does not make the fiduciary imprudent.
  - Incidents of error by a provider not related to the plan are generally not significant. It is worth considering how far a court might be willing to go with this sort of approach – that is, how notoriously error-prone would a provider have to be to put a fiduciary on notice?
- These cases are not going to involve “easy” facts. They will often involve relatively innocent participants who have been victimized, have lost assets on which they depend to make ends meet, and have no remedy other than suing the plan fiduciaries and the provider. It seems likely that we will see similar cases litigated in other courts that may reach different conclusions.
- Sponsor fiduciaries have a duty to prudently hire and monitor service providers (including, e.g., service center operators). They will want to consult with counsel about what this duty may involve, and they will want to be in a position to prove the steps they have taken to determine whether their providers’ cybersecurity safeguards are adequate.
* * *
We will continue to follow these issues.