Fighting Cyber Fraud: Two Case Studies of Claims Against Recordkeepers
“Did you hear? Another recordkeeper was sued for cyber fraud!” Recordkeepers have heard this line a lot lately. But around the watercooler, such stories often blur together. The details get lost, and that can make it harder for registered investment advisors to understand the risk of the cyber fraud making the headlines — and take the proper steps to protect themselves.
A deeper level of detail about what is happening in these cases can help, and there are plenty of examples to pick from. The two case studies that follow are quite similar in some ways. Both involved unauthorized distribution requests that ultimately led to big lawsuits and set legal precedents for the entire fiduciary industry. However, each incident is also unique, which helps to show the range of cyber liability risks you may face as an advisor.
Here’s a look at what happened in these two situations and what recordkeepers can do to lower their risk and protect themselves.
Case Study: Berman v. Estee Lauder, Inc.
In Berman v. Estee Lauder, Inc. (N.D. Cal. Oct. 9, 2019), a plan sponsor, a recordkeeper and a custodian all had to defend their cybersecurity practices in the face of unauthorized distributions. Here’s what happened.
Back in 1998, Naomi Berman started working at MAC Cosmetics, a division of Estee Lauder, in her native San Francisco. During her employment, she contributed to a 401(k) employee benefits plan sponsored by Estee Lauder and received matching contributions from the company.
Although working full time at MAC, she was also studying to become a teacher. Finishing her education, she took a new job with the San Francisco Unified School District and parted ways with MAC, Estee Lauder and the cosmetics industry in 2006. But, like many employees do when they change jobs, she opted to leave her balance at Estee Lauder. For the next ten years, all was well.
As a former plan participant, Berman received quarterly paper statements from the plan recordkeeper, Hewitt Associates LLC (now known as Alight Solutions LLC), which by June 30, 2016, showed her plan savings had grown to more than $90,000. However, the next plan communications she received left her worried and confused:
- First, a “confirmation of payment” document arrived by mail around October 24, 2016, stating that a $37,000 distribution had been made from her account two weeks earlier on October 10 to a checking account at SunTrust Bank.
- Another payment confirmation notice came in the following days, this time showing that a $50,000 distribution had been paid to a checking account at TD Bank on October 18.
- Finally, the third-quarter statement for her account arrived, showing that yet another $12,000 disbursement had been made to an account at Woodforest National Bank on September 29. While this distribution’s date preceded the other two, she learned about it last and never received a separate confirmation notice for it.
Berman had not requested or approved any distributions from her account, nor did she have accounts at any of the banks the notices listed. Hewitt/Alight, the recordkeeper, operated a customer service call center, which told Berman her account then showed a balance of $3,791. Berman reported the theft to the recordkeeper, contacted the police, notified the FBI and placed a fraud alert on her credit.
On November 7, 2016, Berman got an email from the plan’s custodian, State Street Bank & Trust Co., requesting she complete affidavit of forgery forms. She returned the paperwork and continued to contact the customer service center asking for more information. In January 2017, Berman was told by the customer service center that its investigation was complete and that her account would not be made whole. After that, she received no further correspondence from Estee Lauder, State Street Bank or Hewitt/Alight.
Berman eventually filed suit in October 2019, seeking to have her account made whole. The lawsuit named Estee Lauder Inc., the employer; Estee Lauder’s Benefits Committee, the plan sponsor; Hewitt/Alight, the recordkeeper; and State Street Bank, the plan custodian. The claim alleged that all four parties violated portions of ERISA 409, ERISA 502(a)(2), 29 U.S.C. 1109 and 29 U.S.C. 1132(a)(2). A second claim in the lawsuit also alleged that the Benefits Committee violated ERISA 502(c) and 29 U.S.C. 1132(c) for failing to provide requested plan information to Berman and her lawyers.
In the end, Berman, Estee Lauder and Hewitt/Alight were able to reach a settlement for an undisclosed amount. While the custodian, State Street Bank, was also named in the original lawsuit, it was later released and not a party to the settlement.
A few key takeaways from this example stand out:
- Plans have long timelines. An account can go decades without a problem, but a sudden increase in activity could be a red flag.
- Unverified or poorly verified distributions are very risky and notification by mail is likely to be too slow to catch fraud.
- Plan participants want to understand what happened. An opaque process may make lengthy and costly litigation more likely.
- Unacknowledged and/or unfulfilled legal requests like those alleged in the lawsuit may lead to greater exposure and additional costs.
- Recordkeepers are definitely at risk, especially if they interface with participants, manage accounts and/or process distributions.
Case Study: Bartnett v. Abbott Laboratories et al.
In the more recent case of Bartnett v. Abbott Laboratories et al. (N.D. Ill. Oct. 2, 2020), a plan sponsor and a recordkeeper both faced a lawsuit over an unauthorized distribution. In this case the defendants chose not to settle, which has led to an interesting legal situation for both the sponsor and the recordkeeper. Here’s an update on where the case stands since we last looked at it.
Heide Bartnett spent most of her career working as a medical sales professional in the Chicago area. She worked for Abbott Laboratories until 2012, then left for another medical sales position elsewhere.
In 2019 at the age of 59, she planned to finally retire for good. She had big plans for the future, thinking that after her husband sold his dry cleaning business, they would move someplace warmer.
Though Bartnett finished her professional career elsewhere, she chose to keep her retirement savings in the Abbott Labs stock retirement plan where she had been a participant. Like the Estee Lauder plan, the Abbott Labs plan was managed by Alight Solutions LLC, one of the largest recordkeepers in the country.
The Abbott Labs retirement account served as Bartnett’s primary retirement savings, reaching a balance of $362,510.84 by December 2018. But shortly after, Bartnett’s plans for her savings and her retirement would be thrown into question by the theft. A detailed timeline of the incident follows:
- December 29: A fraudster hacked Bartnett’s email and used it to reset her password on the Abbott Benefits website. The hacker added direct deposit information for a SunTrust bank account.
- December 30: Someone called the Abbott Benefits Center claiming to be Bartnett and saying she was having trouble processing a distribution. A customer service representative told the caller the distribution could be processed after a seven-day wait for new direct deposit accounts.
- January 1: A paper notice confirming the addition of the direct deposit account was mailed to Bartnett, but because she had set her preferred contact method to email, she missed what would have been her first clue that her retirement account had been compromised.
- January 4: Bartnett’s husband attempted to log into the account. When their old password failed to work, he answered the security questions to reset the password to view the account. Bartnett received this notice by email.
- January 8: Unable to access the online account, the fraudster called the customer service line again. A verification code was again sent to Bartnett’s email, and the representative helped the caller initiate a transfer of $245,000 to the SunTrust account.
- January 9: The fraudster called the customer service line again to check on the transfer and was told the distribution was processing and would be available on January 14. The same day, a notification was mailed to Bartnett confirming the transfer request.
Bartnett received the transfer notification on January 14, the same date that the funds became available to the fraudster. She called the call center the following day and was able to freeze her Abbott account. Bartnett next contacted the police, who subpoenaed SunTrust Bank, Alight and the Abbott Benefits Center to request the records related to Bartnett’s account and the fraudulent transfer. A number of details came to light in the investigation:
- The online fraudster accessed the website from an Indian IP address.
- The calls to the call center came from numbers not associated with Bartnett or her account.
- Account alerts Bartnett was supposed to receive via email never arrived. It is unknown whether the thief deleted the emails or changed the account preferences.
- The customer service representative did not ask the unknown caller any security questions to receive information about the account or to process the transfer.
Bartnett also hired a lawyer to assist with recovering the funds. Attorneys for Bartnett and Abbott Labs corresponded regularly for months. Initially, $48,991 that had been withheld from the withdrawal for tax purposes was returned to the account by the Abbott Benefits Center. A further $59,494 that had reached the SunTrust account was also recovered. But $136,515 of the stolen funds could not be recovered. In December 2019, attorneys for Abbott Labs told Bartnett that her account would not be made whole and reportedly made a final offer to restore a fraction of the missing funds.
Bartnett responded by filing a lawsuit against Abbott Labs, Abbott Corporate Benefits, Abbott Laboratories Stock Retirement Plan, Marlon Sullivan, Abbott’s named plan fiduciary, and Alight Solutions LLC. The lawsuit has taken several unusual turns since.
In a preliminary hearing, U.S. District Judge Thomas Durkin granted a motion to dismiss without prejudice for all defendants except Alight, the recordkeeper. However, Durkin also noted a number of specific deficiencies in the complaint and gave Bartnett leave to file an amended complaint addressing them.
As Alight moved forward to the discovery phase, Bartnett filed her first amended complaint. The judge again noted remaining deficiencies and dismissed the complaint without prejudice, telling Bartnett she would have an opportunity to file a second and final amended complaint against the Abbott Labs defendants, with the benefit of discovery materials from Alight.
More takeaways can be drawn from this example:
- Cyber fraud isn’t always limited to online methods. It can also involve phone or even in-person communications.
- Email accounts can be hacked, so email verification alone may not completely protect the security of plan accounts or plan assets.
- Without the help of the customer service representative, the fraudster wouldn’t have been able to complete the theft from Bartnett.
- Verifying the identity of callers through caller ID or security questions could help reduce the risk of fraud.
- Without processes and systems in place to flag a series of unusual account actions, the risk to plan assets is increased.
- Plan administrators may still risk costly and lengthy litigation, even if they initially prevail in a motion to dismiss.
- Recordkeepers are at high risk and may face forms of liability that the employer, plan sponsor or plan custodian do not.
- Courts may judge the responsibility of an administrative party by the actions they take, and not just their defined relationship to the plan and participants.
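As an added illustration, not code from Alight, Abbott or this article, here is a hypothetical rule set that scores the sequence of account events described in the timeline above and holds a distribution for out-of-band verification when the pattern of credential reset, new payee, unverified call and large withdrawal appears; the phone numbers, home country, point values, threshold and event log are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical scoring rules for an added illustration, not Alight's or Abbott's real controls.
LOOKBACK = timedelta(days=30)        # longer than the seven-day new-payee hold, which the fraudster waited out
REGISTERED_PHONES = {"+15550100"}    # constructed: phone number on file for the participant
HOME_COUNTRY = "US"                  # constructed: country of the participant's usual logins

@dataclass
class Event:
    ts: datetime
    kind: str          # password_reset | payee_added | call | distribution_request
    meta: dict = field(default_factory=dict)

def score_distribution(events, balance):
    """Score the latest distribution request against the account's recent history;
    the target pattern is credential reset -> new payee -> unverified call -> large withdrawal."""
    req = max((e for e in events if e.kind == "distribution_request"), key=lambda e: e.ts)
    recent = [e for e in events if req.ts - LOOKBACK <= e.ts <= req.ts]
    new_payees = {e.meta.get("account") for e in recent if e.kind == "payee_added"}
    checks = []
    for e in recent:
        checks.append((e.kind == "password_reset" and e.meta.get("country") != HOME_COUNTRY,
                       30, "password reset from unfamiliar country"))
        checks.append((e.kind == "payee_added", 25, "new direct deposit account added recently"))
        checks.append((e.kind == "call" and e.meta.get("from") not in REGISTERED_PHONES,
                       15, "call from a number not on file"))
        checks.append((e.kind == "call" and not e.meta.get("security_questions_asked", True),
                       15, "call handled without security questions"))
    checks.append((req.meta["amount"] >= 0.5 * balance, 20, "withdrawal exceeds half of balance"))
    checks.append((req.meta.get("payee") in new_payees, 20, "funds directed to a newly added payee"))
    hits = [(pts, why) for ok, pts, why in checks if ok]
    return sum(p for p, _ in hits), sorted({w for _, w in hits})

def decide(events, balance, threshold=60):
    """HOLD_FOR_VERIFICATION: confirm out of band (call-back to the phone on file, paper letter) before money moves."""
    score, reasons = score_distribution(events, balance)
    return ("HOLD_FOR_VERIFICATION" if score >= threshold else "RELEASE"), score, reasons

# Constructed event log modelled on the Bartnett timeline; values are illustrative.
SAMPLE_EVENTS = [
    Event(datetime(2018, 12, 29, 10, 0), "password_reset", {"country": "IN"}),
    Event(datetime(2018, 12, 29, 10, 5), "payee_added", {"account": "new-checking-1"}),
    Event(datetime(2018, 12, 30, 9, 0), "call", {"from": "+15550999", "security_questions_asked": False}),
    Event(datetime(2019, 1, 8, 11, 0), "call", {"from": "+15550998", "security_questions_asked": False}),
    Event(datetime(2019, 1, 8, 11, 10), "distribution_request", {"amount": 245000, "payee": "new-checking-1"}),
]
if __name__ == "__main__":
    print(decide(SAMPLE_EVENTS, balance=362510.84))
```

The lookback deliberately exceeds the seven-day new-payee hold, because in this case the fraudster added the bank account on December 29 and simply waited until January 8 to request the transfer.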
Cyber Insurance Protection for Recordkeepers
Cyber fraud is a complex threat. A plan participant’s account can go years without a problem, yet be compromised and pilfered in days. Thieves can be surprisingly bold and persistent, and when a theft is successful, plan participants will sue to get their money back.
Recordkeepers can take steps to lessen the risk, such as instituting robust account security and active account monitoring, but these may not be enough to prevent all fraudulent transfers. Instead, specific insurance protection against cyber fraud is often needed.
A cyber liability policy can protect you against fraudulent instruction requests and losses to a participant’s account. With Lockton Affinity Advisor, our Cyber Liability insurance coverage is tailored to meet the needs of recordkeepers plus other retirement plan professionals. To learn more, visit LocktonAffinityAdvisor.com or call (844) 406-5958.