By now, most of us have heard that a plan participant in the Colgate-Palmolive 401k plan suffered a cyber theft of her entire account balance, and sued the plan fiduciaries, the recordkeeper, and the bank custodian. Cyber theft of retirement plan assets is a common occurrence, but most cases are resolved when the recordkeeper restores the participant’s account balance. For some unknown reason, however, the recordkeeper in this case chose to fight the participant’s claim. And now, we learn that all three defendants are fighting back. Three motions to dismiss have been filed disclaiming any liability for the loss of the participant’s account balance: (1) the Colgate plan committee disclaims any fiduciary responsibility for the “unfortunate” loss of the participant’s entire account balance because it was caused, not by anything the plan fiduciaries did, but by a “complex, international fraud that occurred through no fault of the Committee”; (2) Alight as the plan recordkeeper disclaims responsibility for “this unfortunate loss” because it did not serve as a plan fiduciary in that it was a “ministerial administrative service provider” and had no discretionary control over the Plan or disposition of any Plan assets; and finally (3) the Bank of New York Mellon as the custodian of the plan assets “is not to blame” as the directed trustee because its ministerial role in cutting the check to the fraudster was non-discretionary and thus also not a fiduciary function or cause of the loss.
Stripping away the ERISA legalese, every entity in the chain of custody is disclaiming fiduciary liability. To the extent there is any explanation of what happened, the Plan Committee blames the “unfortunate” loss on the lack of security of the South African mail system. It is essentially saying that neither the recordkeeper nor the plan fiduciaries bear fiduciary responsibility when the recordkeeper is fooled by a fraudster impersonating a plan participant. The defendants feel bad about the “unfortunate” loss to the participant, but they offer no remedy to restore her lost account balance.
As a legal matter, all three defendants may be correct that they bear no legal responsibility under fiduciary law. But if that is true, then what is the solution for participant account theft? This is an issue that affects every retirement plan participant in America. We are all at risk of logging into our retirement plan and discovering that all of the assets have been withdrawn through cyber fraud. If the plan fiduciaries and the recordkeeper escape any liability in this case, then we have a liability gap in America’s retirement system for cyber theft – something that happens with great frequency. We need a practical solution that respects the types of reasonable fiduciary arguments made by the plan fiduciaries and the recordkeeper in this case, but provides a solution for innocent participants. The obvious solution is to require plan fiduciaries to seek contractual indemnification from the recordkeeper to guarantee participant account security, or require the recordkeeper to maintain insurance coverage for cyber fraud. The recordkeeper needs to take responsibility for participant account safety, and if fiduciary law does not protect plan participants, then we need recordkeepers to provide contractual security guarantees or an insurance backstop. To the extent that recordkeepers or insurance companies take the position that participant account security is something that cannot be guaranteed or constitutes an uninsurable event, then we need a federal backstop.
There has to be a better answer than saying “I’m sorry” to a plan participant who has lost her entire account balance. We explore these issues after our summary of the case and the position of each defendant in its respective motion to dismiss.
The Colgate Participant Account Fraud
On July 7, 2022, Paula Disberry, as a participant in the Colgate-Palmolive Employee Savings and Investment (401k) Plan, filed an ERISA complaint against the Colgate plan fiduciary committee, Alight Solutions as the plan’s recordkeeper, and BNY Mellon as the plan custodian, seeking restoration of her 401k account balance that had been distributed to a fraudster. See Disberry v. Employee Relations Committee of the Colgate-Palmolive Company, Case No. 22-CV-5778 S.D.N.Y. The complaint states that “[o]n September 14, 2020, Ms. Disberry was informed that the entire balance of her Plan account, totaling $751,430.53, had been distributed from the Plan in a single taxable lump sum, even though at no point had she authorized or received any such distribution.” She alleges that on January 29, 2020, an unauthorized person contacted the Benefits Information Center operated by Alight by telephone, falsely identified herself as Disberry, and requested to update Disberry’s contact information on file with the Plan. Upon Alight’s request, the caller provided Disberry’s name, the last four digits of her social security number, her date of birth and the address that had been on file since at least 2017. Alight then sent a temporary personal identification number (PIN) by mail to Plaintiff’s physical address in South Africa. Disberry alleges that an unauthorized person(s) “intercepted Ms. Disberry’s mail and stole the temporary PIN.”
On February 24, 2020, the fraudster again contacted the Alight Benefits Information Center, used the temporary PIN to create a new permanent PIN, and then changed Disberry’s phone number and added an email address. Subsequently, the fraudster spoke with an Alight representative about how to reset Disberry’s user ID and password, and then changed Disberry’s user ID and password. On March 17, 2020, the fraudster requested a complete distribution via the Alight website for the plan, and changed the address of record to a location in Las Vegas, Nevada. The same day, the fraudster called the Benefits Information Center and was advised that the distribution could not be made by direct deposit. The fraudster then requested a distribution by paper check.
A check in the amount of $601,144.42 (after federal taxes were withheld) and made payable to Paula Disberry was mailed to the Las Vegas address. The check was then manually endorsed in the name of Paula Disberry and deposited at a Bank of America branch in Las Vegas into an account in the name of Paula Disberry. Disberry discovered the fraud on September 14, 2020 when logging onto her account on the Alight website. She then contacted Colgate-Palmolive, who contacted Alight, and Alight placed a freeze on her account.
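The sequence of events above is the textbook account-takeover pattern that payout-monitoring controls are designed to catch: a chain of contact and credential changes, followed by a full distribution to an address changed the same day. As an added illustration (not part of the original post, and not a description of Alight’s or the plan’s actual procedures), the following Python rule reconstructs the timeline from the dates alleged in the complaint and holds the distribution for out-of-band verification through the contact channels that were on file before the changes. The bracketed contact values, the 60-day lookback window, and the date of the password reset (the complaint gives none) are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Event:
    """One entry in a participant's account history (constructed for this example)."""
    when: date
    kind: str            # "contact_change", "credential_change" or "distribution_request"
    attribute: str = ""  # address, phone, email, pin, password, full_lump_sum, ...
    old: str = ""        # value before the change; "" when unknown or not applicable
    new: str = ""        # value after the change


# Timeline taken from the dates alleged in the Disberry complaint. Bracketed values
# are placeholders; the page does not give the real contact details. The password
# reset date is not stated on the page and is placed with the Feb. 24 changes.
TIMELINE = [
    Event(date(2020, 1, 29), "credential_change", "temporary_pin", new="mailed to address of record"),
    Event(date(2020, 2, 24), "credential_change", "pin", old="temporary", new="permanent"),
    Event(date(2020, 2, 24), "contact_change", "phone", old="<phone on file>", new="<fraudster phone>"),
    Event(date(2020, 2, 24), "contact_change", "email", old="", new="<fraudster email>"),
    Event(date(2020, 2, 24), "credential_change", "password"),
    Event(date(2020, 3, 17), "contact_change", "address", old="<South Africa address>", new="<Las Vegas address>"),
    Event(date(2020, 3, 17), "distribution_request", "full_lump_sum"),
]

LOOKBACK = timedelta(days=60)  # assumed policy window for what counts as a "recent" change


def review_distribution(events, request, lookback=LOOKBACK):
    """Decide whether a distribution request is released or held for verification.

    Rule: the payout is held whenever any contact or credential change occurred
    within the lookback window before the request. Verification is routed to the
    channels on file *before* those changes, because the new ones may belong to
    the attacker. A dict is returned so the caller can log and act on the decision.
    """
    recent = [
        e for e in events
        if e.kind != "distribution_request"
        and e.when <= request.when
        and request.when - e.when <= lookback
    ]
    if not recent:
        return {"action": "release", "reasons": [], "notify_out_of_band": [],
                "days_since_first_change": None}

    reasons = []
    notify = []
    for e in recent:
        age = (request.when - e.when).days
        reasons.append(f"{e.attribute} {e.kind.replace('_', ' ')} {age} day(s) before request")
        if e.kind == "contact_change" and e.old:
            notify.append(e.old)  # confirm through the pre-change channel, not the new one
    if any(e.attribute == "address" and e.when == request.when for e in recent):
        reasons.append("payout address changed on the day of the request")

    return {
        "action": "hold",
        "reasons": reasons,
        "notify_out_of_band": sorted(set(notify)),
        "days_since_first_change": (request.when - min(e.when for e in recent)).days,
    }


if __name__ == "__main__":
    decision = review_distribution(TIMELINE, TIMELINE[-1])
    print(decision["action"], "-", decision["days_since_first_change"], "days since first change")
    for reason in decision["reasons"]:
        print(" -", reason)
    print("verify via:", decision["notify_out_of_band"])
```

Run against the reconstructed timeline, the rule holds the payout 48 days after the first change and directs confirmation to the South African address and the phone number that were on file before the takeover. A bare waiting period, by contrast, only helps if the participant happens to look at the account during the hold, which is why the notice to the prior channels is the part of the control that matters.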
On October 16, 2021, Disberry submitted a claim for benefits under the Plan. On April 17, 2022, the Plan’s Claims Administrator denied her claim, stating in part, “the Plan had in place reasonable procedures with respect to Plan distribution, [] these procedures were followed . . . [and] your Plan benefit was paid in accordance with all Plan terms and requirements.” According to the Plan committee in its motion to dismiss, Disberry did not appeal the denial of benefits, and thus has not exhausted her administrative remedies under the plan.
The Plan Committee’s Motion to Dismiss – no breach of fiduciary duty and not the cause of the loss, which was the lack of security of the mail system
The Plan Committee filed a motion to dismiss asserting that the Plaintiff Disberry had failed to plead facts showing: (1) a breach of fiduciary duty by the Committee; and (2) a causal connection between any act or omission of the Committee and the loss Plaintiff alleges. To the first point, the Committee asserts that the fact of an account theft is insufficient to show that the theft resulted from a breach of fiduciary duty. The argument, like in imprudent investment cases, is that the ERISA fiduciary standard is based on a fiduciary’s conduct and not results. The Committee cites to two cases showing that federal courts have recognized that a theft of a participant’s balance from a 401(k) plan is insufficient to show a breach of fiduciary duty.
First, they cite a 2012 Tenth Circuit case involving the fraudulent withdrawal of a plan participant’s account balance by an ex-wife.[1] In Foster v. PPG Industries, Inc., the Tenth Circuit held that “the mere fact that [the plan participant] has not received his benefits is insufficient in itself to allow him recovery against the plan.” Because the plan had followed established procedures, “[d]efendants were entitled to rely on the legitimacy of the electronic request and to treat it as a request from [the actual participant].” It is important to note that the court was relying on the assumption or finding that the plan followed established procedures and there was no finding of “any fault” by the plan administrator or fiduciaries. Given no finding of fault, the plan was entitled to take the position that the plan benefits were paid in accordance with plan terms and requirements. The second case relied upon by the Plan committee is Barnett v. Abbott Laboratories,[2] in which the plan administrator and named fiduciary were held not liable when an imposter gained access to a participant’s email.
The core argument by the Plan Committee is that the complaint does not meet the pleading requirement of plausibly showing that the plan committee acted in an “objectively unreasonable” manner in handling participant information – in other words, the plan fiduciaries followed reasonable procedures in ensuring account integrity with the recordkeeper. According to the plan fiduciaries, “the question is not whether some additional protective step can be identified with the benefit of hindsight,” but rather “the question is whether the Plan acted in an objectively unreasonable manner by failing to protect against a reasonably foreseeable risk.” Plaintiff had argued that the plan should have required a waiting period of fourteen days before disbursing the funds, but the Committee asserts that it would not have mattered: the complaint alleges no facts suggesting that the fraud would have been discovered, or the loss otherwise avoided, within fourteen days. Next, the Committee asserts that there is nothing to suggest an objectively unreasonable process in how Alight handled the fraudster. The Committee states that participants need the ability to regain access to their accounts when they (frequently) forget their login credentials; it is reasonable to have a call center for this purpose; it is reasonable to ask callers to provide personally identifiable information; and it is reasonable to take the additional step of physically mailing a temporary PIN to the participant’s known mailing address. Plaintiff in the complaint had criticized the use of mailing to a physical address, but the Committee asserts that the Barnett case shows that electronic mail can also be hacked.
The Plan Committee summarizes that its actions were “objectively reasonable” because “it was not reasonably foreseeable” that a perpetrator would: (1) know Plaintiff has an account with the Plan; (2) have her personally identifying information, including date of birth and social security number; (3) be in a position to physically intercept her mail in South Africa; and (4) be able to deposit a physical check made payable to the legitimate plan participant in the United States. But even if the Court were to conclude that the process used to reset passwords was objectively unreasonable, the Plan Committee asserted that Alight handled that process, and not the Committee.
Finally, the Plan Committee asserts that it did not cause the “alleged” and “very unfortunate” loss. The cause of the loss was a “sophisticated, international fraud” in a process that was handled by Alight. The Plan Committee asserts that “the error without which the loss would not have occurred is that the Plaintiff’s personal physical mail was not sufficiently secure so as to prevent interception of the mailed PIN.” According to the Plan Committee, there was nothing that the Committee or Alight could have done which would have prevented the theft of physical mail to the Plaintiff.
The Recordkeeper Alight’s Motion to Dismiss – Alight did not perform any fiduciary functions
Alight’s motion to dismiss takes the straightforward position that it cannot be responsible for breach of fiduciary duty under ERISA because it was not a named or functional fiduciary under ERISA. Alight cites the fiduciary disclaimer clause in its recordkeeping contract with the plan that expressly states that it “does not have any discretionary control respecting management of any Colgate Plan or management or disposition of any Colgate Plan assets,” but rather acts “at all times as a ministerial administrative service provider.” Alight places the blame for the “unfortunate loss” on “bad actors” who intercepted Disberry’s personal mail, stole her temporary PIN, and subsequently used the temporary PIN to change Plaintiff’s contact information. “Ultimately, the bad actors removed all of the assets from Plaintiff’s retirement account.” For a third-party service provider like Alight to be considered a fiduciary, Alight asserts in its motion to dismiss that Plaintiff must plausibly allege that it exercised discretionary authority or control over management of a plan, or had authority or control over disposition of the plan’s assets. Alight asserts that its only role was operating a customer service center and a website, which are non-discretionary, ministerial functions that do not meet the fiduciary test under ERISA. Finally, Alight contends that it does not have discretion over plan assets because the plaintiff’s complaint makes clear that it is plan participants, not Alight, who direct and control distributions from their plan accounts.
BNY Mellon Motion to Dismiss – Not a Plan Fiduciary in the Ministerial Act of Cutting the Check to the Fraudster
BNY Mellon’s motion to dismiss asserts that it is “not to blame” because it served “as a directed trustee, did not interact with the fraudster, never possessed and had no role in managing Ms. Disberry’s personal information, and was not privy to the changes the fraudster made to Ms. Disberry’s personal information before the requested benefits distribution.” BNY Mellon’s only role in the events at issue in this lawsuit “was the ministerial task of cutting a check pursuant to instructions provided by the Plan’s recordkeeper, Alight Solutions.” Consequently, BNY Mellon was not a fiduciary with respect to the fraudulent withdrawal of the plaintiff’s retirement account.
What is the Solution for Participant Account Theft?
As noted in the introduction, we have all three parties involved with the Colgate plan disclaiming liability with very persuasive arguments: (1) the plan fiduciaries take the position that cyber theft of a participant account does not constitute a fiduciary breach by plan fiduciaries, and the plan fiduciaries did not cause the loss as long as the plan instituted and followed objectively reasonable account security procedures; (2) the plan recordkeeper claims it cannot be held responsible because it just followed reasonable procedures instituted by the plan and is not a plan fiduciary with discretionary control of plan assets; and (3) the bank custodian asserts that it also is not a fiduciary in the ministerial act of cutting the check to the fraudster. Every party in the chain of custody is disclaiming fiduciary liability. The Plan Committee blames the “unfortunate” loss on the lack of security of the South African mail system. And the plan recordkeeper is essentially saying that it has no responsibility when it is fooled by a fraudster impersonating a plan participant.
From our perspective, it is very likely that all three defendants will prevail on their motions to dismiss because they raised legitimate defenses to fiduciary responsibility. First, it is clear that BNY Mellon had no fault in the fraud and is not a proper defendant, as all it did was cut a check authorized by another party. Second, a participant has no privity of contract with the plan recordkeeper, so any recourse by a participant for cyber theft against Alight would have to come through fiduciary law. But the recordkeeper has a fiduciary disclaimer provision in its contract with the plan, and has a strong argument that it was not a functional plan fiduciary because it had no discretion in handling plan assets.
That leaves the Plan Committee as the only remaining defendant. To decide the motion to dismiss, the Plan Committee has correctly stated the court’s key inquiry: “the question is not whether some additional protective step can be identified with the benefit of hindsight,” but rather “the question is whether the Plan acted in an objectively unreasonable manner by failing to protect against a reasonably foreseeable risk.” In this inquiry, the court will weigh whether the plan or Alight had account security processes that were prudent. The plan committee has argued that “it was not reasonably foreseeable” that a perpetrator would: (1) know Plaintiff has an account with the Plan; (2) have her personally identifying information, including date of birth and social security number; (3) be in a position to physically intercept her mail in South Africa; and (4) be able to deposit a physical check made payable to Plaintiff in the United States. While it is possible that the plan could have required a photo ID or waited two weeks to distribute the money, there does not appear to be any basis for the plaintiff to dispute that the plan had instituted objectively reasonable procedures for Alight to follow in implementing account changes and distributions. Stated differently, it appears that Alight followed best practices in handling the account changes and distributions, whether these procedures were required by the plan or Alight itself. It is possible that the court will deny the dismissal motion to allow the plaintiff discovery to establish that the plan should have required more robust account security procedures, but we think the Plan Committee has established as a matter of law that it was not the cause of the participant’s loss.
As a legal matter, therefore, all three defendants may be correct that they bear no legal responsibility. Nevertheless, we can all put ourselves in the shoes of the Colgate plan participant who was defrauded of her entire account balance [except for the approximately $150,000 that had been withheld for federal taxes and was subsequently restored to the plan account]. Participants need to be protected from cyber theft of their retirement assets. But if a participant cannot sue for breach of fiduciary duty against plan fiduciaries and the recordkeeper, what is a plan participant’s recourse if their 401k account balance is hacked and they lose their entire retirement savings? The motions to dismiss filed by the three defendants in the Colgate case reveal that there is a real public interest issue at stake here. If there is no recourse for plan participants against the plan and its recordkeeper, then we have a serious liability gap for this increasingly common type of cyber fraud.
Plan sponsors would be naïve to think that the Department of Labor will find it acceptable for plan sponsors and the recordkeeper to disclaim liability for participant account theft, as has transpired in the Colgate case. Even if these positions are legitimate – and they appear to be in the Colgate case – plan sponsors need to proactively figure out a solution to participant account theft. We need to figure out how to protect innocent plan participants.
Potential solutions for participant account theft need to come from one or more of the following sources: (1) a contractual obligation by the plan recordkeeper to guarantee participant account security against cyber fraud; (2) cyber or crime insurance purchased by both the plan and the recordkeeper to restore a plan participant’s losses irrespective of fault by the plan or the recordkeeper; or alternatively, (3) a federal insurance backstop created by federal regulators that covers participant account theft. Even if no one handling plan assets is at fault for cyber fraud, it is still not fair for a plan participant to lose their retirement security through no fault of their own.
The most obvious solution is to require the recordkeeper to guarantee account security. Even if the plan committee and Alight have no fiduciary responsibility, we nevertheless believe there can be contractual liability by Alight to the plan. While the participant cannot make a direct contract claim against Alight, the plan should have the ability to enforce indemnification or security requirements in the recordkeeping contract. There is a curious gap in the case with respect to what contractual duties Alight owes to the plan. The question is whether the plan required Alight to guarantee account security and reimburse participants for potential cyber theft. Also, the plan surely required Alight to maintain cyber and crime coverage for this type of theft. But the case is completely missing any facts relating to why Alight did not have a security guarantee to plan participants. And it is also missing any understanding as to why Alight’s social engineering coverage under its crime and/or cyber policy is not covering this claim to restore the participant’s account balance. We can only assume that Alight has a high social engineering coverage retention or deductible in either its cyber or crime insurance – likely more than one million dollars. The Colgate case is a classic social engineering scam, and this is exactly what social engineering coverage is designed to cover – payments authorized by the insured in which they are duped into sending the payment to a fraudster. There is no explanation as to why insurance did not cover this claim.
In sum, it appears that the plan instituted, and Alight followed, an objectively reasonable process, and was just a victim of a sophisticated fraud as they claim in their respective motions to dismiss. But there may be an argument that the best fiduciary process is to demand under the recordkeeper contract that Alight indemnify the plan, or make participants whole, in the event of participant account theft. And it is also imperative – and likely a fiduciary responsibility – to require third-party administrators and recordkeepers to maintain adequate cyber and crime insurance with social engineering coverage. There may not have been a breach of fiduciary duty with respect to plan account security procedures, but it may be a fiduciary responsibility to ensure that the recordkeeper can guarantee account balances with a security guarantee or insurance coverage for cyber fraud.
The point we are making is that cyber theft is often not caused by or the fault of employee benefit plan fiduciaries, or even the plan recordkeeper. But cyber fraud is a foreseeable event in modern life, and plan fiduciaries need a proactive solution. The most straightforward solution is to enforce contractual indemnification by the recordkeeper to cover participant account losses. And if the recordkeeper cannot guarantee against cyber fraud, it must carry sufficient cyber insurance to reimburse participants for these losses.
Step back, and consider the hundreds of fiduciary malpractice cases that have been filed alleging excessive recordkeeping fees. These cases allege that plan recordkeeping is an undifferentiated commodity. For years, courts have tolerated these excessive recordkeeping fee lawsuits claiming that recordkeeping costs are too high. Fortunately, some courts have started to push back and require plaintiffs to compare plan services on an apples-to-apples basis. The Colgate case demonstrates that cyber security by the recordkeeper is a valuable service, and that not all recordkeepers provide the same level of cyber security [note that Fidelity, America’s leading recordkeeper, has never allowed a public lawsuit alleging participant account theft]. It is worth paying more – not less, as the cases allege – for quality cyber security procedures and protections by a high-quality recordkeeper in an institutional plan. Cyber security costs money, but it is the best defense to participant account fraud. The excessive fee cases have caused a race to the bottom in recordkeeping services, which is unfortunate when we see a recordkeeper refusing to restore a participant’s account balance after a cyber fraud.
It is quite possible that recordkeepers will eventually take the position that it is not financially feasible to guarantee account security given rampant cyber fraud. By fighting the Colgate participant’s claim in public, Alight may be taking that very position. It is also possible that insurance companies will eventually take the position that it is not feasible to provide sufficient social engineering or funds transfer fraud coverage in cyber or crime policies. In our experience, it is not practical to provide first-dollar coverage for cyber fraud, at least at affordable premiums. But insurance for cyber fraud is still widely available. We do not understand why the recordkeeper’s or plan’s cyber or fraud carriers have not paid a claim in this case. We will have more thoughts for plan sponsors in future posts as to what cyber and crime insurance they need to protect against participant account theft. In the meantime, we recommend plan sponsors review our recent testimony to the ERISA Advisory Council.
The point we are making is that the Department of Labor is not going to allow participants to lose their entire retirement plan account balance through no fault of their own. Plan sponsors do not want this result either. We have a serious public policy issue that must be addressed. If it cannot be resolved by contractual guarantees from the recordkeeper or insurance, then we need a federal backstop. We have the PBGC to guarantee plan insolvencies, and we have a federal insurance backstop for terrorism events that are not insurable. We have precedent for other uninsurable events. If cyber theft is an uninsurable event, then we need a federal backstop to protect plan participants.
In conclusion, the lesson of the Colgate participant account theft case is that fiduciary law does not adequately protect plan participants from account theft. The plan fiduciaries and the recordkeeper have argued that they cannot be responsible for sophisticated cyber fraud. They might be right under fiduciary law, but we need a better solution, because it is not acceptable for participants to lose their retirement savings through no fault of their own. Recordkeepers must be required to provide indemnification to plan fiduciaries for participant account theft, and this security guarantee must be backstopped by quality cyber and crime insurance that covers social engineering scams. Finally, to the extent the cyber fraud is rampant and becomes an uninsurable risk, Congress and federal regulators need to get involved and create a government insurance program to protect plan participants.
_________________________
[1] Foster v. PPG Industries, Inc., 693 F.3d 1226 (10th Cir. 2012).
[2] Barnett v. Abbott Laboratories, 492 F. Supp.2d 787, 796 (N.D. Ill. 2020).