By Daniel Aronowitz
A New York federal district court ruled on December 19, 2022 that a participant in the Colgate-Palmolive defined contribution plan adequately alleged breach of fiduciary duty claims against the plan recordkeeper and the plan fiduciary committee (but not the bank custodian). It is a curious decision that is worth studying to understand whether plan participants have potentially viable claims against the plan recordkeeper and plan fiduciaries when a participant account is hacked. The court was openly skeptical about the “very thin” theories of liability against the recordkeeper and plan committee, but ultimately allowed the complaint to proceed to discovery. With very little case law on this important topic, the Colgate court has signaled that sympathetic courts will allow fiduciary breach claims for cyber theft even when there is no evidence that the plan fiduciaries or recordkeeper failed to take reasonable steps to protect participant assets against sophisticated cyber fraud and theft. The court even gave litigation advice to the plaintiff to file an amended complaint against the recordkeeper to plead a more viable claim under a theory of common law negligence.
There will be many other instances in which individual accounts are hacked despite the best intentions of plan administrators and fiduciaries. The question is whether there is liability when no responsible entity did anything wrong. This case is a reminder that it behooves the plan sponsor community to solve the issue of participant account theft in its contracts with third-party providers, including demanding that these providers maintain adequate cyber and crime insurance, and by purchasing cyber and crime insurance that is dedicated solely to protect plan assets. This will be necessary to avoid litigation in which courts will be understandably sympathetic to plan participants who have lost their retirement savings.
The Colgate Participant Account Fraud
On July 7, 2022, Paula Disberry, as a participant in the Colgate-Palmolive Employee Savings and Investment (401k) Plan, filed an ERISA complaint against the Colgate plan fiduciary committee, Alight Solutions as the plan’s recordkeeper, and BNY Mellon as the plan custodian, seeking restoration of her 401k account balance that had been distributed to a fraudster. See Disberry v. Employee Relations Committee of the Colgate-Palmolive Company, Case No. 22-CV-5778 (S.D.N.Y.). The complaint states that “[o]n September 14, 2020, Ms. Disberry was informed that the entire balance of her Plan account, totaling $751,430.53, had been distributed from the Plan in a single taxable lump sum, even though at no point had she authorized or received any such distribution.” She alleges that on January 29, 2020, an unauthorized person contacted the Benefits Information Center operated by Alight by telephone, falsely identified herself as Disberry, and requested to update Disberry’s contact information on file with the Plan. Upon Alight’s request, the caller provided Disberry’s name, last four digits of her social security number, date of birth and the address that had been on file since at least 2017. Alight then sent a temporary personal identification number (PIN) by mail to Plaintiff’s physical address in South Africa. Disberry alleges that an unauthorized person(s) “intercepted Ms. Disberry’s mail and stole the temporary PIN.”
On February 24, 2020, the fraudster again contacted the Alight Benefits Information Center, used the temporary PIN to create a new permanent PIN, and then changed Disberry’s phone number and added an email address. Subsequently, the fraudster spoke with an Alight representative about how to reset Disberry’s user ID and password, and then changed Disberry’s user ID and password. On March 17, 2020, the fraudster requested a complete distribution via the Alight website for the plan, and changed the address to a location in Las Vegas, Nevada. The same day, the fraudster called the Benefits Information Center and was advised that the distribution could not be made by direct deposit. The fraudster then requested a distribution by paper check. A check in the amount of $601,144.42 (after federal taxes were withheld) and made payable to Paula Disberry was mailed to the Las Vegas address. The check was then manually endorsed in the name of Paula Disberry and deposited at a Bank of America branch in Las Vegas into an account in the name of Paula Disberry.
Disberry discovered the fraud on September 14, 2020 when logging onto her account on the Alight website. She then contacted Colgate-Palmolive, who contacted Alight, and then Alight placed a freeze on her account. On October 16, 2021, Disberry submitted a claim for benefits under the Plan. On April 17, 2022, the Plan’s Claims Administrator denied her claim, stating in part, “the Plan had in place reasonable procedures with respect to Plan distribution, [] these procedures were followed . . . [and] your Plan benefit was paid in accordance with all Plan terms and requirements.” According to the Plan Committee in its motion to dismiss, Disberry did not appeal the denial of benefits, and thus has not exhausted her administrative remedies under the plan.
The plan participant alleged in the subsequent lawsuit that the (a) plan recordkeeper, (b) plan committee, and the (c) bank custodian had all failed to detect “numerous red flags” that should have caused defendants to become suspicious that fraudulent activity was taking place:
- (1) Within the span of less than two months, the fraudster changed the participant’s phone number, email address, mailing address, and bank account information, and then requested an immediate cash distribution of the participant’s entire $750,000 plan account;
- (2) the fraudster changed the participant’s contact information such that her phone number and email address were in one country, while her mailing address was in a different country;
- (3) although the participant was not yet 59 ½ years old, the fraudster asked for an immediate cash distribution instead of a tax protected roll-over distribution, resulting in an additional 10% penalty;
- (4) the fraudster failed to contact the International Benefits Department prior to requesting a distribution while residing in a foreign country, although the Plan’s Summary Plan Description strongly recommended that this be done; and
- (5) there were numerous attempts to access the participant’s plan account by telephone and online within a short time span, many of which were unsuccessful. While not in the complaint, the court noted that the Alight investigation report found that during the first half of 2020, the fraudster had made seven additional phone calls to the Benefits Information Center and at least eleven additional attempts to log into the website in order to access the participant’s account information. These additional attempts were unsuccessful because the fraudster failed to provide the PIN, address, phone number or email address that were on file for the account.
All three defendants filed motions to dismiss disclaiming any liability for the loss of the participant’s account balance: (1) the Colgate Plan Committee disclaimed any fiduciary responsibility for the “unfortunate” loss of the participant’s entire account balance because it was caused, not by anything the plan fiduciaries did, but by a “complex, international fraud that occurred through no fault of the Committee”; (2) Alight as the plan recordkeeper disclaimed responsibility for “this unfortunate loss” because it did not serve as a plan fiduciary in that it was a “ministerial administrative service provider” and had no discretionary control over the Plan or disposition of any Plan assets; and finally (3) the Bank of New York Mellon as the custodian of the plan assets “is not to blame” as the directed trustee because its ministerial role in cutting the check to the fraudster was non-discretionary and thus also not a fiduciary function or cause of the loss. Stripping away the ERISA legalese, every entity in the chain of custody disclaimed fiduciary liability. To the extent there is any rational explanation as to what happened, the Plan Committee blamed the “unfortunate” loss on the lack of security of the South African mail system.
The Court Denied Recordkeeper Alight’s Motion to Dismiss – Alight Can Be Deemed a Functional Fiduciary Despite the Fiduciary Disclaimer in its Recordkeeping Contract
Alight took the position in its motion to dismiss that it was not acting or functioning as a fiduciary when taking the actions that form the basis of plaintiff’s claim. Alight argued that it is not a plan fiduciary because the complaint identifies it as performing purely ministerial tasks when it alleges that “Alight exercised control over Plan assets by facilitating, directing and processing distributions from participants accounts” or that “[Alight] operated a telephone customer service center . . . and a website . . . which provided Plan participants . . . the ability to manage their Plan accounts, including distribution of benefits.”
Alight cited the fiduciary disclaimer clause in its recordkeeping contract [Master Services Agreement] with the plan that expressly states that it “does not have any discretionary control respecting management of any Colgate Plan or management or disposition of any Colgate Plan assets,” but rather acts “at all times as a ministerial administrative service provider.” The court noted, however, that the MSA contract had additional language requiring Alight to “acknowledge[] if it exercises discretion with respect to the administration of the Colgate Plans or the assets of the Colgate Plans, it may be a fiduciary under ERISA.” Thus, the court noted, putting the “magic words” – “purely ministerial duties” – “does not automatically preclude a finding that Alight acted as a fiduciary if it did in fact exercise discretion.” The court held that “reading the Complaint in the light most favorable to the Plaintiff, it is not possible to dismiss out of hand the possibility that Alight would qualify as a ‘functional fiduciary’ within the meaning of ERISA, given its alleged role in directing the institution that held the Plan assets (BNY Mellon) to make the distribution . . .”
After finding that Alight could be sued as a potential functional fiduciary, the next issue was causation, as Alight had also argued that there is not a sufficient link between the allegedly fiduciary actions that Alight took and the misconduct in which Alight is alleged to have engaged. As the court summarized, a plaintiff “must allege a ‘nexus’ between defendants’ discretion and ‘the wrongdoing alleged in the Complaint.’” (citations omitted). The court noted that the complaint failed to distinguish the actions of the three defendants when claiming liability, but found enough to tie the fiduciary acts of Alight to the wrongdoing alleged in the Complaint. Specifically, the complaint alleges that Alight ignored “significant red flags” during the course of Alight’s repeated interactions with the fraudster. The court reasoned that “Alight at the very least is a party that should have been alerted to the possibility that someone was trying to hack into Plaintiff’s account.” The court found that these red flags established the required “nexus” between Alight’s authority and control and the wrongdoing alleged in the complaint.
The court cautioned that “the fact that the court cannot grant the motion to dismiss does not mean that Alight will ultimately be found to be a functional fiduciary within the meaning of ERISA.” Notwithstanding its skepticism of the fiduciary claim, the court continued that “[i]t is somewhat surprising that Plaintiff has not alleged an alternative claim against Alight under common law principles of negligence. The facts pleaded, if proved, would almost certainly suffice to make out a negligence claim against Alight if it turned out not to be a functional fiduciary under ERISA.” The court is specifically recommending that the participant file an amended complaint that pleads an alternative state law negligence claim against Alight.
BNY Mellon’s Motion to Dismiss Was Granted – Not a Plan Fiduciary in the Ministerial Act of Cutting the Check to the Fraudster
BNY Mellon’s motion to dismiss asserts that it is “not to blame” because it served “as a directed trustee, did not interact with the fraudster, never possessed and had no role in managing Ms. Disberry’s personal information, and was not privy to the changes the fraudster made to Ms. Disberry’s personal information before the requested benefits distribution.” BNY Mellon’s only role in the events at issue in this lawsuit “was the ministerial task of cutting a check pursuant to instructions provided by the Plan’s recordkeeper, Alight Solutions.” Consequently, BNY Mellon was not a fiduciary with respect to the fraudulent withdrawal of the plaintiff’s retirement account.
The court agreed. Citing Second Circuit law, the court explained that a directed trustee like BNY Mellon lacks the independent discretion that is the “touchstone of an ERISA fiduciary analysis,” and “does not exercise or possess discretionary authority when it makes or changes investments pursuant to [another party’s] instructions.” The court held that the only action that BNY Mellon took in connection with the fraud was to issue a check for the amount in the participant’s account. Plaintiff had not alleged any facts to show that BNY Mellon had authority or control with respect to that action. In addition, there was no allegation that BNY Mellon had any interaction with the perpetrator of the fraud, unlike Alight, which interacted with the fraudster immediately. The court specifically contrasted this case with Leventhal v. Mand Marblestone Grp. LLC, No. 18-CV-2727, 2019 WL 1953247, at *5 (E.D. Pa. May 2, 2019), because there the custodian of plan assets was acting as a fiduciary because it also had general administrative responsibilities in addition to serving as the plan custodian. By contrast, BNY Mellon did not have any general administrative responsibilities: it held plan assets and distributed them “exactly as instructed – nothing more.”
In addition to failing to prove that BNY Mellon was a functional fiduciary, plaintiff also failed to allege the required factual nexus between the specific actions that BNY Mellon took as a directed trustee and the actions that caused the loss alleged in the Complaint – specifically, the unauthorized tampering of plaintiff’s personal information and the unauthorized distribution of her pension benefits. Only Alight had contact with the perpetrator of the fraud; and there was no credible allegation that BNY Mellon could have been aware of the “red flags” or of any of the activity connected to the hacked account. Plaintiff had argued that BNY Mellon was required to, but failed to, implement reasonable procedures to detect and prevent fraud in her account. But the court held that the Master Trust Agreement provided that BNY Mellon was not responsible to establish or maintain individual accounts or the information associated with individual accounts. The fact that BNY Mellon agreed to implement standard information security safeguards over the information that was in its possession does not mean it was required to provide safeguards for information over which it contractually had no dealings. Consequently, the court held that the plaintiff had failed to plead a link between any actions of BNY Mellon and the fraudulent conduct alleged in the complaint.
The Plan Committee’s Motion to Dismiss Was Denied – the “Very Thin” Complaint Sufficiently Alleges Breach of Fiduciary Duty and Loss Causation Against the Committee
The Plan Committee was the one party that could rightfully and only be sued under ERISA and did not dispute that it had a fiduciary duty to the plaintiff. Instead, the Committee filed a motion to dismiss asserting that (1) the complaint does not sufficiently allege that it breached that duty, or (2) that the Committee caused plaintiff’s loss.
The court first ruled that plaintiff did not have to exhaust administrative remedies to pursue her breach of fiduciary duty claims. The court held that most courts have distinguished between claims for benefits under the terms of the plan, which require administrative exhaustion, and claims for violation of the statute itself, which do not. The distinction is that determining whether the plan fiduciaries breached their fiduciary duties does not require interpretation of the plan terms.
On the merits of the breach of fiduciary duty claim, the court started with a summary analysis that it agrees with the Committee that the complaint does not sufficiently allege that it breached its fiduciary duties or that the Committee caused the loss. The court stated that the “Committee – is simply not alleged to have done anything that violates ERISA.”
Based on this statement, the Plan Committee wins and is dismissed from the case. Not so fast. The summary paragraph described above makes no sense when you keep reading the court’s analysis, because the court does not rule for the Plan Committee.
The court continues by listing all of the ways in which the complaint fails to tie the Plan Committee to anything that led to the account hack or stolen funds. To this end, the court summarizes that there is not a single factual allegation tending to show that the Committee was aware of the so-called “red flags,” let alone that it ignored them. This is because Alight was the only party to have had contact with the perpetrator of the fraud. As a result, Alight was in a position to be aware of the red flags, but, according to the court, there is no plausible allegation that the Committee should have been aware that fraudulent activity was taking place with respect to Plaintiff’s account. Going further, the court states that the Complaint does not allege any specific facts showing that the Committee in fact failed to monitor Alight’s action.
Nevertheless, without any warning, the court pivots, stating that the monitoring claim “is precisely the sort of issue that, in an ERISA case, allows a Complaint to survive a motion to dismiss, because the information about the Committee’s monitoring is solely within the knowledge of the Committee and must abide discovery.” Similarly, the court states that the allegations that the Committee failed to institute reasonable procedures to detect and prevent fraud and theft of plan assets “is vague and insufficiently specific.” But “when read most favorably to an ERISA plaintiff, it appears to allege that the Committee – which is ultimately responsible for protecting the Plan’s assets for the benefit of the participants – did not do enough to detect and prevent fraud and theft, crimes of which Plaintiff was most assuredly the victim.” In sum, the court gives the benefit of the doubt to the plan participant.
Although the court is allowing the fiduciary breach claim to proceed against the Committee, the court took great effort to show its skepticism of what will be the ultimate result in the case, like it did with the fiduciary claim against Alight. To this end, the court states that “[o]f course the Committee is not an insurer against any and every possible wrongdoing.” The Committee will not ultimately be deemed to have breached its fiduciary duty to the plan participant “if it took reasonable steps to ensure that fraud and theft would be detected (which quite possibly includes by hiring a reputable contract administrator) . . .” In sum, the court ruled that “it remains to be seen whether the Committee did take reasonable steps to protect the assets of the Plan against fraud and theft.”
The court finishes by reiterating that “[t]his is a very thin complaint as against the Committee” because the “Plan was a victim of fraud and theft just as much as the Plaintiff was.” “An ERISA plan is not required to have procedures in place that account for every possibility – i.e., to act as an insurer against all losses. It must adopt reasonable procedures, but not absolutely air-tight procedures, to protect against the possibility of what happened here, which was a heinous crime.” The participant’s fiduciary claims survive – at least for now.
The Euclid Perspective
The New York court in the Colgate case was openly skeptical as to whether there was enough evidence to prove that Alight was a functional fiduciary. And even more skeptical that there will be proof adduced in the case showing that the Plan Committee somehow did not take reasonable steps to protect the plan’s assets against cybertheft. But despite the lack of any evidence in the complaint showing that either the recordkeeper or the plan fiduciaries did anything wrong, the court nevertheless allowed the case to proceed against both parties. The lesson is that courts will be understandably sympathetic to a participant who suffers from a cyber theft, and will give the participant every opportunity to prove their case in court. This is the lowest possible pleading standard.
Alight and the Colgate plan could easily read this decision as a signal from the court that they will ultimately prevail if they continue to litigate. But to what end? The account losses are $600,000 plus lost investment earnings [and the market is down 20%+ this year]. The defense law firms defending Alight and Colgate will easily spend that amount in several months. The cost of the defense will be higher than the amount at issue. The only reason to continue litigating is to set precedential value – and so far, the precedent has not been helpful to plan sponsors. The motion to dismiss ruling demonstrates that courts will likely do everything possible to help plan participants recover account losses. It remains curious why Alight has allowed this case to go public in litigation. Allowing the case to be filed – much like Alight’s recent litigation with the Department of Labor over its subpoena power – has backfired by allowing poor precedent to apply to future cyber thefts of defined contribution accounts.
From a big picture perspective of plan fiduciaries, this fact pattern is not unique. Most participant account theft scenarios will track the same facts as this case in which only the recordkeeper has direct contact with the fraudster; only the recordkeeper has the ability to be aware of “red flags”; and in most cyber incidents, there will be no cause for the plan committee to change any normal monitoring of the recordkeeper. But the case demonstrates that courts will likely ignore the lack of evidence and give participants a green light to sue plan fiduciaries, and allow participants to prove their case through expensive discovery that the recordkeeper or plan fiduciaries failed to take reasonable steps to protect against possible cybertheft.
The Colgate case is a wake-up call that plan sponsors need a proactive solution for cyber theft to avoid litigation in which courts will be biased towards finding liability. Potential solutions for participant account theft need to come from one or more of the following sources: (1) a contractual obligation by the plan recordkeeper to guarantee participant account security from cyber fraud; (2) cyber or crime insurance purchased by both the plan and the recordkeeper to restore a plan participant’s losses irrespective of fault by the plan or the recordkeeper; or alternatively, (3) federal regulators need to create some kind of federal insurance backstop for participant account theft. Even if no one handling plan assets is at fault for cyber fraud, it is still not fair for a plan participant to lose their retirement security through no fault of their own.
In conclusion, the lesson of the Colgate participant account theft motion to dismiss decision is that courts will need to find ways to impose liability to protect plan participants from account theft. When the recordkeeper who deals directly with the fraudster is going to disclaim liability, we need a better solution, because it is not acceptable for participants to lose their retirement savings through no fault of their own. Recordkeepers must be required to provide indemnification to plan fiduciaries for participant account theft, and this security guarantee must be backstopped by quality cyber and crime insurance that covers social engineering scams. Finally, to the extent the cyber fraud is rampant and becomes an uninsurable risk, Congress and federal regulators need to get involved and create a government insurance program to protect plan participants.