Because of the scarcity of case law and regulatory guidance on the issues, any case that analyzes the liability of ERISA plan sponsors and service providers following a cybersecurity incident and/or identity theft will be heavily scrutinized. A recent opinion in the Southern District of New York, denying motions to dismiss made by a third party administrator (“TPA”) and plan fiduciary, has widened the scope of liability for potential ERISA defendants in actions seeking to recover fraudulent distributions from ERISA-covered plans. It has also made new legal determinations that, if followed by other courts, will have an impact on future suits by plan participants seeking to recover lost retirement plan money.
The Southern District’s opinion, in Disberry v. Emp. Rels. Comm. of the Colgate-Palmolive Co., concluded that Alight Solutions (“Alight”), the defendant third party administrator of Colgate-Palmolive’s Savings and Investment Plan (the “Plan”), could have been acting as a fiduciary, and that both it and the defendant named fiduciary of the Plan, an administrative committee of the Plan sponsor (the “Committee”), could have breached their fiduciary duties in connection with an identity theft that resulted in a fraudulent distribution of approximately $750,000 to a thief. On January 6, 2023, the plaintiff, Ms. Disberry, a former senior Colgate executive, amended her complaint to bring new negligence claims against Alight. The case will be closely watched and provides interesting insights for plan sponsors and administrators.
The Complaint’s “Red-Flags” and “Reasonable Procedures” Theory
The Court’s focus on missed “red flags” and the failure to enact “reasonable procedures” is potentially significant because specific acts by a thief that constitute “red flags” may not always be addressable through “reasonable procedures” instituted by plan sponsors or TPAs. Even though surviving a motion to dismiss does not necessarily mean that either Alight or the Committee breached their fiduciary duty in this way, the Court’s allowance of this theory to proceed to discovery—even after acknowledging the complaint’s failure to make specific non-conclusory allegations—should be a warning sign for plan sponsors and TPAs who may have to defend similar suits in the future.
With the benefit of hindsight, Ms. Disberry alleged that Alight and the Committee could have acted to prevent the fraud. According to the complaint, Ms. Disberry learned of the theft when she attempted to access her Plan account online in August 2020. Not being able to log in (because the thief had changed her credentials), she contacted Alight’s Benefits Information Center. Alight representatives informed her that the full amount of her Plan account, $751,430.53, had been distributed to a bank account in Las Vegas months prior.
On April 7, 2022, the Plan’s claims administrator denied her claim to restore the $751,430.53 to her Plan account, asserting that, “[w]hile it is unfortunate that your information and Plan benefit may have been stolen from you…the Plan had in place reasonable procedures with respect to Plan distribution, these procedures were followed,…[and] your Plan benefit was paid in accordance with all Plan terms and requirements.” The dispute will therefore boil down to (i) whether Colgate adopted reasonable procedures; and (ii) if so, whether those procedures, had they been followed, would have prevented the theft.
Clearly, Alight and Ms. Disberry have different ideas as to the “reasonable” procedures that need to be enacted. Making matters more confusing, there are no specific guidelines from the U.S. Department of Labor (“DOL”) or courts as to what specifically a plan administrator must do to protect participant data from unauthorized changes, or to verify the identity of participants in connection with distributions.
This is a hugely important issue, particularly for large retirement plans that may process many claims in a relatively short period of time. In practice, the desire for expeditious benefit distributions must be balanced against the safety and security concern of ensuring that a participant or beneficiary requesting a distribution is who he or she claims to be.
While Ms. Disberry alleged in her complaint that, had Alight attempted to verify the distribution request and the very recent requests to change her contact and bank account information, the theft would not have occurred, she did not specifically indicate what verification duties Alight possessed independent of the specific nature of this theft. An assessment of a plan’s or recordkeeper’s reasonable procedures needs to be made prospectively. Just as the prudence of investment decisions cannot be assessed in hindsight, neither can a plan’s or recordkeeper’s procedures for minimizing the risk of theft.
Going forward, Ms. Disberry must demonstrate (i) what reasonable procedures were necessary, likely through expert testimony, and (ii) causation, i.e., that the failure to enact and follow reasonable procedures and/or to act on red flags (arguably even if those “red flags” fell outside the scope of the “reasonable procedures”) caused the loss, in that following those procedures would have prevented the theft entirely.
The Service Provider Agreement Did Not Control Alight’s Fiduciary Status
In its motion to dismiss, Alight argued it could not be a fiduciary in connection with this matter because it had contracted with the Plan not to perform fiduciary tasks. Indeed, its agreement with the Plan stated, “Alight does not have any discretionary control respecting management of any Colgate Plan or management or disposition of any Colgate Plan assets and [Alight] should act at all times as a ministerial administrative service provider.”
The Court, citing the basic concept of a “functional fiduciary” pursuant to ERISA § 3(21), rejected the argument that this contractual language had any effect in determining if Alight acted as a fiduciary, given the case law holding that “magic words in the contract” cannot nullify fiduciary responsibility. As the Court noted, other portions of the agreement recognized that, if Alight acted with discretion, fiduciary status could attach to Alight.
Typically, in order to establish fiduciary status under ERISA §3(21), particularized allegations as to why the entity/individual in question is a fiduciary with respect to the alleged fiduciary conduct are required. Here, even though the Court acknowledged Ms. Disberry’s allegations regarding fiduciary status were “entirely conclusory,” it still held that Alight could have acted as a fiduciary through directing the Plan’s custodian bank to make the distribution to the thief and by maintaining a Plan service center that responded, among other things, to benefit distribution requests.
Administrators and recordkeepers therefore should be prepared to defend fiduciary allegations even in instances where their contracts might refer to their services as ministerial.
TPAs Should Be Prepared to Defend State Law Claims in Connection With Fraudulent Distributions
The Court’s December 19 order, in dicta, stated that: “it is somewhat surprising that Plaintiff has not alleged an alternative claim against Alight under common law principles of negligence.” The Court was therefore giving Ms. Disberry a big hint that she needed to amend her complaint to save her claims if she could not ultimately prove Alight was a fiduciary. In the original complaint, Ms. Disberry only brought ERISA breach of fiduciary claims; if she could not prove the elements of those claims (including fiduciary status, breach of fiduciary duty, and causation), she would be left without an avenue to recovery.
With the Court’s prodding, Ms. Disberry amended her complaint on January 6, 2023, to add state law negligence claims in the event Alight is not found to be a fiduciary. It will be interesting to follow how Alight responds to these claims and how the Court rules on them, as there is little case law or guidance on the common law duties of a plan’s service providers to participants under tort law. If the District Court ultimately finds that Alight was not acting as a fiduciary, it is unlikely Alight could successfully claim that ERISA preempts the state law claims, because Ms. Disberry is simply pleading in the alternative (i.e., if Alight is a fiduciary, my relief is under ERISA, but if Alight is not acting under ERISA, relief is available under state law). If the Court finds Alight was acting as a fiduciary, but finds either that Alight did not breach a fiduciary duty or that it breached a fiduciary duty but the breach did not cause the loss, then a preemption argument would be stronger, because Ms. Disberry’s negligence claim could be characterized as an alternative means of enforcement.
Under similar facts, the better claim, as a matter of law, may have been a breach of contract/negligence claim by the plan sponsor against the TPA given that the TPA is in a contractual relationship with the Plan; it is more difficult to establish a duty under tort law between a non-contracting party and an alleged tortfeasor. Asserting a state law claim against a TPA might also be a tactically wise decision by a plan sponsor, particularly where the sponsor might not have insurance to defend suits similar to the complaint in Disberry.
The Court Read Into the Complaint a Potentially New Extension of the Fiduciary Duty to Monitor a TPA or Recordkeeper
The Court’s reading is notable given that the Northern District of Illinois, on similar facts, dismissed a comparable monitoring claim where the allegations involved a duty to monitor the same third party administrator, Alight. In Bartnett v. Abbott Labs., 492 F. Supp. 3d 787, 798 (N.D. Ill. 2020), the District Court held that the monitoring claims were “conclusory” and that the plaintiff did not make any allegations about any monitoring process between the plan fiduciary and the retained third party administrator/recordkeeper, let alone a defect in that process. Importantly, the Abbott court also stated that the fiduciary duty of prudence may be limited to certain activities, such as investment matters, not plan administration, and may not, as a matter of law, extend to “safeguarding of data and prevention of scams.” Id.
The difference in outcome between the Abbott decision and the Disberry decision is important. There is minimal case law concerning the scope of any fiduciary duty to monitor a TPA or recordkeeper. Also, the District Court in Disberry may not have appreciated the limited value of the monitoring duty in this context. The appointment of a service provider for a plan is a fiduciary function that requires both prudent selection and prudent monitoring. What is unclear is the nature of prudent monitoring in the context of safeguarding access to plan data and assets held or controlled by the service provider.
DOL guidance indicates that the duty to monitor a service provider requires a plan fiduciary to review the service provider’s performance; review any reports it provides; check the fees charged; ask about its policies and procedures; and follow up on participant complaints. In the context of cybersecurity, the DOL has provided additional, more specific guidance, suggesting that the plan fiduciary specifically require the recordkeeper’s cyber and other protections for plan data and assets to be consistent with the plan’s own policies and procedures. Given this description of general standards of conduct, it might be difficult for any claim for failure to monitor to succeed in a case involving a single instance of theft of plan assets. Also, it should be kept in mind that the duty to monitor is a derivative duty, so that if the TPA has not committed a breach or negligent act, there can be no fiduciary liability on the part of the party with the monitoring obligation.
Until regulatory and judiciary guidance clarifies as to whether or how the duty to monitor TPAs and/or recordkeepers applies in the context of cybersecurity protection and/or identity verification, plan sponsors and fiduciaries should enact policies and procedures that assume the fiduciary obligation to monitor will be applicable to them.
Sponsors, Named Fiduciaries, Service Providers to Plans Should Be Prepared to Defend Similar Suits
Sponsors, fiduciaries, third party administrators, other service providers, and custodian banks, at least until recently, have not contemplated that they can be liable for fiduciary breach in connection with data or asset breaches or identity theft incidents given the limited regulatory and judicial guidance as to what basic procedures are required – as well as the basic fact that they did not commit the crime, the “fraudster” did. It is important to note that the jurisdiction of a potential case could be material. For example, the standard in the Second Circuit, where the Disberry case is pending, is that there must be an allegation of a “nexus” between the defendant’s discretion and the wrongdoing alleged. However, the Eleventh Circuit and Third Circuit have held that proximate cause (a stricter standard) is what must be shown.
Whichever standard applies, it is likely that attorneys representing defrauded participants in the future will allege a theory similar to the “reasonable procedures” and/or “red flags” theory alleged in Disberry and therefore the outcome of the Disberry case bears close watching.
Meanwhile, it is absolutely vital that plan fiduciaries, TPAs, and recordkeepers implement prudent procedures, both for the maintenance of personal information and in the distribution process, that ensure a participant’s identity is verified before important changes to the participant’s identifying information take effect and before large or unusual distribution requests are paid. And, of course, the DOL could assist in providing stability by issuing guidance on the harder question: what if a plan’s processes are state of the art and indisputably reasonable, and one or more participant accounts are still compromised?
Best practices, which may evolve over time, could include:
- sending verifications of any change to personal information held with the plan or recordkeeper to the participant’s phone and/or email in real time (rather than by a letter sent through the mail);
- using two-step authentication practices that require a participant to answer security questions and/or provide other information uniquely in the hands of the participant; and/or
- requiring a participant, in order to receive a distribution from a plan, to provide to the custodian bank a driver’s license or other proof of identification uniquely held by the participant.
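The following Python example is added here to show what a screening step implementing the first and third practices above might look like when applied to the pattern the complaint describes (credentials, contact details and payout account all changed shortly before a full-balance distribution request). It is not Alight’s, Colgate’s or any recordkeeper’s actual procedure; the thresholds, event names, dates and sample account histories are assumptions constructed for the illustration (only the account balance figure is taken from the article).

```python
"""Red-flag screening of a plan distribution request.

Added example only: not Alight's or the Plan's actual procedure. Thresholds,
field names, dates and the sample histories are assumptions constructed for
the illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

LOOKBACK_DAYS = 30          # assumed: a profile change this recent counts as "recent"
LARGE_AMOUNT = 50_000.00    # assumed: dollar threshold for a "large" request
FULL_BALANCE_RATIO = 0.95   # assumed: >= 95% of the balance counts as a full payout


@dataclass
class Event:
    """One change to a participant profile, as a recordkeeper might log it."""
    when: date
    kind: str            # "credential_change" | "contact_change" | "bank_change"
    channel: str = ""    # for contact_change: "phone" or "email"
    old: str = ""        # value on file before the change
    new: str = ""        # value on file after the change


@dataclass
class Participant:
    participant_id: str
    balance: float
    contact: dict        # current contact details on file, e.g. {"phone": ..., "email": ...}
    bank_account: str    # current payout account on file
    history: list = field(default_factory=list)


@dataclass
class Decision:
    approve: bool                # True only when no red flag was raised
    flags: list                  # reasons the request was held
    verify_via: dict             # channel -> address for the out-of-band confirmation
    require_id_document: bool    # escalate to proof-of-identity review


def screen_distribution(p: Participant, amount: float, requested_on: date) -> Decision:
    """Hold a distribution for step-up verification when it follows recent profile
    changes or is unusually large; otherwise approve it for normal processing."""
    window = timedelta(days=LOOKBACK_DAYS)
    recent = sorted(
        (e for e in p.history if timedelta(0) <= requested_on - e.when <= window),
        key=lambda e: e.when,
    )
    flags = []
    verify_via = dict(p.contact)   # default: whatever is on file today
    pinned = set()                 # channels already rolled back to their pre-change value
    for e in recent:
        age = (requested_on - e.when).days
        if e.kind == "credential_change":
            flags.append(f"login credentials changed {age} days before the request")
        elif e.kind == "contact_change":
            flags.append(f"{e.channel} on file changed {age} days before the request")
            # The earliest change in the window holds the pre-incident address; send the
            # confirmation there, not to an address the requester may have just set.
            if e.channel not in pinned:
                pinned.add(e.channel)
                if e.old:
                    verify_via[e.channel] = e.old
                else:
                    verify_via.pop(e.channel, None)   # nothing trustworthy to send to
        elif e.kind == "bank_change":
            flags.append(f"payout account changed {age} days before the request")
    if amount >= LARGE_AMOUNT:
        flags.append(f"amount {amount:,.2f} exceeds the large-request threshold")
    if p.balance > 0 and amount >= FULL_BALANCE_RATIO * p.balance:
        flags.append("request is for substantially the full account balance")
    needs_id = (
        any(e.kind == "bank_change" for e in recent)   # money would go somewhere new
        or amount >= LARGE_AMOUNT
        or not verify_via                              # no out-of-band channel left
    )
    return Decision(approve=not flags, flags=flags, verify_via=verify_via,
                    require_id_document=bool(flags) and needs_id)


def sample_suspicious_request():
    """Constructed history shaped like the pattern alleged in the complaint: credentials,
    contact details and payout account changed days before a full-balance request."""
    p = Participant(
        participant_id="P-0001", balance=751_430.53,
        contact={"phone": "+1-555-0199", "email": "new-address@example.net"},  # post-change
        bank_account="NEW-ACCT-LV",
        history=[
            Event(date(2020, 3, 1), "credential_change"),
            Event(date(2020, 3, 2), "contact_change", "phone", "+1-555-0100", "+1-555-0199"),
            Event(date(2020, 3, 2), "contact_change", "email",
                  "participant@example.com", "new-address@example.net"),
            Event(date(2020, 3, 3), "bank_change", "", "OLD-ACCT", "NEW-ACCT-LV"),
        ],
    )
    return p, 751_430.53, date(2020, 3, 6)


def sample_routine_request():
    """Constructed benign case: stable profile, modest amount."""
    p = Participant("P-0002", 120_000.00, {"phone": "+1-555-0150", "email": "r@example.org"},
                    "ACCT-R", [Event(date(2019, 6, 1), "contact_change", "email",
                                     "old@example.org", "r@example.org")])
    return p, 5_000.00, date(2020, 3, 6)


if __name__ == "__main__":
    for builder in (sample_suspicious_request, sample_routine_request):
        d = screen_distribution(*builder())
        print(builder.__name__, "->", "approve" if d.approve else "HOLD", d.flags, d.verify_via)
```

The one design choice worth noting is where the out-of-band confirmation is sent: to the contact details on file before the earliest change in the lookback window, because a thief who has just rotated the phone number and email address would otherwise be the one receiving the real-time verification the first practice calls for. When no pre-change contact is known, or the payout account itself is new, the request is escalated to the proof-of-identity review the third practice describes, rather than approved on the strength of a confirmation the requester controls.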
To address all of these issues, we strongly recommend fiduciaries and contract administrators closely review their practices and procedures with ERISA counsel.