Another court has decided which ERISA plan fiduciaries can be held liable in connection with a data breach of a plan participant’s account. On October 2, 2020, the Northern District of Illinois, in Bartnett v. Abbott Laboratories, et al., ruled that Alight Solutions, the TPA of the Abbott Corporate Benefits Stock Retirement Plan (the “Plan”), could be held liable for both an ERISA fiduciary breach claim and a claim pursuant to the Illinois Consumer Fraud and Deceptive Practices Act (ICFA) and it dismissed the Abbott affiliated defendants from the case (for now).
The opinion is unique because it raises important questions—not just about the scope of a TPA’s ERISA fiduciary liability for distributing plan benefits that end up in a cyber criminal’s pocket—but whether ERISA plan TPA’s can be sued for both ERISA fiduciary breach claims and state law consumer fraud claims resulting from the same alleged misconduct: the failure to enact cybersecurity procedures that prevent the theft of plan assets. The result of the Abbott decision has serious implications. Liability both under ERISA and state law could lead to double or alternative recoveries for plan participants, and subject plan fiduciaries to state consumer fraud statutes that allow for compensatory and punitive damages.
Court Says TPA Is an ERISA Fiduciary For “Operating” Benefit Distribution Center
The Abbott Court weighed first whether Ms. Bartnett plausibly stated ERISA fiduciary breach claims against the following sets of defendants: (1) her employer, Abbott Laboratories; (2) the purported Plan administrator, an entity she termed “Abbott Corporate Benefits;” (3) the Plan itself; (4) Abbott employee, Marlon Sullivan; and (5) the Plan’s “contract administrator,” Alight Solutions. Ms. Bartnett specifically alleged Alight Solutions was the entity that imprudently processed the $245,000 distribution from Ms. Bartnett’s Plan account to an unknown person impersonating Ms. Bartnett.
The Court held that Ms. Bartnett only stated a claim for ERISA fiduciary breach against Alight Solutions and dismissed all of Ms. Bartnett’s claims against the Abbott defendants. How the Court reached this conclusion is instructive. In finding that Ms. Bartnett adequately pled a fiduciary claim against Alight, the Court followed the logic of Leventhal v. MandMarblestone Group, LLC—a May 2019 opinion in the Eastern District of Pennsylvania that determined an ERISA plan’s record keeper and TPA could be held liable for breach of fiduciary duty in failing to enact prudent procedures and safeguards to protect the plan and participants from cybercriminals following a plan data breach. The Leventhal court reasoned the TPA acted in a fiduciary capacity because of the discretion it possessed, contractually and functionally, to disburse plan assets to participants.
While the Abbott Court didn’t cite Leventhal outright in its analysis, like Leventhal, it singularly focused on Alight’s discretion to make Plan participant distributions, specifically the allegations concerning Alight’s operation of the Abbott Benefits Center and abbottbenefits.com and its actual improper distribution of the $245,000 to the cybercriminal. The Court rejected Alight’s claim that it did not function as a fiduciary because it performed ministerial “non-discretionary services” for the Plan. Importantly, it did not contemplate this argument as a question of law— whether a TPA who was retained to disburse plan assets according to directions from participants was engaged in a ministerial non-fiduciary function—but rather, depicted the argument as an issue of fact as to whether Alight, in practice, assumed the requisite level of fiduciary discretion and control over plan distributions and benefits.
This result is important for plan administrators to follow. If Courts in the future employ this same analysis in weighing fiduciary status and consequent fiduciary liability associated with similar data breach claims, TPA’s in particular should prepare themselves for the strong possibility of fiduciary liability. And language in a plan services agreement with the plan sponsor stating that the TPA is not acting in a fiduciary capacity might not avoid this result.
The Court Dismisses Claims Against the Abbott Affiliated Defendants But Leaves The Door Open To Amendment
In granting the Abbott affiliated defendants’ Motion to Dismiss, the Court latched on to the Complaint’s ambiguities in failing to describe the specific fiduciary processes and functions of the Abbott defendants.
While the complaint listed the following Abbott defendants as fiduciaries,
- Abbott Laboratories (plan sponsor and functional fiduciary of Plan)
- “Abbott Corporate Benefits” (plan sponsor and named fiduciary of the Plan)
- Marlon Sullivan (named plan administrator and the named sponsor) of the Plan
- Alight Solutions (“contract administrator,” record keeper and functional fiduciary),
the Court stressed that the complaint failed to specify the fiduciary acts and/or responsibilities of these persons and entities, any fiduciary processes that the Abbott affiliated defendants established to meet their fiduciary responsibilities and also any processes to monitor the activities of Alight. Dismissal of the claims against the Abbott defendants was a predictable outcome given the motion to dismiss briefing in the case described here. The Court also pointed out that Ms. Bartnett did not make any attempt to respond to Abbott’s argument that “Abbott Corporate Benefits” does not exist as a legal entity and therefore dismissed this entity as a defendant.
Although the Court laid out the complaint’s inadequacies in identifying the Abbott defendants, it also gave Ms. Bartnett the opportunity to amend and remedy those deficiencies, saying that, “Ms. Bartnett may file a motion for leave to file an amended complaint if she believes she can cure the deficiencies in the allegations against the Abbott Defendants described in this opinion.”
While it appears that the dismissal and the chance to amend are based on Ms. Bartnett’s factually deficient pleading, it is important to note that the Court did not mention any inherent plan sponsor specific obligation to ensure it maintains adequate cybersecurity protocols for its retirement plan. This obligation was recently noted by the DOL in promulgating its new rules relating to “alternative methods for disclosure through electronic media,” where it instructed that, “As required under ERISA section 404, the Department expects that many plan administrators, or their service or investment providers, already have secure systems in place to protect covered individuals’ personal information. Such systems should reduce covered individuals’ exposure to data breaches.”[1] Alight most likely will refer to its contractual arrangements with Abbott to demonstrate to the Court that the burden to meet this obligation did not rest on them alone.
Further, in any future amendment to the complaint, it will be interesting to see if Ms. Bartnett specifically focuses her claim on Abbott’s fiduciary duty to monitor Alight because an express delegation of fiduciary responsibilities to Alight could still subject Abbott to an ERISA fiduciary duty to monitor. The application of the duty to monitor here might be particularly relevant considering two sets of facts. First, the DOL’s announcement (three days after the filing of the complaint) that it was performing an investigation into Alight’s cybersecurity practices, and second, prior suits against Alight in other cybersecurity cases, including Berman v. Estee Lauder Inc., No. 3:19-cv-06489 (N.D. Cal. filed Oct. 9, 2019) which was settled in 2020.
While the Northern District of Illinois hinged its duty to monitor analysis on the fact that “the complaint does not allege any monitoring process between Sullivan and Alight, let alone a defect in that process,” courts have found that an appointing fiduciary’s obligation to act could be triggered when it has notice of the appointee’s misconduct or has information available to it from which the misconduct would be apparent to them.[2] This duty could therefore apply to the facts in Abbott and establish the delegating Abbott fiduciary’s duty to monitor Alight even if Abbott did not have any direct fiduciary responsibilities relating to the disbursement of plan assets to Ms. Bartnett.
Abbott Could Still Be Liable For Fiduciary Breaches Through Principles of ERISA Fiduciary Contribution
This past May, the Eastern District of Pennsylvania, in Leventhal v. MandMarblestone Group, LLC, handed down a decision that highlighted the dangers facing both plan sponsors and plan service providers when a cybersecurity breach results in money stolen from a participant’s account. The court there ruled that the TPA service provider, after being sued by the plan sponsor for the cybersecurity breach, could bring counterclaims against the plan sponsor for contribution and indemnity because the plan sponsor was alleged to be “careless” in its “computer/IT systems” and “employment policies” in permitting an employee and plan participant to work remotely without adequate safeguards.
Here, a counterclaim might not be the appropriate procedural mechanism for Alight to snare in the Abbott affiliated defendants with a similar claim, but it should be noted that courts in the Seventh Circuit and the Northern District of Illinois have previously allowed ERISA defendants to bring third party contribution claims against their co-fiduciaries.[3]
Therefore, even if Ms. Bartnett does not amend her complaint or that amendment is also found to be insufficient, Abbott might not be out of the woods in connection with its co-fiduciary liability for the data breach claim.
The Court Says Consumer Fraud Claims Are Not ERISA Preempted
The most important takeaway from the Abbott decision might be the Court’s conclusion that Alight could be independently liable under the ICFA for virtually the same underlying misconduct alleged in the ERISA fiduciary breach claim. While Alight made the argument that the ICFA claim was ERISA-preempted, the Court rejected this argument on two grounds:(1) the ICFA claim does not require the Court to interpret the terms of the retirement plan, and (2) the ICFA claim seeks recovery for activities that occurred outside the terms of the plan e.g. false representations online about the quality of its services and unfair business practices for failing to implement proper security procedures. On the second point, the Court wrote that the ICFA claim “alleges that Alight engaged in an unfair business practice because it failed to implement proper security procedures online and over the phone, which led to the improper withdrawal of her funds. The claim therefore seeks recovery for activities that occurred outside the terms of the plan.” (emphasis added).
This part of the Court’s decision raises serious questions for plan fiduciaries. For example, if the second part of this reasoning is extended by other courts—that a plan fiduciary’s failure to implement property cybersecurity procedures occurs “outside the terms of the plan” and accordingly outside the purview of ERISA—a TPA or other plan service provider could be held responsible for the same misconduct under the rubric of ERISA’s fiduciary liability remedies and consumer fraud statutes on the basis that the misconduct occurred both inside and outside of the plan. Plaintiffs could in turn receive double and/or alternative recovery for the same claims of wrongdoing for failing to implement proper cybersecurity protocols. Whether a TPA’s services agreement could be drafted in a manner to bring cybersecurity services within the terms of the plan, or whether state law claims are preempted by ERISA, are the types of unresolved issues that will be interesting to follow in future judicial opinions and potential regulatory guidance.
This result is also noteworthy because many state consumer fraud and/or deceptive business practice statutes, including the ICFA, allow for compensatory and punitive damages. This opportunity for a plaintiff to recover under both ERISA and state consumer fraud and/or deceptive business practice statutes runs contrary to other cases involving ERISA service providers (including TPA’s) where liability under ERISA or state law pivots on their fiduciary status. The Court here did not adopt such an approach and found that ERISA’s remedial provisions of fiduciary liability did not preempt the ICFA. If other courts apply a similar analysis to ERISA data breach cases, TPA’s, and potentially other plan service providers, could be hit with liability under both federal and state law.
In the end, the Abbott decision and its implications underscores the necessity for plan sponsors and administrators to seriously consider their cybersecurity, identity verification, and plan distribution protocols and procedures. We have identified some prior suggestions here
Considering all of the uncertainty surrounding ERISA fiduciary cybersecurity responsibilities and liability relating to plan data breaches, plan sponsors and plan service providers should proactively address issues of cybersecurity in more detail with their ERISA counsel.
________________________________________
[1]See 29 CFR § 2520.104b-31(e)(3) and 29 CFR § 2520.104b-31(k)(4)(i).
[2]Scalia v. WPN Corp., 417 F. Supp. 3d 658, 671 (W.D. Pa. 2019); Sec’y of Labor v. Doyle, 657 F. App’x 117, 127-28 (3d Cir. 2016).
[3] United Labs., Inc. v. Savaiano, No. 06 C 1442, 2007 WL 4162808, at *8 (N.D. Ill. Nov. 19, 2007) citing Daniels v. Bursey, 329 F.Supp.2d 975, 978-80 (N.D. Ill. 2004)(the “court finds it likely that the Seventh Circuit would recognize a right to contribution among co-fiduciaries to an ERISA plan, were the question properly presented to that court”). There is currently a circuit split on whether a contribution claim is permissible. The Ninth Circuit, for example, has stated that “sections 1109 and 1132(a)(2) of ERISA establish remedies for the benefit of the plan, “but do[ ] not provide an equitable remedy of contribution in favor of a breaching co-fiduciary.” Concha v. London, 62 F.3d 1493, 1500 (9th Cir. 1995).
