By Barry Salkin and Jordan Mamorsky
Any case that analyzes the scope of liability for ERISA plan sponsors and service providers following a cybersecurity incident and/or identity theft will be heavily scrutinized because of the scarcity of case law and regulatory guidance on these issues—particularly any judicial precedent that widens the net of potential liability. A recent opinion in the Southern District of New York denying a third party administrator’s (“TPA”) and plan fiduciary’s motion to dismiss not only widened the scope of liability for potential ERISA defendants in actions seeking to recover ERISA fraudulent distributions, but it also made new legal determinations that, if followed by other courts, will have an impact on future suits by plan participants seeking to recover lost retirement plan money.
The opinion, Disberry v. Emp. Rels. Comm. of the Colgate-Palmolive Co., concluded that the defendant third-party administrator of the Colgate-Palmolive Company’s Savings and Investment Plan (the “Plan”), Alight Solutions (“Alight”), could have been acting as a fiduciary, and that both Alight and the defendant named fiduciary of the Plan, an administrative committee of the Plan sponsor, could have breached their fiduciary duties in connection with an identity theft resulting in an approximately $750K fraudulent distribution to a thief. On January 6th, the plaintiff, Ms. Disberry, a former Colgate senior executive, amended her complaint to bring new negligence claims against Alight. The case will be closely watched and provides interesting insights for plan sponsors and administrators to follow.
The Complaint’s “Red-Flags” and “Reasonable Procedures” Theory
In response to the defendants’ motion to dismiss the original complaint, the Court concluded that both Alight and the Plan’s named fiduciary, the Employee Relations Committee of the Colgate-Palmolive Company (the “Committee”), owed a fiduciary obligation to ensure “reasonable procedures” existed to issue distributions to participants and prevent thieves from stealing plan assets. The Court also concluded that Alight had a fiduciary duty to act when it should have observed alleged “red flags” with changes made to Ms. Disberry’s personal information and bank account information. Although other courts might adhere more closely to the common law rule that a trustee was not liable for a theft loss if it had adopted reasonable procedures, the Southern District, for purposes of the motion to dismiss, allowed plaintiff’s claims to move forward in this respect.
The Court’s focus on missed “red flags” and the failure to enact “reasonable procedures” is potentially significant because specific acts by a thief that constitute “red flags” may not have specifically been addressed as part of the “reasonable procedures” of a plan or recordkeeper. To provide context, even though surviving a motion to dismiss does not necessarily mean that either Alight or the Committee breached their fiduciary duty in this way, the Court’s allowance of this theory to proceed to discovery—even after acknowledging the complaint’s failure to make specific nonconclusory allegations—should be a warning sign for plan sponsors and TPAs who may have to defend similar suits in the future.
With the benefit of hindsight, Ms. Disberry alleged that Alight and the Committee could have acted to prevent the fraud. Neither the Plan nor Ms. Disberry, however, was aware that a fraudulent distribution had occurred until months after the fact, so no “red flags” were recognized in real time by either the Plan or Alight. According to the complaint, Ms. Disberry learned of the theft when she attempted to access her Plan account online with Alight in August 2020. She could not log in (because the thief had changed her credentials), so she contacted Alight Solutions’ Benefits Information Center. Alight representatives informed her that the full amount of her Plan account, $751,430.53, had been distributed to a bank account in Las Vegas, Nevada months prior.
On April 7, 2022, the Plan’s Claims Administrator denied her claim to restore the $751,430.53 to her Plan account, asserting that “[w]hile it is unfortunate that your information and Plan benefit may have been stolen from you…the Plan had in place reasonable procedures with respect to Plan distribution, these procedures were followed…[and] your Plan benefit was paid in accordance with all Plan terms and requirements.”
In other words, in its benefits denial letter, the Plan informed Ms. Disberry that it did enact reasonable procedures to prevent her from being defrauded, but she was defrauded anyway because of the thief’s actions. The dispute will therefore boil down to (i) were reasonable procedures adopted; and (ii) if so, could these reasonable procedures, if followed, have prevented the theft?
Clearly, Alight and Ms. Disberry have different ideas as to what are truly “reasonable” procedures that need to be enacted and, to make matters more confusing, there are no specific guidelines from the U.S. Department of Labor (“DOL”) or courts as to what a plan administrator must specifically do to verify the identity of participants in connection with distributions.
This is a hugely important issue particularly for large retirement plans that may process many claims in a relatively short period of time. In practice, encouraging expeditious benefit distributions should be balanced with safety and security concerns in ensuring the participant and/or beneficiary requesting a distribution is who he or she says he or she is.
Ms. Disberry alleged in her complaint that had Alight attempted to verify the distribution request and the very recent requests to change the participant’s contact information and bank account information, the theft would not have occurred. She did not, however, specifically indicate what verification duties Alight possessed without regard to the specific nature of the theft. An assessment of a plan’s or recordkeeper’s reasonable procedures needs to be made ex ante (i.e., before the theft). For the same reason that the prudence of investment decisions cannot be assessed in hindsight, neither can a plan’s or recordkeeper’s procedures for minimizing the risk of theft.
How Ms. Disberry attempts to prove (i) what reasonable procedures were necessary (likely through expert testimony); and (ii) causation, that the actions and/or failures to enact and follow reasonable procedures and/or act on red flags (arguably even if those “red flags” fell outside the scope of the ‘reasonable procedures’) could have prevented the theft entirely, will be illuminating for plan sponsors and TPAs who seek to avoid liability in similar cases.
The Service Provider Agreement Did Not Control Alight’s Fiduciary Status
In its motion to dismiss the complaint, Alight argued it could not be a fiduciary in connection with this matter because it had contracted with the Plan not to perform fiduciary tasks. Indeed, its agreement with the Plan stated, “Alight does not have any discretionary control respecting management of any Colgate Plan or management or disposition of any Colgate Plan assets and [Alight] should act at all times as a ministerial administrative service provider.”
The Court, citing the basic concept of a “functional fiduciary” under ERISA § 3(21), rejected the argument that this contract language had any effect in determining whether Alight acted as a fiduciary, given the case law holding that “magic words in the contract” do not avoid fiduciary responsibility; moreover, other portions of the agreement recognized that fiduciary status could attach if Alight did act with discretion.
Typically, in order to establish fiduciary status pursuant to ERISA § 3(21), particularized allegations as to why the entity or individual in question is a fiduciary with respect to the alleged fiduciary conduct are required. Here, even though the Court acknowledged Ms. Disberry’s allegations regarding fiduciary status were “entirely conclusory,” it still held that Alight could have acted as a fiduciary through directing the Plan’s custodian bank to make the distribution to the thief and maintaining a Plan service center that responded, among other things, to benefit distribution requests.
Administrators and recordkeepers therefore should be prepared to defend fiduciary allegations even in instances where their contracts might refer to the scope of their services as ministerial.
TPAs Should Be Prepared to Defend State Law Claims in Connection With Fraudulent Distributions
The Court’s December 19th order, in dicta, stated that: “it is somewhat surprising that Plaintiff has not alleged an alternative claim against Alight under common law principles of negligence.” The Court was therefore giving Ms. Disberry a big hint that she needed to amend her complaint to save her claims if she could not ultimately prove Alight was a fiduciary. That is because in the original complaint, Ms. Disberry only brought ERISA breach of fiduciary claims and if she could not prove the elements of those claims (including fiduciary status, breach of fiduciary duty, and causation), she would be left without an avenue to recovery.
With the Court’s prodding, Ms. Disberry amended her complaint on January 6, 2023, to add state law negligence claims in the event Alight is not found to be a fiduciary. It will be interesting to follow how Alight responds to these claims and how the Court rules on them, as there is not extensive case law or guidance on the common law duties that a plan’s service providers owe to participants under tort law. If the District Court ultimately finds that Alight was not acting as a fiduciary, it is unlikely that Alight could successfully claim that ERISA preempts the state law claims, because Ms. Disberry is simply pleading in the alternative (i.e., if Alight is a fiduciary, my relief is under ERISA, but if Alight is not acting under ERISA, relief is available under state law). If the Court finds that Alight was acting as a fiduciary, but finds either that Alight did not breach a fiduciary duty, or that it breached a fiduciary duty but the breach did not cause the loss, then a preemption argument would be stronger, because Ms. Disberry’s negligence claim could be characterized as an alternative means of enforcement.
Under similar facts, the better claim as a matter of law may have been a breach of contract/negligence claim by the plan sponsor against the TPA, given that the entities and/or individuals who engaged Alight were, and are, in a contractual relationship with it. That is because it is more difficult as a matter of law to establish a duty under tort law between a noncontracting party and the alleged tortious party. Asserting this claim might also be a tactically wise decision by a plan sponsor, particularly where the sponsor might not have insurance to defend suits similar to the complaint in Disberry.
The Court Read Into the Complaint a Potentially New Extension of the Fiduciary Duty to Monitor a TPA or Recordkeeper
Even though the Court acknowledged “the Complaint does not allege any specific facts tending [to] show that the Committee in fact failed to monitor Alight’s actions,” it read into the claim that “Defendants failed to institute reasonable procedures to detect and prevent theft of Plan assets” and that the complaint was alleging in substance that the Committee failed to adequately monitor Alight.
This is interesting given that the Northern District of Illinois, on a similar set of facts, dismissed a similar monitoring claim where the allegations involved a duty to monitor the same TPA, Alight. In Bartnett v. Abbott Labs., 492 F. Supp. 3d 787, 798 (N.D. Ill. 2020), the District Court held that the monitoring claims were “conclusory” and that the plaintiff did not allege any monitoring process between the alleged fiduciary and the retained TPA/recordkeeper, let alone a defect in that process. Importantly, the Abbott court also referenced that the fiduciary duty of prudence may be limited to certain activities, like investment matters, not plan administration, and may not, as a matter of law, extend to “safeguarding of data and prevention of scams.” Id.
The difference in outcome between the Abbott decision and the Disberry decision is important, particularly for the prospective liability of plan sponsors and named fiduciaries in the aftermath of identity thefts and data and asset breach incidents. There is minimal case law concerning the scope of a fiduciary duty to monitor a TPA or recordkeeper. Also, the District Court in Disberry may not have appreciated the limited value of the monitoring duty in this context. The appointment of any service provider to a plan is a fiduciary function that requires both prudent selection and prudent monitoring. What is unclear is the nature of prudent monitoring in the context of safeguarding plan data and assets held by the service provider.
DOL guidance indicates that the duty to monitor a service provider requires that a plan fiduciary review the service provider’s performance; review any reports it provides; check the fees it charges; ask about its policies and procedures; and follow up on participant complaints. In the context of cybersecurity, the DOL has provided additional, more specific guidance, suggesting that the plan fiduciary specifically require that the recordkeeper’s cyber and other protections for plan data and assets be consistent with the Plan’s own cyber policies and procedures. Given this description of general standards of conduct, it might be difficult for any claim for failure to monitor to succeed in a case involving a single instance of theft of plan assets. However, to the extent that the duty of monitoring is tied more closely to the specific theft, the monitoring duty would be more extensive. It should also be kept in mind that the duty to monitor is a derivative duty, so that if the TPA has not committed a fiduciary breach or acted negligently, there can be no liability on the part of the fiduciary with the monitoring obligation. It will be very interesting to see how Ms. Disberry develops this theory in discovery, and what limits the District Court places on the duty in any future opinion in response to that discovery. Until regulatory and judicial guidance is conclusive regarding the scope of the duty to monitor TPAs and/or recordkeepers in the context of applying and executing cybersecurity and/or identity verification protections, plan sponsors and fiduciaries should enact policies and procedures that assume the fiduciary obligation will be applicable to them.
Sponsors, Named Fiduciaries, and Service Providers to Plans Should Be Prepared to Defend Similar Suits
Sponsors, fiduciaries, TPAs, other service providers, and custodian banks, at least until recently, have not contemplated that they can be liable for fiduciary breach in connection with data or asset breaches or identity theft incidents, given the limited regulatory and judicial guidance as to what basic procedures are required—and the basic fact that they did not commit the crime, the “fraudster” did. On the latter point, it is important to note that the jurisdiction of a potential case could be material. For example, the standard in the Second Circuit, where the Disberry case is venued, is that there must be an allegation of a “nexus” between the defendants’ discretion and the wrongdoing alleged. However, the Eleventh Circuit and Third Circuit have held that proximate cause (a stricter standard) is what must be shown.
Whichever standard applies, it is likely that attorneys representing defrauded participants in the future will allege a theory similar to the “reasonable procedures” and/or “red flags” theory alleged in Disberry; therefore, the outcome of the Disberry case bears close watching.
In the interim, it is absolutely vital that the Plan’s fiduciaries, TPAs, and recordkeepers implement prudent procedures in the maintenance of personal information, and in the distribution process that would ensure that a participant’s identity could be verified for important changes in the participant’s identifying information, and for large or unusual distribution requests. And, of course, the DOL could assist in providing stability by issuing guidance on the harder question—what if a plan’s processes are state of the art reasonable, and one or more participant accounts are still hacked?
Best practices, which may evolve over time, could include:
- sending verifications of any change to personal information held with the plan or recordkeeper to the participant’s phone and/or email in real time (rather than in a writing by mail);
- using two-step authentication practices that require a participant to answer security questions and/or provide other information uniquely in the hands of the participant; and/or
- requiring the participant, in order to receive a distribution from a plan, to provide to the custodian bank a driver’s license or other proof of identification uniquely held by the participant.
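The “red flags” theory and the best practices above amount to a simple control: a distribution request should be held for out-of-band verification when it closely follows changes to the participant’s credentials, contact details, or bank account, and the verification should go to the contact details that were on file before the change, since the current ones may now belong to the thief. The following is an added illustration written for this post; it is not code from the article, the Plan, or Alight. The thresholds (a 30-day lookback, a $50,000 “large” amount, a 90% full-balance ratio), the event and request types, and the sample history are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Thresholds are assumptions for this illustration, not any plan's actual procedures.
RECENT_CHANGE_WINDOW = timedelta(days=30)
LARGE_AMOUNT = 50_000.00
FULL_BALANCE_RATIO = 0.90

# Flags that indicate the requester's identity, not just the size of the request, is in doubt.
IDENTITY_FLAGS = {
    "credentials_reset_recently",
    "contact_info_changed_recently",
    "bank_account_changed_recently",
}


@dataclass
class AccountEvent:
    kind: str                 # "credential_reset", "contact_change" or "bank_change"
    when: datetime
    previous_value: str = ""  # contact detail on file before the change, if any


@dataclass
class DistributionRequest:
    participant_id: str
    amount: float
    account_balance: float
    requested_at: datetime


def recent_events(history: List[AccountEvent], req: DistributionRequest) -> List[AccountEvent]:
    """Events on the account inside the lookback window ending at the request."""
    start = req.requested_at - RECENT_CHANGE_WINDOW
    return [e for e in history if start <= e.when <= req.requested_at]


def red_flags(req: DistributionRequest, history: List[AccountEvent]) -> List[str]:
    """Return the red flags raised by a distribution request against the account's history."""
    flags: List[str] = []
    kinds = {e.kind for e in recent_events(history, req)}
    if "credential_reset" in kinds:
        flags.append("credentials_reset_recently")
    if "contact_change" in kinds:
        flags.append("contact_info_changed_recently")
    if "bank_change" in kinds:
        flags.append("bank_account_changed_recently")
    if req.amount >= LARGE_AMOUNT:
        flags.append("large_amount")
    if req.account_balance > 0 and req.amount / req.account_balance >= FULL_BALANCE_RATIO:
        flags.append("full_balance_withdrawal")
    return flags


def decide(req: DistributionRequest, history: List[AccountEvent]) -> Dict[str, object]:
    """Map red flags to an action and to the pre-change contact details to verify through."""
    flags = red_flags(req, history)
    if IDENTITY_FLAGS & set(flags):
        action = "hold_and_verify_out_of_band"   # do not pay until the participant confirms
    elif flags:
        action = "step_up_authentication"        # large but otherwise unremarkable request
    else:
        action = "approve"
    # Verify through the contact details that were on file BEFORE any recent change.
    verify_via = sorted({
        e.previous_value
        for e in recent_events(history, req)
        if e.kind == "contact_change" and e.previous_value
    })
    return {"action": action, "flags": flags, "verify_via": verify_via}


# Constructed sample history: credentials reset, phone and email replaced, then a new bank
# account added, all within days of a full-balance distribution request. Dates are invented.
SAMPLE_HISTORY = [
    AccountEvent("credential_reset", datetime(2020, 3, 1, 9, 15)),
    AccountEvent("contact_change", datetime(2020, 3, 1, 9, 20), previous_value="phone:+1-555-0100"),
    AccountEvent("contact_change", datetime(2020, 3, 1, 9, 21), previous_value="email:participant@example.com"),
    AccountEvent("bank_change", datetime(2020, 3, 2, 14, 5)),
]
SAMPLE_REQUEST = DistributionRequest("P-0001", 751_430.53, 751_430.53, datetime(2020, 3, 3, 10, 0))

# Constructed contrasting requests: a large request with a quiet account history, and a small one.
LARGE_QUIET_REQUEST = DistributionRequest("P-0002", 60_000.00, 400_000.00, datetime(2020, 3, 3, 10, 0))
SMALL_QUIET_REQUEST = DistributionRequest("P-0003", 2_000.00, 400_000.00, datetime(2020, 3, 3, 10, 0))

if __name__ == "__main__":
    for req, hist in [(SAMPLE_REQUEST, SAMPLE_HISTORY), (LARGE_QUIET_REQUEST, []), (SMALL_QUIET_REQUEST, [])]:
        print(req.participant_id, decide(req, hist))
```

The design point is that the decision is driven by the sequence of events, not by any single one: a credential reset or an address change on its own is routine, but either one followed within days by a new payee account and a request to drain the balance is exactly the pattern the complaint describes, and the hold gives the plan a chance to reach the participant through a channel the requester could not have altered.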
To address all of these issues, we strongly recommend fiduciaries and contract administrators closely review their practices and procedures with ERISA counsel.