401(k) plan hacked? Plan sponsors can't always blame the recordkeeper
Employers do have some level of responsibility for cybersecurity, despite a recent court ruling to the contrary. But there are steps they can take to avoid such risk in the first place.
Plan sponsors of corporate 401(k) accounts may be breathing a collective temporary sigh of relief after a U.S. District Court judge in Illinois recently rejected an argument that Abbott Laboratories was partially liable in the case of a former employee who had her retirement funds fraudulently withdrawn.
The recordkeeper or administrator of the 401(k) account – Alight Solutions, LLC – did not fare as well, and a suit against that company from the account participant remains in effect.
The ruling could have significant impact for plan sponsors, who earlier this year had been put on notice that they could share in any liability for individual 401(k) accounts that are hacked and potentially drained of funds.
On the trail of a hacker
The case at hand involves Heide Bartnett, 59, of Darien, Illinois, a retired former employee of Abbott Laboratories. Bartnett had $245,000 withdrawn from her retirement account by a cyber attacker who was subsequently traced to an IP address in India. Through a series of well-coordinated digital and paper steps, the hacker was able to:
- Take advantage of the “forgot password” option to gain access to Bartnett’s 401(k) account.
- Seize control of Bartnett’s email and thereby control any subsequent notices regarding the account.
- Attach a bogus bank account against Bartnett’s 401(k) account, and delete notice of the change in account access status.
- Make requests for disbursement of funds to that new bank account before she could learn of the actions.
Like most 401(k) account holders, Bartnett relied on regular statements on account activity, but by the time she got notice by regular mail that revealed the withdrawals, the cybercriminal was long out of the picture, as were her funds.
In response, Bartnett filed suit against Abbott Labs and Alight, claiming that both parties had failed in their fiduciary duties to safeguard her account. The court decided that “the complaint fails to allege any fiduciary acts taken by Abbott Labs, no less link them to the theft.”
The ruling by Judge Thomas M. Durkin of the U.S. District Court for the Northern District of Illinois was especially noteworthy for two reasons. First, Bartnett’s case remains one of the most highly publicized with regard to cyber hacking of 401(k) plans. Do a search for 401(k) plans and cyber fraud, and odds are that the Bartnett case will be in the top search results.
Second, an earlier 2020 case put all account holders, plan sponsors and plan administrators equally on notice that in the event of a cyber hack or breach, all parties could potentially be liable.
That case was Leventhal v. MandMarblestone Group, LLC. In May, the Eastern District Court of Pennsylvania ruled that 401(k) plan sponsors can be held equally liable with plan administrators when such accounts are breached.
The court in that case said this is especially true when the employer has inadequate security defenses or if impacted plan holders (employees) work remotely or without adequate safeguards.
In this particular case, the judge ruled that while the plan administrator has an obvious obligation for security, plan sponsors must also provide security measures and train employees in security best practices. In the midst of the pandemic, with millions of American workers now home-based, the ruling could have far-reaching impact with regard to cyber security training and best practices.
Pandemic brings new opportunities for cyber crooks
Cyberattacks against 401(k) accounts have been on the rise for the past couple of years, but especially so in the past several months.
In another notable case, a former employee of Estee Lauder sued the cosmetics firm and its plan administrator, again Alight Solutions LLC, after discovering that three distributions had been made from her plan – of $37,000, $52,000 and $12,000, for a total of $99,000 – without her knowledge or consent. The former Estee Lauder employee also claimed the firms breached their fiduciary duty by failing to secure and protect her account.
Strong cybersecurity around 401(k) accounts is especially important during the pandemic, says Jeffrey D. Mamorsky, co-chairman of the Global Human Capital and Compensation and Benefit Groups at Greenberg Traurig in New York.
In March, in an effort to make it easier for out-of-work Americans to gain access to critically-needed funds, Congress passed the 2020 CARES Act. While the legislation makes it easier for citizens to take early retirement plan distributions, it can also make it easier for cyber crooks to do the same, Mamorsky explains.
It is easy to see why cyber crooks would be drawn to 401(k) accounts. Quite simply, for those citizens that have one, the 401(k) account is probably their largest single financial asset.
“The average 401(k) account has thousands of dollars more than the average checking or savings account,” notes Jeffrey Brown, chief information security officer for the State of Connecticut. “They also typically do not have the same security controls as a bank account. Until recently, many of these accounts didn’t even have multifactor authentication (MFA) and other security controls that would be found on your typical bank account. Your average person might log in to check a 401(k) balance once a month, once a quarter or even less. By then the damage may have been done and the money can be very hard to recover.”
As noted, successful hacking and scams against 401(k) accounts generally involve several steps.
“The criminals appear to be very diligent and employ a variety of methods,” explains Richard Carpenter, president of USVI Pensions in the U.S. Virgin Islands. “In the Abbott Labs case, they scammed the Alight call center. I am aware of a case in Texas where they targeted the physical mailbox at the participant’s home; they appear to have stolen the participant’s quarterly statement and used that information to develop their profile. Some service providers (mostly smaller ones) are appallingly lax when it comes to collecting employee data. Last year I spoke with the owner of a small TPA that told me they collected all data via Excel spreadsheets delivered by regular e-mail. Just in that one case, there are probably 20,000 participant records compromised.”
Plan sponsors do share some level of responsibility
In the event of a successful hack of a 401(k) plan, Brown says plan sponsors do have some level of responsibility regardless of the circumstances.
“In some cases, they will make clients whole regardless of the circumstances. Others treat this as a shared responsibility and even publish parameters,” Brown explains. “For example, Lincoln Financial publishes a set of expectations for clients and then guarantees to make clients whole as long as they hold up their side by not sharing passwords and other basic security requirements. This is interesting, because the cyber guarantee has become a business differentiator for some plan sponsors.”
Brown says plan sponsors should put renewed attention on cyber defense strategies, including the proper training of plan participants in how to best protect their own funds.
“I’d like to see more ‘secure by default’ settings applied to these accounts, rather than letting people opt-in to controls like multifactor authentication (MFA),” Brown says. “It still takes some time and attention to turn on alerts and other settings that could indicate a problem. We need to make security easier on the end users. Users also need to immediately report issues and you need to make sure they know how to do that. The faster an incident is investigated, the greater the likelihood that the money can be recovered. Time is not on your side in these scenarios.”
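Added example, not code from the article or from any of the firms it names: a hold-and-notify check, in Python, over a hypothetical participant event log. It holds a payout that follows the chain described in the Bartnett case (password reset, contact email change, newly linked bank account) and routes the confirmation to the contact points that existed before the change, the "secure by default" posture Brown argues for. The event schema and the thresholds are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical event schema, constructed for this example; not any recordkeeper's real log format.
@dataclass
class Event:
    ts: datetime
    kind: str        # "password_reset", "email_changed", "bank_added" or "disbursement"
    value: str = ""  # bank id for bank_added/disbursement; new address for email_changed
    prior: str = ""  # previous address for email_changed (still controlled by the real owner)

# Assumed policy thresholds, not figures from the article.
MIN_BANK_AGE = timedelta(days=10)  # payouts to a newly linked account are held
LOOKBACK = timedelta(days=30)      # recent credential or contact changes raise the risk

def assess_disbursement(events, idx):
    """Return (decision, reasons, notify) for the disbursement at events[idx].
    notify holds contact points that predate any recent change, so the
    confirmation is not swallowed by an attacker-controlled inbox."""
    req = events[idx]
    if req.kind != "disbursement":
        raise ValueError("not a disbursement event")
    reasons, notify = [], {"postal_address_on_file"}
    linked = [e for e in events[:idx] if e.kind == "bank_added" and e.value == req.value]
    if not linked:
        reasons.append("destination account was never linked")
    elif req.ts - linked[-1].ts < MIN_BANK_AGE:
        reasons.append(f"destination account linked {(req.ts - linked[-1].ts).days} days ago")
    for e in events[:idx]:
        if req.ts - e.ts > LOOKBACK:
            continue
        if e.kind == "password_reset":
            reasons.append("password reset in lookback window")
        elif e.kind == "email_changed":
            reasons.append("contact email changed in lookback window")
            notify.add(e.prior)  # tell the address the owner still reads
    return ("hold" if reasons else "allow", reasons, sorted(notify))

# Constructed timeline mirroring the chain in the Bartnett case.
T0 = datetime(2020, 1, 1)
ATTACK = [
    Event(T0, "password_reset"),
    Event(T0 + timedelta(days=1), "email_changed", "new@example.invalid", "owner@example.invalid"),
    Event(T0 + timedelta(days=2), "bank_added", "bank-9"),
    Event(T0 + timedelta(days=4), "disbursement", "bank-9"),
]
# Constructed benign timeline: long-standing bank account, no recent changes.
BENIGN = [Event(T0 - timedelta(days=400), "bank_added", "bank-1"), Event(T0, "disbursement", "bank-1")]
```

The same check generalizes to any payout channel (check, wire, rollover) as long as the destination and the contact changes are logged as events with timestamps.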