Cohen & Buckmann, P.C.

New Cybersecurity Decision Highlights Potential Claims Against Plan Sponsors

By Carol Buckmann

ERISA was enacted before the computer age, so it has no specific provisions on cybersecurity. The IRS and the Department of Labor haven’t issued any formal guidance that discusses ERISA cybersecurity responsibilities either. This means that the courts may eventually have to define the ERISA responsibilities of the parties who administer a plan when a cybersecurity breach results in theft of a participant’s account. 

Based on long-standing ERISA law, it seems likely that plan sponsors will be held accountable for failing to fulfill their fiduciary responsibilities of prudence and loyalty when the vendors they hire allow a breach to occur. However, one reason the law has not been clarified to date is that often these participant claims have been settled quietly. Even a much-publicized lawsuit against Estee Lauder and its plan committee ended up being settled before trial. A pending suit against Abbott Labs could proceed to trial, and there have also been two preliminary decisions in Leventhal v. MandMarblestone Group LLC, another case with the potential to clarify the rules.

The Facts.

In Leventhal, plaintiff sued because his account was drained of $400,000 by an imposter. The imposter obtained a copy of the form used by plaintiff for a prior withdrawal and used it to pose as the law firm’s office administrator to direct distributions to a new bank not previously associated with the account. Plaintiffs claimed that the custodian, Nationwide, failed to authenticate withdrawal forms and signatures. The criminal authorities were unable to recover the funds, and plaintiff’s insurance did not cover the loss.

Why This Case Is Different.

A key difference from the facts stated in other cybertheft lawsuits is that the participant here was a co-trustee of the plan. He was also a principal in the firm that both sponsored the plan and was listed in the plan document as the plan administrator. A prior decision did not dismiss fiduciary claims against MandMarblestone (MMG) as administrator (although it appeared from the later decision that MMG was not designated as the administrator in the plan document) or Nationwide, and subsequent decisions will undoubtedly sort out the fiduciary status of the parties. However, Nationwide argued that fiduciary status was not relevant because “[p]laintiff has failed to allege any breach of fiduciary duty under ERISA because there is no duty to prevent forgeries.”

State law claims for breach of contract and negligence were also filed against the defendants, but in the initial decision, the court held that these claims were preempted by ERISA.

Claims Against the Plaintiffs.

New counterclaims by the defendants allege that the law firm, not MMG, is the plan administrator and that the firm contributed to the breach by failing to take proper precautions, including letting an employee who appears to have been the office administrator work remotely from a home computer that was breached by the imposter. The court ruled that while fiduciaries may not reduce their own liability by alleging that other parties were negligent, claims could proceed against the plaintiffs for contribution and indemnification between co-fiduciaries. (This assumes, of course, that MMG and/or Nationwide are determined to be fiduciaries.) It also dismissed a third-party complaint filed by Nationwide seeking contribution from the as-yet-unidentified imposters.

Good Procedures Help Deter Cybertheft.

While this litigation hasn’t yet proceeded to an analysis of the parties’ legal obligations, the fact statements suggest some procedures that this plan sponsor and its vendors could have adopted to help reduce the risk of cybertheft of accounts. For example, if the participant had been asked to confirm the transaction by text to a phone number on file, by a message to an email account on file, or even by an old-fashioned phone call to a landline before assets were transferred out of the account, a theft might have been prevented. Where online forms are filed, multiple authentications should be the norm. Making sure that remote workers use secure computers should also be a priority in this age of remote work. Newly issued IRS guidance permitting certain remote notarizations of participant elections and spousal consent and remote appearances before a plan representative in 2020 may increase the risk of cyberfraud and require new security procedures.
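The out-of-band confirmation step described above, written out as an added illustration (this is not code from the post, the plan, or any custodian): a distribution request naming a bank not already on file is held until the participant confirms it through a contact channel taken from the account record, never from the submitted form. Field names, the six-digit code, and the `send` callback are assumptions for the example.

```python
"""Distribution-release check modeled on the facts in Leventhal (added example)."""
from dataclasses import dataclass, field
import hmac
import secrets


@dataclass
class ParticipantRecord:
    # Contact details and payee banks already on file (assumed fields).
    phone_on_file: str
    known_bank_accounts: set
    pending: dict = field(default_factory=dict)  # request_id -> confirmation code


@dataclass
class DistributionRequest:
    request_id: str
    destination_bank: str  # e.g. "routing:account" as written on the form
    amount: float


def requires_out_of_band_confirmation(rec: ParticipantRecord, req: DistributionRequest) -> bool:
    # Any destination not previously associated with the account must be confirmed.
    return req.destination_bank not in rec.known_bank_accounts


def start_confirmation(rec: ParticipantRecord, req: DistributionRequest, send) -> str:
    # The code goes to the phone number on file; the form cannot choose the channel.
    code = f"{secrets.randbelow(10**6):06d}"
    rec.pending[req.request_id] = code
    send(rec.phone_on_file, f"Confirm withdrawal {req.request_id} of {req.amount:,.2f} with code {code}")
    return code


def release_funds(rec: ParticipantRecord, req: DistributionRequest, supplied_code=None) -> str:
    if not requires_out_of_band_confirmation(rec, req):
        return "released"  # destination already on file
    expected = rec.pending.get(req.request_id)
    if expected is None or supplied_code is None:
        return "held: awaiting out-of-band confirmation"
    if not hmac.compare_digest(expected, supplied_code):
        return "held: confirmation mismatch"  # wrong code; funds stay put
    del rec.pending[req.request_id]  # one-time use
    return "released"
```

A real custodian would also log the held request and alert the plan administrator, but the control that matters here is that the new-bank transfer cannot complete on the strength of the form alone.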

No procedures will ever be 100% effective in preventing these breaches, which is why the law firm should have had appropriate insurance. However, plan sponsors who are proactive in developing good cybersecurity procedures in consultation with outside experts and auditing their vendors’ procedures might avoid being found liable in a lawsuit such as this one.