Fiduciaries Did Not Breach Duties by Hiring TPA That Allowed Identity Thief to Withdraw 401(k) Funds
Bartnett v. Abbott Labs., 2021 WL 428820 (N.D. Ill. 2021)

A federal trial court has dismissed certain of a 401(k) plan participant’s claims stemming from an identity thief’s unauthorized withdrawal of $245,000 from her plan account. The thief had accessed the participant’s account through a website maintained by the plan’s TPA and added deposit information for a new bank account. Two of the TPA’s customer service representatives unwittingly gave information to the thief that facilitated the unauthorized plan withdrawal and deposit into the new account. The participant sued the plan, plan sponsor, and designated plan administrator (the “corporate parties”), alleging that they had breached ERISA fiduciary duties by hiring a TPA that fumbled its cybersecurity and data privacy responsibilities, lacked retirement plan experience, failed to provide quality administrative services, had inadequate policies and practices, and had been the subject of recent litigation and enforcement actions. The participant also sued the TPA, but those claims are proceeding separately and were not addressed in the court’s opinion.

At this stage of the proceedings, the corporate parties did not contest their fiduciary status or the participant’s harm, so the court focused on whether they had breached their fiduciary duties. Addressing the assertion that the corporate parties had breached their duty of prudence by hiring the TPA or renewing its contract, the court held that the participant failed to allege objectively unreasonable actions. Although the participant cited several incidents in which the TPA improperly disclosed personal information or allowed unauthorized withdrawals, all of the incidents occurred long after the decision to hire the TPA. And while some incidents happened before the contract renewal decision, they were limited in size and scope, did not involve significant lapses in security protocols, did not result in stolen client funds, and did not affect the participant’s plan. Thus, the court could not conclude that the rehiring decision was objectively unreasonable. Nor did the cited incidents support the participant’s claim that the corporate parties had breached their duty to monitor plan service providers, because fiduciaries are not required to monitor a service provider’s performance for other plans. As a result, the court dismissed all claims against the corporate parties.

EBIA Comment: Although this case involved identity theft, the court’s analysis did not specifically address cybersecurity standards. Notably, however, a recent Government Accountability Office report warns that 401(k) and other defined contribution retirement plans face significant cybersecurity risks and recommends that the DOL (1) formally state whether cybersecurity is an ERISA fiduciary responsibility, and (2) establish minimum expectations for mitigating cybersecurity risks. Pending any formal action by the DOL, strong security can help protect an organization’s business reputation, maintain good employee relations, avert litigation, and avoid the expense and inconvenience of breach notification. Although HIPAA’s security provisions do not apply to retirement plans, they can provide a framework for retirement plan fiduciaries. For more information, see EBIA’s 401(k) Plans manual at Sections XII.L (“Account Theft and Cybersecurity”) and XXIV.G.2 (“Selecting and Monitoring Service Providers”). See also EBIA’s HIPAA Portability, Privacy & Security manual at Section XXIX.E (“Developing Your Security Program”).

Contributing Editors: EBIA Staff