Fraud and forgery have always been of concern in commercial transactions, and the internet age has ushered in a whole new level of criminality. A recent ruling issued by a federal court in New York, Disberry v. Employee Relations Committee of the Colgate-Palmolive Company, 2022 WL 17807188 (S.D.N.Y. December 19, 2022), addressed the potential liability of persons charged with protecting employees’ retirement assets against identity theft and cybercrime.
Case Background: Identity Theft Resulting in Loss of Retirement Savings
The case involved a former Colgate-Palmolive employee, Paula Disberry, who was the victim of identity theft that resulted in losses of hundreds of thousands of dollars in retirement savings. After discovering the theft, Disberry sued her employer, a third-party service provider, Alight Solutions LLC, who controlled record keeping for the savings, and Bank of New York Mellon, the bank where the funds were maintained, seeking to recover her losses. The defendants tried to absolve themselves from the loss by filing motions to dismiss, but only the bank was successful in being removed from the lawsuit.
Alight Solutions operated a customer service center and a website that permitted employees to manage their retirement plan assets, including requests for distributions. An unknown criminal contacted the benefits information center pretending to be Disberry and was able to change the login and contact information and steal the funds. As soon as the plaintiff learned of the theft, she alerted Alight Solutions and law enforcement officials. Although Alight Solutions acknowledged that Disberry was the victim of identity theft, none of the parties responsible for maintaining her plan assets was willing to reimburse her. Disberry then sued the benefit plan, Alight Solutions, and Bank of New York Mellon for breach of fiduciary duty, maintaining the defendants were responsible for:
(1) causing or allowing the Plan to make unauthorized distributions of Plan assets,
(2) failing to identify and investigate suspicious activities and red flags,
(3) failing to identify and halt suspicious distribution requests,
(4) failing to confirm authorization for distributions with Plaintiff before making distributions,
(5) failing to provide timely notice of a request for distributions to Plaintiff by telephone or email,
(6) failing to establish distribution processes to safeguard Plan assets against unauthorized withdrawals, and
(7) failing to monitor other fiduciaries’ distribution processes, protocols, and activities.
Plan Administrator Overlooked Red Flags of Fraudulent Activity
The complaint further alleged the existence of many red flags that should have alerted the defendants of fraudulent activity:
(1) within the span of less than two months the fraudster changed Plaintiff’s phone number, email address, mailing address, and bank account information, and then requested an immediate cash distribution of Plaintiff’s entire $750,000 Plan account,
(2) the fraudster changed Plaintiff’s contact information such that her phone number and email address were in one country while her mailing address was in a different country,
(3) although Plaintiff was not yet 59 1/2 years old, the fraudster asked for an immediate cash distribution instead of a tax protected roll-over distribution, resulting in an extra 10% tax penalty,
(4) the fraudster failed to contact the International Benefits Department before requesting a distribution while residing in a foreign country, although the Plan’s Summary Plan Description (“SPD”) strongly recommended that this be done, and
(5) there were many attempts to access Plaintiff’s Plan account via telephone and online within a short time span, many of which were unsuccessful.
In response, both BNY Mellon and Alight Solutions denied they were fiduciaries. The court was unpersuaded as to Alight Solutions, finding that while it mostly engaged in ministerial acts, its direction to BNY Mellon to pay funds from the plaintiff’s account to non-authorized persons was a fiduciary act. The court also observed that the complaint clearly alleged “that Alight Solutions was the party that was having these interactions with the fraudster and that Alight Solutions at the very least is a party that should have been alerted to the possibility that someone was trying to hack into Plaintiff’s account.”
The specific “red flags” alleged in the complaint that should have alerted Alight Solutions to potential fraud were found “sufficient to establish the required ‘nexus’ between Alight Solutions’ authority and control and the wrongdoing alleged in the Complaint.” The court also suggested that, in the event it is later determined that Alight Solutions was not a fiduciary, plaintiffs should plead state law claims of negligence in the alternative.
On the other hand, the court dismissed Bank of New York Mellon, finding it was not acting as a fiduciary when it issued payment. That defendant was acting solely as a directed trustee and lacked any discretionary responsibilities. The court further found that the “red flags” indicative of fraud pled in the complaint were only triggered “via contact with the perpetrator of the fraud – and only Alight Solutions had contact with the perpetrator of the fraud.” Further, although the bank was required to maintain an information security program, the court ruled it was “not responsible to establish or maintain individual accounts or the information associated therewith.” The court added in a footnote that it did not believe the plaintiff could allege actionable common law claims against BNY Mellon.
Plan Administrator Found Potentially Liable for Negligence in Protecting Retirement Assets Against Identity Theft
However, the court allowed the claims against the plan administrator to survive since “it remains to be seen whether the Committee did take reasonable steps to protect the assets of the Plan against fraud and theft.”
This case is not the only known incident of identity theft and theft of retirement funds involving Alight Solutions. In Walsh v. Alight Solutions LLC, 44 F.4th 716 (7th Cir. 2022), the U.S. Court of Appeals for the Seventh Circuit upheld an administrative subpoena served on Alight by the U.S. Department of Labor aimed at investigating fraud. See, DeBofsky, “Labor Department Gains Court’s OK to Pursue Cybercrime Investigation” (originally published by the Chicago Daily Law Bulletin on August 30, 2022). Awareness of other instances of identity theft from accounts in which Alight Solutions has recordkeeping responsibilities is a strong suggestion of potential negligence, especially in view of the series of “red flags” identified in Disberry’s complaint.
Having fiduciary responsibility means “something stricter than the morals of the market place. Not honesty alone, but the punctilio of an honor most sensitive is then the standard of behavior” according to the landmark ruling in Meinhard v. Salmon, 249 N.Y. 458, 164 N.E. 545 (1928) authored by Justice Benjamin Cardozo. The ERISA law also specifies that a fiduciary must act “with the skill, prudence, and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of like character and with like aims.” 29 U.S.C. § 1104(a)(1)(B). Alight Solutions was also contractually required to assume responsibility to maintain adequate security for the participants’ accounts and was also in the best position to have prevented the loss.
Plan Administrators Need to Use Due Diligence and Leverage Machine Learning to Detect and Prevent Identity Theft
Although Alight Solutions utilized security measures such as passwords and personal identification numbers to protect retirement accounts, obviously an additional layer of security was necessary since those measures were inadequate to protect against sophisticated identity theft. Consequently, between the plan participant and Alight Solutions, the recordkeeper was in a superior position to have prevented the loss. Given the ubiquity of cybercrime, the number of unusual activities that were taking place, and the amount of the transfer that was requested, a security alert should have been triggered to prevent the funds from being transferred without further verification. Machine learning and artificial intelligence techniques have reached such a level of sophistication that almost all fraud is detectable, and only if organizations such as Alight Solutions are required to face potential liability will they have the incentive to implement such protections.
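As an added illustration (not part of the court record and not any recordkeeper's actual system), the red flags alleged in the complaint can be written as plain rules over an account's event history, with a hold and an out-of-band callback when two or more apply. The event fields, thresholds, placeholder country codes and sample timeline are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=60)  # assumption: look-back for "less than two months"
MIN_FIELDS = 3               # assumption: contact fields changed before it counts
MAX_FAILED = 3               # assumption: failed access attempts before it counts

def recent(events, request):
    """Events in the look-back window before the request, oldest first."""
    hits = [e for e in events if timedelta(0) <= request["ts"] - e["ts"] <= WINDOW]
    return sorted(hits, key=lambda e: e["ts"])

def red_flags(events, request, balance, age):
    """Return the red flags that apply to one distribution request."""
    window = recent(events, request)
    changes = [e for e in window if e["type"] == "profile_change"]
    flags = []
    if len({c["field"] for c in changes}) >= MIN_FIELDS and request["amount"] >= 0.9 * balance:
        flags.append("contact_rewrite_then_full_withdrawal")
    country = {c["field"]: c["country"] for c in changes if c.get("country")}
    if len(set(country.values())) > 1:
        flags.append("contact_countries_differ")
    if age < 59.5 and request["kind"] == "cash":
        flags.append("early_cash_not_rollover")
    if sum(e["type"] == "login" and not e["ok"] for e in window) >= MAX_FAILED:
        flags.append("repeated_failed_access")
    return flags

def decide(events, request, balance, age):
    """Hold on two or more flags; call back on a number the requester did not set."""
    flags = red_flags(events, request, balance, age)
    if len(flags) < 2:
        return {"action": "release", "flags": flags}
    phones = [e for e in recent(events, request)
              if e["type"] == "profile_change" and e["field"] == "phone"]
    callback = phones[0]["old"] if phones else request["phone_on_file"]
    return {"action": "hold", "flags": flags, "callback": callback}

D = datetime.fromisoformat
# Constructed sample timeline (not data from the case).
EVENTS = [
    {"ts": D("2024-01-10"), "type": "login", "ok": False},
    {"ts": D("2024-01-10"), "type": "login", "ok": False},
    {"ts": D("2024-01-11"), "type": "login", "ok": False},
    {"ts": D("2024-01-12"), "type": "profile_change", "field": "phone", "old": "+1-555-0100", "country": "XA"},
    {"ts": D("2024-01-15"), "type": "profile_change", "field": "email", "old": "owner@example.com", "country": "XA"},
    {"ts": D("2024-02-02"), "type": "profile_change", "field": "mailing_address", "old": "1 Example St", "country": "XB"},
    {"ts": D("2024-02-20"), "type": "profile_change", "field": "bank_account", "old": "acct-1"},
]
REQUEST = {"ts": D("2024-03-01"), "amount": 750_000, "kind": "cash"}
```

The callback deliberately uses the phone number that was on file before the first change in the window, so the confirmation reaches the participant and not whoever rewrote the contact details.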