A recently filed lawsuit against a trust company serving as a 401(k) plan trustee, the second of its kind in the last few months, highlights the need for plan sponsor diligence in protecting participant data and accounts in an increasingly electronic world. We only have one side of the story so far, the allegations in the complaint, but the trustee is charged with permitting a thief to get almost $125,000 from the business owner’s account. This was done through phone, email and bank accounts not associated in the trustee’s records with the owner’s account. It took several weeks for the trustee to notify the business owner, and the trustee only did so when it received and prevented a second fraudulent distribution request. The trust company has not yet restored the account.
An Illinois district court issued a split decision in a case involving the cybertheft of retirement plan assets, allowing the plan administrator and plan sponsor to be dismissed, but requiring the recordkeeper to defend allegations that it breached its fiduciary duties under the Employee Retirement Income Security Act (ERISA). Bartnett v. Abbott Laboratories, et al. (N.D. Illinois, Case No. 1:20-cv-02127) is one of several recent lawsuits filed against plan sponsors and recordkeepers for allowing cyber-thieves to pilfer large distributions from participants’ retirement plan accounts.
Heide Bartnett, a former employee of Abbott Laboratories (Abbott) and participant in Abbott’s 401(k) plan, alleges that a hacker accessed her 401(k) account online, changed the password, added a new bank account and requested a $245,000 distribution from the 401(k) plan’s recordkeeper, Alight Solutions LLC (Alight), to be deposited into the newly added account. The imposter also called Alight several times to ask questions about the distribution.