New Lawsuit Highlights Importance of Cybersecurity for Retirement Plans

A former 401(k) plan participant is suing the plan sponsor and plan providers after unauthorized distributions were made from her account.

A former participant in the Estee Lauder 401(k) plan has sued the plan sponsor and plan providers for failing to safeguard her retirement account.

According to the complaint, in September and October 2016, an unknown person or persons stole the participant’s retirement savings by withdrawing a total of $99,000 in three separate unauthorized distributions from her account in the plan.

The lawsuit names as defendants Estee Lauder; Alight Solutions, whose predecessor Hewitt Associates was the recordkeeper to the plan at the time; and State Street Bank & Trust, the plan’s custodian.

Alight Solutions said it has no comment. Estee Lauder and State Street did not respond to a request for comment.

The complaint says by June 30, 2016, the participant’s account balance in the Lauder Plan had grown to more than $90,000. However, in October, she received by mail two documents entitled “Confirmation of Payment – 401(k) Savings Plan,” one of which stated the plan had distributed $37,000 from the participant’s account to a checking account at Suntrust Bank. The second stated that the plan had distributed $50,000 from her account to a checking account at TD Bank.

In addition, when the participant received by mail her plan account statement for the third quarter of 2016, it showed a withdrawal of $12,000. She received no confirmation letters for this withdrawal, but learned from Estee Lauder that the $12,000 had been distributed on September 29, 2016, to an account at Woodforest National Bank.

The complaint says the participant never requested or authorized any distribution from the plan and never had any account at Woodforest National Bank, Suntrust Bank, or TD Bank.

Upon receiving the first confirmation of payment, she telephoned the Hewitt Customer Service Center at the number on the confirmation form and was informed that her remaining account balance was $3,791. The Customer Service Center stated that it would investigate the unauthorized distributions, but never provided the participant with any information regarding its investigation.

According to the complaint, between October 24, 2016, and January 2, 2017, the participant made at least 23 calls to the Customer Service Center regarding the unauthorized distributions. Ultimately, it informed her that it had completed its investigation, no money had been recovered, and her plan account would not be made whole for the losses.

On or about October 25, 2016, the participant reported the unauthorized distributions to the San Francisco Police Department and the FBI, and placed a fraud alert on her credit file with Equifax.

On November 7, 2016, State Street emailed her and requested that she complete an “Affidavit of Forgery” for each unauthorized distribution. The participant returned the requested affidavits the same day, but State Street did not contact her further.

The lawsuit claims that the defendants breached their fiduciary duties of loyalty and prudence by causing or allowing the unauthorized distributions of plan assets; failing to confirm authorization for distributions with the plan participant before making distributions; failing to provide timely notice of distributions to the plan participant by telephone or email; failing to identify and halt suspicious distribution requests, such as requests for multiple distributions to accounts in different banks; failing to establish distribution processes to safeguard plan assets against unauthorized withdrawals; and failing to monitor other fiduciaries’ distribution processes, protocols and activities.

In addition, Estee Lauder is being sued for not timely providing plan documents that were requested by the participant’s lawyer.

Among other things, the lawsuit seeks an order that the defendants restore to the participant’s plan account $99,000, plus investment earnings thereon from the distribution dates to the date of judgment.

The case highlights the importance of provider process reviews regarding cybersecurity. There are also things retirement plan sponsors and participants can do to safeguard accounts.

Andy Adams and Jay Schmitt, with Strategic Benefits Advisors, have provided information about what makes retirement plan data vulnerable and actionable steps to protect it from fraud.

The cybersecurity threat is so pervasive that lawmakers have asked the Government Accountability Office (GAO) to examine the cybersecurity of the U.S. retirement system.