ERISA Claims Arising from Unauthorized Retirement Account Access
Cybersecurity breaches concerning workers' personal information and retirement savings have increased liability risks for benefit plans and third-party administrators under federal benefits laws. In February 2021, the U.S. Government Accountability Office (GAO) issued a report warning about these increased legal risks for ERISA plan fiduciaries due to cyber breaches. The GAO also warned that outsourcing various functions involving retirement plans to third-party administrators could increase the potential for unauthorized access to participants' information.
In recent years, the GAO's warnings have become a reality. For example, Paula Disberry, a retired employee of Colgate-Palmolive, has sued her former under ERISA, alleging that plan fiduciaries breached their legal duties by failing to prevent someone from hacking into her 401(k) account. In her case, the hacker took over her retirement account and drained it of more than $750,000. The case is Disberry v. Employee Relations Committee of the Colgate-Palmolive Co. et al., case number 1:22-cv-05778, U.S. District Court for the Southern District of New York.
Similar claims that individual retirees brought against Abbott Laboratories in 2020 and Estee Lauder in 2019 resulted in a settlement. In those cases, the retirees claimed that plan fiduciaries breached their duties under ERISA by allowing unauthorized distributions from their retirement accounts.
Seventh Circuit Affirms DOL Authority to Investigate Cybersecurity Breaches
In Martin Walsh v. Alight Solutions LLC, case number 21-3290, the U.S. Court of Appeals for the Seventh Circuit recently considered a challenge to the U.S. Department of Labor (DOL)'s authority to investigate cybersecurity breaches. Alight Solutions LLC provides administrative and recordkeeping services for over 750 employee benefits plans. The company appealed an Illinois federal court-ordered subpoena issued in a DOL investigation into whether cybersecurity breaches caused unauthorized distributions from ERISA plan accounts. In its challenge, Alight argued that investigating it for nonfiduciary acts fell outside the scope of the DOL's authority. Nonetheless, the Seventh Circuit rejected Alight's argument and ordered it to comply with the subpoena, forcing it to turn over the requested documents to the DOL.
The Illinois federal district court refused to stay the subpoena pending appeal. A federal magistrate judge did approve a protective order limiting how federal agencies could share the information that the DOL obtained during its investigation.
Proposed Class Action Targets Benefits Administration Company
After benefit administration company Transamerica Retirement Solutions advised him that a 2021 cybersecurity breach resulted in the theft of his personal information, employee plan participant Eric Giannini sued the company in a New York federal district Court. In Giannini v. Transamerica Retirement Solutions LLC, case number 7:21-cv-10282, U.S. District Court for the Southern District of New York, Giannini alleges state tort claims on behalf of thousands of individual retirement fund plan participants affected by the data breach. Giannini seeks more than $5 million in damages and an injunction prohibiting Transamerica from misusing private information and requiring it to issue prompt and complete disclosures. Giannini also asks for changes in Transamerica's cybersecurity policies and at least three years of credit monitoring services for affected class members in his suit.
Benefit Plan Consulting Firm Faces Mega Class Action Over Security Leak
Horizon Actuarial Services LLC is facing a class action consisting of five consolidated lawsuits covering more than 2.5 million people. The consolidated suit, pending in the U.S. District Court for the Northern District of Georgia, stems from a November 2021 data breach involving sensitive information from participants in more than two dozen employee benefit plans, including several multi-employer plans. The cases are Sherwood v. Horizon Actuarial Services LLC, case number 1:22-cv-01495; Quan v. Horizon Actuarial Services LLC, case number 1:22-cv-01531; Bedont v. Horizon Actuarial Services LLC, case number 1:22-cv-01565; Torrano v. Horizon Actuarial Services LLC, case number 1:22-cv-01674; and Hill v. Horizon Actuarial Services LLC, case number 1:22-cv-01676, U.S. District Court for the Northern District of Georgia.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.