Plan fiduciaries tut-tutted that this was certainly a terrible thing, but insisted that they did nothing wrong. No money was forthcoming. Disberry v. Emp. Relations Comm. of Colgate-Palmolive raises urgent questions about what ERISA’s fiduciary “duty of prudence” really means in light of twenty-first-century cyber threats. This is an ERISA lawsuit to watch in 2023.
Nightmare facts
Paula Disberry worked for Colgate-Palmolive from December 1993 to March 2004 in England, Mexico, and the United States. She began to make contributions to her Plan account in 1998. She left the company in March 2004, and has lived in South Africa since 2008. As of March 17, 2020, her account balance in the Plan was just over $750,000. This was a significant portion of her retirement savings.
When Disberry moved to South Africa in 2008, she updated her contact information with the Plan, including a physical mailing address, an email address, and a cell phone number. She updated her contact information again in 2016. That information has not changed since that 2016 update.
On January 29, 2020, an unknown individual contacted the Plan's Benefits Information Center through a telephone customer service center operated by Alight Solutions, the Plan’s third-party administrator. The caller pretended to be Disberry and asked Alight to update her contact information.
Alight sent a temporary personal identification number by “snail mail” to Disberry’s South Africa address. Disberry never received the letter and alleges that the fraudster - and/or others working with her - intercepted her mail and stole the temporary PIN.
On February 24, 2020, the thief used the temporary PIN to create a new permanent PIN for Disberry’s account. The fraudster also caused Alight to change the phone number and email addresses associated with the account to a new number and email address.
On March 9, 2020, the thief used Alight’s website to request a direct deposit at a Bank of America branch with a Las Vegas address. The looter made several more attempts to have the balance in Disberry’s account deposited to the Las Vegas bank account. She also changed the mailing address in South Africa to an address in Las Vegas.
On March 20, 2020, BNY Mellon, the Plan’s Trustee, mailed a check for $601,144.42 ($751,430.53, the gross amount of the distribution, less mandatory tax withholdings) to the Las Vegas mailing address. Whoever received the check cashed or deposited it at a bank in Las Vegas on March 27, 2020.
Disberry discovered that the money was missing on September 14, 2020. She asked Alight to put a freeze on the account, but by then it was too late. The money was gone.
Red flags
Disberry alleges that the Plan, Alight and BNY Mellon should have become suspicious that fraudulent activity was taking place because:
- within the span of less than two months the fraudster changed Disberry’s phone number, email address, mailing address, bank account information, and then requested an immediate cash distribution of the entire account;
- the fraudster changed Disberry’s contact information such that her phone number and email address were in one country while her mailing address was in a different country;
- although Plaintiff was not yet 59 ½ years old, the fraudster asked for an immediate cash distribution instead of a tax-protected roll-over distribution, resulting in an additional 10 percent tax penalty;
- the fraudster failed to contact the International Benefits Department prior to requesting a distribution while residing in a foreign country, although the Plan's Summary Plan Description strongly recommended that this be done; and
- there were many attempts to access Disberry’s Plan account online and via telephone within a short time span, many of which were unsuccessful.
How safe are your retirement savings?
There is very little case law or regulatory guidance on the question of what steps plan sponsors should take to protect participants’ accounts from cybercrime. Plan sponsors need some certainty about what ERISA’s requirement of prudent management means. More importantly, though, workers should be able to expect that their retirement savings are protected from increasingly sophisticated thieves.