
401(k) Hack Triggers Suit Against Plan, RK, Trustee

Litigation

An ex-participant whose 401(k) account was drained of some $750,000 by a “fraudster” has filed suit against the plan fiduciaries, the recordkeeper and the trustee for alleged breaches of fiduciary duty in not preventing the theft.

The participant-plaintiff here is one Paula Disberry, who worked for Colgate-Palmolive from December 1993 to March 2004, in England, Mexico and the United States. Disberry left Colgate-Palmolive to return to England in March 2004, but left her 401(k) savings in the Colgate-Palmolive plan. As of March 17, 2020, her account balance under the Plan was just over $750,000. Disberry moved to South Africa in 2008, and upon moving there she updated her contact information with the Plan. According to the suit (Disberry v. Emp. Rels. Comm. of the Colgate-Palmolive Co., S.D.N.Y., No. 22-cv-05778, complaint filed 7/7/22) in June 2016, she again submitted to the Plan an update of her contact information, which consisted of her physical mailing address, email address and cellphone number. Her contact information has remained the same since that time.

What Happened

In or about August 2020, she tried to access her account—but was blocked from doing so, told that she was entering the incorrect username ID and password. She then contacted Colgate-Palmolive and the Benefits Information Center (run by Alight, who was the plan’s recordkeeper) to request access and information about her account—and on Sept. 14, 2020, was informed that the entire balance of her Plan account, totaling $751,430.53, had been distributed from the Plan in a single taxable lump sum. She later learned that the account balance had been distributed in March 2020 to an individual with an address and bank account in Las Vegas.

The suit cites information from Alight that this “fraudster” first contacted the Benefits Information Center by telephone on Jan. 29, 2020, identified herself as Disberry, and requested to update the contact information that was on file with the Plan. In turn, Alight sent a temporary personal identification number (PIN) by mail to Disberry’s South Africa address. Somehow the fraudster and/or others working in conjunction with her intercepted the mail and acquired the PIN. 

PIN ‘Drop’

On Feb. 24, 2020, the fraudster again contacted the Benefits Information Center, used the temporary PIN, and created a new permanent PIN. They also then requested that Disberry’s phone number be changed to a new number, and that her email address be changed to a new email address. And then later that month, the fraudster requested information on how to reset the online user ID and password, received that instruction, and then made those changes. 

On March 9, 2020, the fraudster accessed Disberry’s Plan account online, added information for direct deposit for a Bank of America branch with a Las Vegas address, and on March 17, 2020, the fraudster accessed Disberry’s Plan account using the Colgate-Palmolive Benefits website and requested a distribution of Disberry’s entire Plan account via direct deposit to the Bank of America account in Las Vegas, which had been added the prior week. The fraudster also changed Disberry’s address online from the address in South Africa to an address in Las Vegas. Told by the benefits representative that the Plan did not offer distributions by direct deposit, the fraudster then told the benefits representative that she wanted a total distribution by check, to be sent to the Las Vegas address that the fraudster had added to the account earlier that same day—and on March 20, 2020, the distribution was processed for $751,430.53 gross ($601,144.42 net of mandatory tax withholdings). Subsequently, a confirmation of payment notice was sent by mail to the Las Vegas address. 

The suit claims that according to a report of a fraud investigation conducted by Alight in September 2020 (after Disberry alerted them to the theft of Plan assets), at least seven additional phone calls to the Benefits Information Center and at least 11 additional website log-in attempts were made by the fraudster (and/or others acting in concert with the fraudster) during the first half of 2020, during which the individual attempted to access Disberry’s account information, but was unable to authenticate the call or was unable to provide the PIN, address, phone number or email address on file for the account. However, on Sept. 14, 2020, immediately upon discovery of the fraud, Disberry contacted Colgate-Palmolive. Alight placed a freeze on Disberry’s account (even though there were no longer any funds in it), reviewed the activity associated with the account, and “based on this review, determined that Ms. Disberry appeared to have been the victim of identity theft and theft of Plan funds.”

Other Attempts

Ostensibly for a procedural contrast, the suit notes that the fraudster also attempted to access Disberry’s funds under Colgate-Palmolive’s defined benefit pension plan, though it’s not at issue in this case. They were able to gain access to her defined benefit account sufficiently to alter certain personal information (changing the address on file to a Salt Lake City, UT address, another South African email address, and another South African mobile number), but were unable to obtain a lump sum distribution from that account “because of the security measures implemented by that plan, including but not limited to requiring proof of identification (e.g. driver’s license or passport) prior to distribution of funds.” The suit notes that Alight was not involved with administration of that plan, and that—unlike the defined benefit plan—“the Plan at issue in this case did not require proof of photo identification prior to distribution of funds.” 

The fraudster must have really had it in for Disberry, because they also apparently tried to access her account under a pension plan sponsored by another former employer (the Momentum Gibraltar Pension Plan), and were also able to gain access to that account sufficient to alter certain personal information—but were unable to access funds “because of the security measures implemented by that plan, including a telephone and email notification of the requested change of personal details to the phone number and email address previously provided to that plan, and calling Ms. Disberry’s financial advisor (who had previously contacted the plan on Ms. Disberry’s behalf),” according to the suit. 

The suit rejects the notion that “reasonable procedures” were in place or followed in the case at hand, noting that “the fact that within the span of less than two months, a person claiming to be a Plan participant changed the participant’s phone number, email address, mailing address, and bank account information, and then requested an immediate cash distribution of the participant’s entire $750,000 Plan account, should have been red flags that triggered further action to confirm that the requested distribution had come from the Plan participant”—calling out for special attention the change in country of residence, that the immediate cash distribution prior to age 59½ would trigger tax penalties, and that “they failed to contact the International Benefits Department prior to requesting a distribution while residing in a foreign country, despite the Summary Plan Description’s strong recommendation to do so, all should have been red flags that triggered further action to confirm the legitimacy of the distribution request.” Additionally, the suit points out that “the fact that a flurry of attempts to access a Plan account via telephone and online occurred within a short time span, many of which were unsuccessful, should have been a red flag prompting further action.”

The suit also comments that “the South African postal service has been in turmoil for several years, and is known for its lack of security, delays, corruption and mismanagement. Providing a temporary PIN via mail to a foreign address, especially where the security of the mail has not been established, without also notifying the participant of the PIN request via the phone number and/or email address on file, and without also notifying the participant of the request for disbursement of funds via phone and/or email, is not reasonable.”

The suit further claims that the defendants here failed to follow their own procedures, “including but not limited to failing to wait for 14 days after Ms. Disberry’s address was changed before processing and distributing Plan assets.”

Instead, they continue, “Defendants ignored numerous significant red flags, failed to follow their own procedures, and failed to implement reasonable procedures to detect and prevent fraud and theft of Plan assets.”
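The red flags the suit enumerates (a cluster of contact and bank changes shortly before a full distribution request, an address change inside the 14-day hold, and a flurry of failed authentication attempts) can be expressed as checks over an account's event history. The code below is an added illustration, not anything from the suit, Alight or Colgate-Palmolive; the event schema and thresholds are assumptions, and the timeline is constructed from the dates the article gives.

```python
from datetime import date, timedelta

# Constructed account-event log modelled on the sequence the suit describes.
# Dates follow the article; the event kinds and outcomes are an assumed schema.
EVENTS = [
    ("2020-01-29", "pin_mailed", "fail"),   # caller could not authenticate; temp PIN mailed
    ("2020-02-24", "pin_reset", "ok"),
    ("2020-02-24", "phone_change", "ok"),
    ("2020-02-24", "email_change", "ok"),
    ("2020-02-27", "credential_reset", "ok"),
    ("2020-03-02", "login", "fail"),        # failed-attempt dates are constructed
    ("2020-03-04", "login", "fail"),
    ("2020-03-05", "login", "fail"),
    ("2020-03-09", "bank_account_added", "ok"),
    ("2020-03-17", "address_change", "ok"),
    ("2020-03-17", "distribution_request", "ok"),
]

CONTACT_CHANGES = {"phone_change", "email_change", "address_change", "bank_account_added"}


def red_flags(events, window_days=60, address_hold_days=14, fail_threshold=3):
    """Return, per distribution request, the list of red flags it should raise.

    Checks mirror the suit's complaints: churn across several contact/bank fields
    within the look-back window, an address change inside the hold period, and
    repeated failed authentication attempts in the same window.
    """
    parsed = [(date.fromisoformat(d), kind, outcome) for d, kind, outcome in events]
    findings = {}
    for when, kind, _ in parsed:
        if kind != "distribution_request":
            continue
        start = when - timedelta(days=window_days)
        recent = [e for e in parsed if start <= e[0] <= when]
        changed = {k for _, k, o in recent if k in CONTACT_CHANGES and o == "ok"}
        fails = sum(1 for _, _, o in recent if o == "fail")
        flags = []
        if len(changed) >= 3:
            flags.append("contact-info churn: " + ", ".join(sorted(changed)))
        hold_start = when - timedelta(days=address_hold_days)
        if any(k == "address_change" and d >= hold_start for d, k, _ in recent):
            flags.append(f"address changed within {address_hold_days}-day hold")
        if fails >= fail_threshold:
            flags.append(f"{fails} failed authentication attempts in window")
        findings[when.isoformat()] = flags
    return findings
```

Any non-empty flag list is the point at which a human should confirm the request out of band with the contact details that were on file before the changes, which is the control the other two plans in the article applied.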

Other Cases

There have been a number of cases recently that have triggered lawsuits by participants in an effort to recover funds in similar circumstances, including participant accounts at Abbott Laboratories (Split Decisions in 401(k) Theft Suit for Plan Sponsor, RK), Estee Lauder (Recordkeeper, Plan Sponsor Charged in 401(k) Account Theft), MandMarblestone Group (Court Backs TPA Counterclaim on Plan Sponsor in 401(k) Cyber Theft Case) and Boeing (Man Charged with Retirement Account Thefts). What’s also interesting is that the suits typically label the recordkeeper as a fiduciary—a role they generally eschew as an agent of the plan sponsor/fiduciary only—but the suit says that as they controlled plan assets in approving/processing the distribution they had that status. 

Will the court agree? Stay tuned.

NOTE: It’s worth remembering that the Labor Department has issued a set of guidance on the issue of cybersecurity—including a list of “online security tips” for participants included in that guidance. This, of course, is far from the sole instance of such activity, though it is the latest one resulting in capture and arrest. Indeed, recent reports of 401(k) thefts and an ongoing concern about cybersecurity (should) have everybody on the alert. Some have even triggered lawsuits against providers and plan sponsors. Here are some steps you, your plan sponsor clients, and their participants should take—now.  


All comments
Robb Smith
1 year 9 months ago
Excellent commentary. Stay tuned for sure, the best (worst) is yet to come. Our industry has to do better than the "weak" guidance provided by the regulators. I've advocated for years that service providers be designated 'limited' fiduciaries where they have direct and authoritative control over plan assets. If recordkeepers and custodians are not required to retain tighter oversight duties, we can expect ERISA cyber cases to continue to proliferate. IMHO, it is time to put the onus on service providers, as well as sponsors, regarding cyber security liability. A little more urgency than current 'guidance' from regulators wouldn't hurt either.