Amid the current work-from-home environment, these are hazardous times for plan sponsors, administrators or any other providers with fiduciary liability that may fall prey to cyber criminals looking to exploit lax protocols.
A case in point involves the apparent theft of more than $400,000 from a lawyer’s 401(k) Profit Sharing Plan by cyber criminals. The plan sponsor originally sued the third-party administrator and plan custodian for cybersecurity breach, only to be counter-sued by the third-party administrator and custodian for contribution and indemnity claims.
Before getting into the counterclaim, let’s review the background from the original suit. In Leventhal v. MandMarblestone Grp., Jess Leventhal and his firm, Leventhal, Sutton & Gornstein (LSG), originally filed suit in 2018 seeking to hold the plan’s TPA, MandMarblestone Group (MMG) and plan custodian, Nationwide Trust, liable for the theft of the entire balance in his 401(k) account. In that complaint, Leventhal argued that MMG and Nationwide should be held liable under ERISA for facilitating fraudulent withdrawals from his 401(k) account by criminals who posed as the office administrator of his law firm. More specifically, among the allegations is that MMG breached its obligation under the plan service agreement by failing to “confirm accurate vesting and eligibility for each distribution under the LSG plan” prior to forwarding the fraudulent distribution requests.
On Dec. 31, 2015, Leventhal prepared a withdrawal request in the format required by Nationwide to withdraw $15,000 from his account in the LSG plan. He then provided that form to the LSG office administrator, who subsequently emailed it to MMG, reportedly using her office email account. At that point, Leventhal received his fund distribution properly and without incident via a wire sent from Nationwide to Leventhal’s bank account.
Separately, the purported cyber criminals were able to obtain a copy of Leventhal’s original withdrawal form—likely via some form of hacking. Thereafter, these individuals apparently posed as the firm’s office administrator, transmitting a series of fraudulent emails that appeared to come from the office administrator’s email and attaching fraudulent withdrawal forms to MMG seeking additional withdrawals from Leventhal’s account.
However, on these occasions, the forms requested that funds be sent to a different bank account—and one that was not Leventhal’s. Over the course of a month, these individuals were able to empty Leventhal’s account in the LSG plan of more than $400,000 without his knowledge.
For its part, the case notes that Nationwide then distributed the funds to the bank account fraudulently designated by the cyber criminals, even though that account did not belong to Leventhal and had never been authorized or used by him previously. What’s more, the agreement with Nationwide reportedly required “an authentic, hard-copy non-reproduced signature of the plan sponsor or plan administrator or administrator firm.” As such, the case alleges that Nationwide was not authorized to distribute plan assets without first confirming the authenticity of the signatures contained on any distribution form it received.
What’s more, the case contends that neither Nationwide nor MMG implemented safeguards “to ensure that a designated receiving bank account was actually correct, authorized and associated with an eligible participant in the LSG plan.” Moreover, it notes that even a “cursory review” of the documents surrounding the fraudulent transfers reveals that the defendants “carelessly failed to notice and investigate the numerous red flags that characterized each of the fraudulent requests submitted by the cyber-criminals.”
As a result, the claims in the original case included alleged breach of contract, breach of fiduciary duty under ERISA and negligence, and asked for pecuniary damages to include compensatory, investment losses and opportunity costs, punitive damages and interest, costs and attorneys’ fees.
The original case is still ongoing, but it was pared back last year. On May 2, 2019, a motion to dismiss filed by MMG and Nationwide was granted, in part, by Judge Mitchell Goldberg of the U.S. District Court for the Eastern District of Pennsylvania, who allowed the ERISA claim to move forward, but dismissed state-law claims of negligence and breach of contract.
Fast forward to today. In response to “answer, affirmative defenses, and counterclaims” by TPA MMG and (custodian) Nationwide, Judge Goldberg ruled May 27, 2020, that counterclaims for contribution and indemnity—which contend that Leventhal as a named plan fiduciary and his firm as the plan sponsor are partly responsible for the theft—can move forward.
The counterclaim alleges, among other things, that the plan sponsor-plaintiffs’ “own carelessness” with respect to their employees and their computer/IT systems and policies—including their decision to permit an employee to work remotely and use personal e-mail for official employment duties—enabled the cyber fraud or other criminal fraud to occur.
More specifically, TPA MMG alleges that plan sponsor-plaintiffs’ careless conduct included their decision to permit an LSG Firm employee, whose email account was eventually hacked and utilized to commit the underlying fraud at issue, to work remotely from Texas and to use her personal e-mail—which according to the complaint turned out to be an AOL account—for her employment duties. The claim further argues that, to the extent MMG is liable under ERISA as alleged, Leventhal and his firm are “equally liable” in their capacity as the named fiduciaries of the LSG Plan.
Leventhal and LSG contend that MMG’s counterclaims for contribution and indemnity should be dismissed based upon precedent holding that ERISA preempts such claims against co-fiduciaries, but MMG argued that dismissal of its counterclaims would be inappropriate given the circuit split and lack of binding precedential authority on this issue.
On those issues, Judge Goldberg agreed with MMG, noting that, while other circuits are divided on the issue, the U.S. Court of Appeals for the Third Circuit has not yet weighed in on whether contribution and/or indemnity claims are viable under ERISA. “District Courts within the Third Circuit ‘have largely concluded that a right of contribution between fiduciaries does exist in the ERISA context,’” Goldberg wrote, further noting that “nothing within the ERISA statute forecloses these types of claims.”
The counterclaim also puts forward the premise that, in the event that it is judicially determined that plaintiffs are entitled to recover on their remaining cause of action against MMG, Leventhal and LSG are alone jointly and severally liable, or liable to MMG by way of contribution or indemnity.
As for the affirmative defenses, however, Judge Goldberg rejected them, noting that MMG’s and Nationwide’s affirmative defenses—seeking to bar or reduce their liability based on co-fiduciary plaintiffs’ alleged proximate cause of the losses—are legally insufficient. “While MMG and Nationwide can pursue claims of contribution and indemnity and resolve any issues regarding causation of losses through their counterclaims, they cannot reduce their joint and several liability owed by ERISA fiduciaries for plan losses through the assertion of such affirmative defenses,” the judge wrote.
The judge did, however, permit Nationwide leave to amend its answer to include counterclaims for contribution and indemnity, consistent with this opinion.
Additionally, on May 30, 2019, Nationwide filed a third-party complaint against the alleged cyber criminals who defrauded the plan, contending that the defendants conspired and fraudulently withdrew the funds from the retirement account, which spurred the present litigation, but Judge Goldberg rejected that complaint as well. The judge noted, among other things, that the third-party complaint falls short of the requisite pleading standard and fails to allege that the Texas defendants are either fiduciaries or “parties in interest” to the plan. He also ruled that allowing the third-party complaint would “unduly complicate the action by introducing the extraneous questions of remedies permitted in the third-party action.”
This is not the first time that the immediacy of account access, coupled with a decidedly slower process of transaction confirmations, has produced litigation, or where a customer service center operation has played a role and been a party to it (see Recordkeeper, Plan Sponsor Charged in 401(k) Account Theft). While there has certainly been a growing concern about cybersecurity risks, there have also been recent cases in which individuals within the sponsoring employer, and others in which TPA or recordkeeping staff, have taken advantage of their access to misappropriate funds.
As for this case, the ruling here is merely a determination by the court that the arguments presented are sufficient to support consideration of the claims, rather than an adjudication of those claims on the merits. While this case involves activities that occurred well before the current pandemic-induced working-from-home environment, it should serve as a reminder of the need to ensure that authentication and approval protocols are sufficient to meet the growing threats of those who are constantly striving to steal from our retirement.