UPDATED DEC. 20, 2021
With cybersecurity of increasing concern to plan fiduciaries, participants—and regulators—a participant has sued his plan’s recordkeeper for breach of an implied contract to keep his data secure—as well as a breach of fiduciary obligation.
The suit was brought by one Eric Giannini “on behalf of individual retirement fund plan participants who used Transamerica’s services and had their sensitive PII accessed by unauthorized parties because of a lapse in network security in or around June of 2021”—alleging “…failure to exercise reasonable care in securing and safeguarding their client’s sensitive information—including names, addresses, Social Security Numbers, and retirement fund contribution amounts, collectively known as personally identifiable information (‘PII’ or ‘Private Information’).”
Plaintiff Giannini claims that he wasn’t notified of the breach until “nearly 4 months after his information[i] was first accessed” and that he “has experienced a number of harms as a result of the Data Breach incident since Transamerica’s systems were accessed, including the misuse of his identifying information for fraudulent purchases.”
The suit claims that the members of the class “will continue to experience various types of misuse of their PII in the coming years, including but not limited to unauthorized credit card charges, unauthorized access to email accounts, and other fraudulent use of their financial information,” and that “there has been no assurance offered from Transamerica that all personal data or copies of data have been recovered or destroyed.” While he acknowledges that Transamerica offered Equifax credit monitoring (two years’ worth), the suit argues that “…does not guarantee the security of Plaintiff’s information,” and that “to mitigate further harm, Plaintiff chose not to disclose any more information to receive these services connected with Transamerica.”[ii]
The suit alleges that “some of the risks associated with the loss of personal information have already manifested themselves,” noting that Giannini received a “cryptically written notice letter from Defendant stating that his information was released, and that he should remain vigilant of fraudulent activity on his accounts, with no other explanation of where this information could have gone, or who might have access to it,” and that “Mr. Giannini has already spent hours on the phone trying to determine what negative effects may occur from the loss of his personal information.” It adds that “in addition to spending time on the phone monitoring his credit accounts, Plaintiff Giannini has also received an influx of spam calls and emails.”
Beyond that he claims to have received notices of purchase requests and applications for services in his name that he has never asked for or ordered, directly affecting his credit and financial record—including one specific reference to a bill related to cellular data equipment that he never ordered. The suit claims that the plaintiffs “did not receive the full benefit of the bargain, and instead received services that were of a diminished value to that described in their agreements with Transamerica”—and that they “were damaged in an amount at least equal to the difference in the value of the services with data security protection they paid for and the services they received.”
The suit argues that the plaintiffs “would not have obtained services[iii] from Defendant had Defendant told them that it failed to properly train its employees, lacked safety controls over its computer network, and did not have proper data security practices to safeguard their Private Information from theft.”
On the issue of credit monitoring, the suit states that the plaintiff “could not trust a company that had already breached his data,” and that the credit monitoring offered from Equifax “does not guarantee privacy or data security for Plaintiff, who would have to expose his information once more to get monitoring services. Thus, to mitigate harm, Plaintiff and class members are now burdened with indefinite monitoring and vigilance of their accounts.” The suit also argues that 24 months of monitoring is not sufficient, and that “while some harm has already begun, the worst may be yet to come.” It further cautions that “identity monitoring only alerts someone to the fact that they have already been the victim of identity theft (i.e., fraudulent acquisition and use of another person’s Private Information)—it does not prevent identity theft.”
Ultimately, the suit explains that “Giannini greatly values his privacy, especially in the administration of his finances, and would not have paid the amount that he did for retirement plan administration services if he had known that his information would be maintained using inadequate data security systems.”
While recordkeepers (and third-party administrators generally) have not been viewed as fiduciaries, this suit crafts an argument that, even if they are not fiduciaries under ERISA, they should be treated as fiduciaries under the law because of what it calls a “special relationship” between Defendant and Plaintiff and class members, “whereby Defendant became a guardian of Plaintiff’s and class members’ Private Information, Defendant became a fiduciary by its undertaking and guardianship of the Private Information, to act primarily for the benefit of its customers, including Plaintiff and class members for the safeguarding of Plaintiff and Class members’ Private Information.”
Transamerica has denied the accuracy of the claims made in the suit. “The allegations in the lawsuit are inaccurate and misleading,” according to a company spokesperson. “At no time did unauthorized individuals gain access to Transamerica’s systems as the lawsuit suggests. The allegations that Transamerica failed to meet legal or regulatory obligations are false. Transamerica is proud of the services we provide to our retirement plan clients, and we will vigorously defend against this lawsuit. We remain dedicated to providing the highest quality of care and security to our customers.”
NOTE: In litigation there are always (at least) two sides to every story. However factual it may turn out to be, the initial lawsuit in any action is only one side, and one generally crafted toward a particular result. In our coverage you'll see descriptions of events qualified with statements such as “the suit says,” or “the plaintiffs allege”—and those qualifiers should serve as a reminder of that reality.
[i] In October 2021, Plaintiff Giannini received a notification letter from Defendant stating that his PII was taken, which included Giannini’s “name, address, Social Security number, and figures related to retirement plan distributions and tax information.”
[ii] There is at least a possible clue that the arguments presented are drawn from other, similar suits (likely against healthcare providers), as at one point it reads: “Plaintiff and class members read, reviewed, and/or relied on statements made by or provided by Transamerica and/or otherwise understood that Transamerica would protect its patients’ Private Information if that information were provided to Transamerica” (emphasis added to “patients’”; Transamerica is a retirement plan recordkeeper, not a healthcare provider).
[iii] The suit claims that Defendant, Plaintiff, and class members entered into implied contracts for the provision of financial services, as well as implied contracts for the Defendant to implement data security adequate to safeguard and protect the privacy of Plaintiff’s and class members’ Private Information.