Plan Sponsor Back in Crosshairs of Data Breach Suit

Litigation

A plan sponsor that initially fended off a data breach claim now finds itself confronting an amended version of that suit.

The suit, filed against the fiduciaries of the Abbott Labs retirement plan and Alight Solutions, LLC, the recordkeeper for the plan, alleged that the defendants “failed to enforce a security question routine set up for security purposes on the Defendants’ website”… and “instead simply provided a one-time code over the phone that was used to loot Ms. Bartnett’s account.” And then, “rather than communicating with Ms. Bartnett via email concerning changes to her account, as Defendants knew Ms. Bartnett preferred, they mailed notices, allowing the theft to be consummated and $245,000 to be transferred out of the country via email to an Indian IP address before Ms. Bartnett could take any steps to halt the fraud.” Ms. Bartnett is, of course, the plaintiff in the case.

In early October U.S. District Judge Thomas M. Durkin of the U.S. District Court for the Northern District of Illinois dispensed with the allegations involving the plan fiduciaries, at the time noting “the complaint fails to allege any fiduciary acts taken by Abbott Labs, no less link them to the alleged theft. And while the complaint alleges that the call center and website were used to perpetuate the theft, it also indicates that both are operated by Alight.” Judge Durkin also set aside claims that had been made against Marlon Sullivan, administrator and named fiduciary of the Abbott Labs plan, finding no evidence that Sullivan “misled” or acted contrary to the exclusive purpose of providing benefits to plan participants, nor that he failed to make sound investment decisions on behalf of the plan. He did, however, leave open the claims against Alight, finding “…sufficient allegations on the face of the complaint to infer that Alight acted as a fiduciary by exercising discretionary control or authority over the plan’s assets. And even though Alight argues that its actions were purely ministerial, Bartnett’s complaint challenges that assertion.”

Following that, plaintiff Bartnett filed an Amended Complaint to try to remedy the shortcomings noted by Judge Durkin—but the Abbott Labs defendants now argue (Bartnett v. Abbott Laboratories et al., case number 1:20-cv-02127, in the U.S. District Court for the Northern District of Illinois) that “review of the new allegations reveals that Bartnett has once again failed to identify any facts that support her claims.”

‘Prior Incidents’

The Abbott Labs defendants protest that plaintiff Bartnett “includes allegations of what she claims are ‘prior incidents[i]’ of ‘unauthorized distributions’ by Defendant Alight Solutions, LLC,” but that even if those were deemed sufficient (and, as you might expect, they don’t view them that way), “… (a) most of the alleged ‘incidents’ do not involve unauthorized distributions, and (b) the two that do were publicly disclosed only after Abbott had renewed its contract with Alight, and after the theft of Bartnett’s funds. As a consequence, these new allegations have little to nothing to do with the current dispute, and are certainly not sufficient to sustain breach of fiduciary duty claims against Abbott or Sullivan. Bartnett’s claims against these Defendants should therefore be dismissed, this time with prejudice.”

The defendants also point to a new allegation by Bartnett (who is represented by Todd Rowden, James Oakley and Donnell Bell of Taft Stettinius & Hollister LLP): that after she was told by an Alight representative that she “had received back” all she would get, the Abbott in-house lawyer told Bartnett’s counsel to disregard that statement (“the person who provided information has no authority to speak on the ultimate resolution”) as the matter now rested with her and Abbott’s legal department. The filing notes that, after this exchange, the Abbott in-house lawyer did offer for Abbott to make an additional payment to help Bartnett with her loss, “but Bartnett rejected that offer and filed this lawsuit instead.”

Ultimately, the Abbott Labs defendants argue that the plaintiff fails to state a claim based on the decision to hire, or to renew the contract with Alight, which it first hired in November 2003, since “the alleged incidents all post-date Abbott’s hiring of Alight, and most of them post-date the contract renewal as well.” In sum, “Abbott cannot have breached a fiduciary duty by hiring Aon Hewitt in 2003 based on events a decade later.” As for being a target of hackers, they note that “…if simply being targeted by cyber criminals disqualifies a company from being hired under a duty of prudence, it is likely every large corporation and government agency in the country would fail the test.”

As for those data breaches, the defendants note that the “2015 breaches are the only ones potentially prior to the September 29, 2015 contract renewal, and both were minor. The first involved a manual mailing error by Aon Hewitt of client information to “an unintended recipient,” and the second involved a participant who “inadvertently accessed an embedded bookmark on a file” sent by Aon Hewitt which allowed him to see other participants’ social security numbers.”

“Under Bartnett’s reasoning, it would be impossible for employers to do business with any benefits companies that have had a data breach, which would drive Alight and most of the rest of the financial industry out of business entirely,” they write.

Failure to Monitor

As for the claim that they failed to monitor Alight, the Abbott Labs defendants described this (using the words of Judge Durkin from the previous dismissal) as “wholly conclusory” and “amounts to nothing more than speculation.” Moreover, they note that the duty to monitor is only that it be done at “reasonable intervals”—and “Bartnett still cannot explain how monitoring would have detected, much less prevented, the unauthorized distributions to her identity thief occurring in a two-week span.”

“The only new facts alleged by Bartnett that possibly relate to the duty to monitor,” they write, “are in Paragraphs 56-57 and 59 of her Amended Complaint, where she refers to allegations of unauthorized transfers by Alight in Berman v. Estee Lauder, Case No. 4:19-cv-6489 (N.D. Cal.) and by the Department of Labor in an ongoing investigation of Alight. Again, however, Bartnett fails to recognize the timing of these allegations” (October 2019). The Abbott Labs defendants go on to comment “Bartnett does not allege how Abbott could have known of the complaint’s allegations ten months before it was filed, when Bartnett’s funds were stolen in January 2019. The same is true of the Department of Labor investigation, which did not begin until July 2019 (six months after the theft) and was not made public until April 2020.”

Exhaust ‘Shun’?

Oh, and finally, the Abbott Labs defendants argue that Plaintiff Bartnett has failed to exhaust her administrative remedies under the plan, as outlined in the Summary Plan Description—indeed, they note that “Bartnett admits that she failed to follow this claims and appeals procedure,” that “she and her prior counsel informally negotiated with an Abbott in-house attorney culminating in an offer by Abbott for an additional payment in December 2019, which Bartnett rejected.” However, they note that “those discussions are not a substitute for the formal administrative review process under the Plan,” and “That Bartnett deemed an appeal unlikely to be successful does not make it futile.”

And thus, they conclude “For all of the foregoing reasons, Abbott and Sullivan respectfully request that the Court dismiss Plaintiff’s claims against them with prejudice.”

Will they? Time will tell.


[i] The incidents cited included (1) in 2013, a criminal complaint averred that Alight (formerly known as Aon Hewitt) was “targeted” by a cybercrime ring; (2) in 2015, 2016 and 2019 Alight issued data breach notifications; (3) an October 2019 complaint accused Alight of allowing $99,000 in unauthorized transfers; and (4) the Department of Labor is now investigating Alight. The defendants claim that only the latter two involved allegations of unauthorized distributions, and neither was publicly disclosed until months after the theft of Bartnett’s funds occurred.

 
