Alight, Abbott Labs sued over account breach

A participant in the Abbott Labs retirement plan claims that a fraudster emptied her account of $245,000, according to a recent lawsuit filed against the company and the plan’s record keeper, Alight Solutions.

The plaintiff, Heide Bartnett, alleges in her April 3 lawsuit in U.S. District Court in the Northern District of Illinois that the defendants did not enforce certain security protocols that would have prevented her account from being emptied.

The companies “failed to enforce a security question routine set up for security purposes on the defendants’ website … and instead simply provided a one-time code over-the-phone that was used to loot Ms. Bartnett’s account,” the lawsuit reads. “Then, rather than communicating with Ms. Bartnett via email concerning changes to her account, as defendants knew Ms. Bartnett preferred, they mailed notices, allowing the theft to be consummated and $245,000 to be transferred out of the country via email to an Indian IP address before Ms. Bartnett could take any steps to halt the fraud.”

The theft occurred in January 2019, and perpetrators reportedly were able to get the full balance of Bartnett’s retirement account disbursed to them, minus tax withholdings. About $49,000 in withheld taxes was restored to her account, according to the complaint, and about $60,000 was later recovered by a bank and deposited back into her account, the lawsuit notes.

A year ago, Abbott Labs informed Bartnett that it would not make her account whole, according to the complaint. But in December, the company offered to restore 10% of the stolen assets, the plaintiff stated.

Bartnett alleges that the companies breached their fiduciary duty under the Employee Retirement Income Security Act. She is seeking to have her account balance restored, plus interest and attorneys’ fees.

“While we can’t comment on any specific litigation, we take data security and protection of accounts seriously, and are committed to maintaining an aggressive approach to fraud prevention as threats evolve,” an Alight spokesperson said in a statement.

The company regularly communicates with clients about its policies and practices on fraud prevention, the spokesperson said. The communication also includes notices about account credentials being compromised by outside sources, according to Alight.

“We continually evaluate and update our security protocols as the threat landscape evolves to ensure our measures meet or exceed industry standards,” according to the statement. “This includes multi-factor authentication, account alerts via multiple channels and specialized teams available to immediately assist customers who receive alerts for changes they did not authorize.”

Abbott Labs did not immediately respond to a request for comment.

The case follows a settlement last month that Alight, along with Estee Lauder, the plan sponsor, reached with a different participant who reported $99,000 stolen from a retirement account.

The new case might have resulted from the Estee Lauder litigation, said David Levine, principal at Groom Law Group.

The complaint clearly asserts allegations against Alight and Abbott Labs, but the companies certainly have cybersecurity and anti-fraud practices in place, Levine said.

“There is a whole question about the employee’s control of their own email account. That isn’t addressed here,” he said. “This is totally the classic example of ‘Who’s to blame, and is this a blameless breach?’”

Record keepers, which are not plan fiduciaries, for years have dealt with fraud instigated by participants’ former spouses or aggrieved family members who take distributions, Levine noted.

The ongoing issues of cybersecurity and fraud raise questions about the levels of guarantees and protection that record keepers provide, he said. Over the past several years, plan providers have touted guarantees to replenish assets in accounts that are emptied due to cybersecurity breaches.

“The takeaway on this is, what is the account guarantee?” Levine said. That involves a balance between what insurance coverage record keepers and plan sponsors have available and are willing to pay for. That is more salient now than ever as the record-keeping business sees its margins squeezed by competition for low cost.

“Providers are trying to give people comfort. And a lot of time when there is fraud, they do pay out,” Levine said. But, “if you want an ironclad guarantee, you’re going to have a pay a lot for the service.”

Moreover, participants today expect to get access to their account assets quickly and easily, and that can conflict with security measures, he noted.

“There is no standard required here,” Levine said. “The real question is who is responsible in the future. And this is going to continue to evolve.”

DOL investigation

The recent lawsuit is separate from an ongoing Department of Labor investigation. On April 6, the DOL filed a request in court that Alight provide documents related to certain retirement plans.

The investigation, which began last year, resulted from “unauthorized distributions as a result of cybersecurity breaches relating to its ERISA plan clients’ accounts,” the DOL wrote in a court filing. “Alight failed to immediately report cybersecurity breaches and the related unauthorized distributions to ERISA plan clients after its discoveries. In some instances, Alight failed to disclose cybersecurity breaches and unauthorized distributions to its ERISA plan clients for months, if at all.”

A spokesperson for Alight said in an email that “it’s important to know that we have no evidence to suggest any compromise of our systems.”

“We have been working with the DOL to better understand their request, but their specific asks and intent remain broad and unclear," the spokesperson said. “We will continue to work with them to provide necessary information while protecting the privacy of our clients and their people.”