Abbott Escapes Retirement Plan Cybersecurity Suit

A federal judge found Abbott defendants were not fiduciaries with regard to the alleged acts, but claims against Abbott's retirement plan recordkeeper were allowed to stand.

Abbott Laboratories defendants have been dismissed from a lawsuit alleging failures related to an employee’s retirement account theft.

U.S. District Judge Thomas M. Durkin of the U.S. District Court for the Northern District of Illinois, however, denied recordkeeper Alight Solutions’ motion to dismiss.

The lawsuit was filed in April by a retiree participant in the Abbott Laboratories Stock Retirement Plan. The lawsuit alleges that failures in website and call center protocols resulted in $245,000 in unauthorized distributions from the participant’s plan account. The complaint specifically alleges the defendants breached their fiduciary duties of loyalty and prudence “by causing, allowing or processing unauthorized distributions of [plaintiff’s] account assets; failing to confirm authorizations for distributions with [plaintiff] before making distributions; failing to provide timely notice of distributions to [plaintiff] by telephone or email; failing to identify and halt suspicious distribution requests, such as requests for multiple distributions to accounts in different banks; failing to establish distribution processes to safeguard the plan’s assets against unauthorized withdrawals; failing to monitor other fiduciaries’ distribution processes, protocols and activities; and related acts and omissions.”

Durkin found that the complaint’s “conclusory statements” failed to sufficiently allege that Abbott Labs was a fiduciary. He said the complaint also fails to allege any fiduciary acts taken by Abbott Labs that link it to the alleged theft. Durkin pointed out that while the complaint alleges that the call center and website were used to perpetrate the theft, it also indicates that both are operated by Alight.

The plaintiff argued that Abbott Labs is a functional fiduciary because all defendants failed to take necessary steps to protect plan assets. But Durkin said that alleging what all defendants failed to do does not establish whether any individual defendant is a fiduciary under the statute. He explained that the plaintiff must sufficiently allege that Abbott Labs meets the statutory definition of fiduciary and that it acted in its capacity as a fiduciary when it took the actions subject to the complaint. Because she didn’t do so, her Employee Retirement Income Security Act (ERISA) breach of fiduciary duty claim against Abbott Labs fails.

Durkin next discussed defendant Marlon Sullivan, who is the administrator and named fiduciary of the retirement plan. For that reason, there is no dispute that he had a fiduciary duty to the plaintiff. The plaintiff contended that Sullivan breached his duty of loyalty because the website misrepresents how plan assets are administered and safeguarded. But, again, Durkin pointed out that the complaint indicates that Alight—not Sullivan or anyone else—operates the website. “The court cannot infer that Sullivan misled plan participants through a website he does not operate,” the judge wrote in his opinion.

As for the plaintiff’s duty of prudence claim against Sullivan, Durkin pointed out that such claims traditionally arise in the context of making investments on behalf of an ERISA plan. The plaintiff does not contend that Sullivan or any other defendant failed to make sound investment decisions on behalf of the plan. However, she asserted that the duty of prudence extends to the “safeguarding of data and prevention of scams.” Durkin said the plaintiff has not pointed to any case law in the 7th U.S. Circuit Court of Appeals that states as much. He pointed out that the complaint does not allege that Sullivan knew about the unauthorized attempts to access the plaintiff’s account, and her account was frozen as soon as she told the call center about the improper withdrawal of funds. “In sum, [the plaintiff] has not alleged that Sullivan breached his duty of prudence,” the judge ruled.

The plaintiff also alleged that Sullivan “fail[ed] to monitor other fiduciaries’ distribution processes, protocols and activities.” Durkin found that allegation to be conclusory, adding that it amounts to “nothing more than speculation.” In addition, he noted that the complaint does not allege any monitoring process between Sullivan and Alight, let alone a defect in that process. “The complaint therefore fails to allege that Sullivan breached a fiduciary duty to monitor. Accordingly, the breach of fiduciary duty claim as to Sullivan is dismissed,” Durkin wrote.

The plaintiff also named the retirement plan as a defendant. Citing previous case law, Durkin said that while a plan may be sued in an action “to recover benefits due” to a participant under ERISA Section 502(a)(1)(B), it cannot be sued as a fiduciary in an action to recover “losses to the plan” under ERISA Section 502(a)(2). He dismissed the breach of fiduciary duty claim brought under ERISA Section 502(a)(2) against the retirement plan.

The plaintiff also named Abbott Corporate Benefits as a defendant and alleged that it is the sponsor of the retirement plan. The Abbott defendants argued that Abbott Corporate Benefits is not a legal entity and that the plaintiff’s allegation that Abbott Corporate Benefits is the plan sponsor is based on a misreading of the plan’s 2018 Annual Return/Report of Employee Benefit Plan Form 5500. That form identifies Abbott Labs as the plan sponsor, not Abbott Corporate Benefits, and lists Abbott Labs’ mailing address as “Corporate Benefits, D-589, AP6B-2, 1000 Abbott Park Road, Abbott Park, Illinois, 60064-6222.” Durkin dismissed the fiduciary duty claim against Abbott Corporate Benefits.

Alight Is a Fiduciary

“Unlike the sparse allegations concerning the Abbott defendants, there are sufficient allegations on the face of the complaint to infer that Alight acted as a fiduciary by exercising discretionary control or authority over the plan’s assets,” Durkin wrote. Alight argued that its actions were purely ministerial, but the plaintiff’s complaint challenged that assertion. “Since competing factual allegations and any reasonable inferences drawn from them must be resolved in favor of the nonmoving party at the pleading stage,” Alight’s factual assertions do not provide a proper basis to dismiss the plaintiff’s claim, Durkin said.

The lawsuit also includes an Illinois Consumer Fraud and Deceptive Practices Act (ICFA) claim against Alight. The ICFA prohibits “unfair or deceptive acts or practices … in the conduct of any trade or commerce.” Alight argued that the ICFA claim should be dismissed because it is pre-empted by ERISA and fails to sufficiently allege a deceptive or unfair act. But Durkin agreed with the plaintiff that it is not pre-empted by ERISA. He said the claim is premised on the allegations that Alight misrepresented the quality of its services and engaged in an unfair business practice, which have little to no bearing on the plan itself.

Durkin further explained that the complaint specifically alleged that Alight made representations online about the quality of its services and that those representations were misleading because Alight failed to protect the plaintiff’s retirement money. It also alleged that Alight engaged in an unfair business practice because it failed to implement proper security procedures online and over the phone, which led to the improper withdrawal of her funds. “The claim therefore seeks recovery for activities that occurred outside the terms of the plan. Accordingly, the ICFA claim is not pre-empted by ERISA,” he wrote in his opinion.

Durkin dismissed the ICFA claim based on a deceptive act. However, he found that the plaintiff sufficiently stated a claim for unfair business practice under ICFA. He said the allegation that Alight failed to protect the plaintiff’s personal information and properly notify her of important changes to her account, as well as the allegation that Alight’s failures allowed the scammer to steal hundreds of thousands of dollars in retirement funds and that proper security measures would have prevented the theft, are sufficient to state an ICFA claim for unfair business practices.