As I have noted in prior posts (most recently here), an important concern these days for insurance industry observers and commentators is “silent cyber” — that is, the coverage for cyber-related losses under traditional property and casualty insurance policies, as opposed to purpose-built cyber insurance policies. For example, in one recent case (discussed here), a court found coverage for cyber losses under a business owner’s policy. While the possibility for finding cyber coverage under several other types of coverage is frequently discussed, one line of coverage that is not frequently considered is fiduciary liability coverage. However, a recent lawsuit, in which a corporate benefits plan participant lost funds to a cyber thief, suggests a way in which a cyber loss potentially could trigger a fiduciary liability policy.
The plaintiff’s April 3, 2020 complaint in the action against Abbott Laboratories and other defendants can be found here. An interesting April 16, 2020 memo from the Groom Law Group about the case can be found here.
Heide Bartnett is a retired former employee of Abbott Laboratories. Bartnett is a participant in the Abbott Laboratories Corporate Benefits Stock Retirement Plan, a 401(k) savings plan. Alight Solutions LLC provides contract administration, record-keeping, and information management services for the plan. As of December 31, 2018, Bartnett had a balance of approximately $362,000 in her plan account.
On December 29, 2018, an intruder attempted to access Bartnett’s account through the plan website. The intruder apparently already had possession of the last four digits of Bartnett’s social security number and her date of birth, as well as access to Bartnett’s email account. When attempting to log into Bartnett’s account, the intruder selected the “forgot password” option. The intruder elected to receive a one-time access code via email rather than answer security questions. The intruder used the one-time code provided to access Bartnett’s account. The intruder then changed the account password and added direct deposit information for a Sun Trust bank account. In her subsequent complaint, Bartnett alleged that the notice to her of the changed account information was sent to her via U.S. mail, rather than via email as was her preferred means of communication about the account.
On December 31, 2018, an individual contacted the Abbott Benefits Service Center and told the customer service representative that he had unsuccessfully tried to process a distribution online from Bartnett’s account. The representative told him that a seven-day waiting period applies before funds can be transferred to a newly added account.
On January 8, 2019, an individual contacted the service center to again request a transfer of funds. Before processing the request, a one-time access code was sent to Bartnett’s email account. The code was used to authorize access to the account. The individual requested that $245,000 be sent to the Sun Trust account. The funds were transferred to the Sun Trust bank account. On January 9, 2019, a notice of the funds transfer was sent to Bartnett via U.S. mail, rather than by email.
On January 15, 2019, Bartnett contacted Abbott Corporate Benefits to report that she had discovered that money was missing from her account. She was told to contact police. As a result of the subsequent police investigation, Sun Trust was able to recover approximately $59,000 of the transferred funds. The police investigation also uncovered that the IP address from which Bartnett’s account was accessed was assigned to an individual in India.
On April 3, 2020, Bartnett filed a lawsuit in the Northern District of Illinois against Abbott Laboratories; Abbott Corporate Benefits; Abbott Laboratories Stock Retirement Plan; the individual designated as the plan administrator; and against Alight Solutions. The complaint alleges that the defendants failed to use the level of care, skill, prudence, and diligence required of an ERISA fiduciary to protect Bartnett’s plan assets. The complaint also asserts a claim under the Illinois Consumer Fraud and Deceptive Practices Act. Bartnett seeks to be reimbursed for her lost funds, as well as punitive damages and her attorney fees and costs.
Bartnett’s claims against Abbott Labs and its benefit plan presumptively would trigger the company’s fiduciary liability policy (although to be sure whether or not there would be coverage under the policy would be subject to all of the policy’s terms and conditions). As I noted at the outset of this post, the reason this is interesting to me is that the possibility for finding cyber coverage under a fiduciary liability policy doesn’t come up very often. Fiduciary liability insurance coverage is not usually a part of the “silent cyber” discussion.
How often fiduciary liability insurance might figure in the loss recovery following a cyber security incident is an interesting question. Other claimants in similar circumstances might not assert claims under ERISA, and depending on what actually is alleged, coverage other than the fiduciary liability could be triggered, including even the affirmative coverage under a cyber liability policy.
Bartnett’s claims against Alight Solutions, the contract service provider for the plan, present their own separate set of issues. The claims against Alight potentially might trigger Alight’s E&O coverage, and they might also trigger Alight’s cyber coverage or the company’s crime policy.
One potential issue for Alight is that its employee voluntarily transferred the funds in response to a fraudulent request from an imposter. The question will be whether these events represent “social engineering fraud” and whether it would be covered under the company’s cyber insurance. The question of coverage for social engineering fraud is a hot topic; in some instances, carriers have argued that these types of losses are not covered either under a cyber policy or even a crime policy unless the policies have been specially endorsed to provide affirmative coverage for social engineering fraud (and the coverage afforded for social engineering fraud is usually subject to a sublimit, as well).
As detailed at greater length in the law firm memo to which I linked above, this sequence of events also may have some important loss prevention lessons, particularly with respect to security features controlling account access. The law firm memo suggests that plan fiduciaries may want to evaluate whether there are “other practical practices that could balance the need for accessibility to funds with the protection of plan participants.”
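To make the control gaps in this sequence concrete, here is an added example of my own (not code from Abbott, Alight, or the law firm memo) that models the account timeline as events and scores a distribution request before funds are released. The event model, the field names, and the sample timeline are hypothetical; the dates and the $245,000 amount are taken from the complaint as described above, and the account identifier is a placeholder. It flags three things the narrative exposes: a credential reset that relied only on an email-delivered code, a payout to a destination added only days earlier, and a payout authorized over the same channel that reset the credential. It also shows the notification rule the U.S. mail detail points at: notify the contact details on file before the change, not only the ones the requester supplied.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical event model for a plan-administration platform (my own names,
# not Abbott's or Alight's system).
@dataclass
class AccountEvent:
    ts: datetime
    kind: str            # "password_reset", "payee_added", "distribution_request"
    channel: str = ""    # how the action was authenticated / initiated:
                         # "email_otp", "security_questions", "phone_callback", "web"
    detail: dict = field(default_factory=dict)


def assess_distribution(events, request, lookback_days=30):
    """Decide whether a distribution request may be released automatically.

    Returns ("release", []) or ("hold", [reasons]). A hold means the payout
    must be confirmed over a channel the requester is not known to control,
    e.g. a callback to the phone number on file before any recent changes.
    """
    reasons = []
    window_start = request.ts - timedelta(days=lookback_days)
    recent = [e for e in events
              if window_start <= e.ts <= request.ts and e is not request]

    for e in recent:
        age = (request.ts - e.ts).days
        if e.kind == "password_reset" and e.channel == "email_otp":
            reasons.append(
                f"credential reset {age} days ago relied on an email-delivered code only")
        if (e.kind == "payee_added"
                and e.detail.get("account") == request.detail.get("account")):
            reasons.append(f"destination account was added {age} days ago")

    # If one channel (the mailbox) both reset the credential and authorized the
    # payout, compromise of that single channel defeats every control.
    reset_channels = {e.channel for e in recent if e.kind == "password_reset"}
    if request.channel in reset_channels:
        reasons.append(
            f"payout authorized over the same channel ({request.channel}) "
            f"that reset the credential")

    return ("hold" if reasons else "release"), reasons


def notification_targets(profile):
    """Channels to notify about a high-risk change.

    Always include the contact details that were on file *before* the change
    (and the participant's stated preference), never only the newly supplied
    ones, so the legitimate owner hears about the change promptly.
    """
    targets = set(profile.get("preferred_channels", []))
    targets.update(profile.get("channels_before_change", []))
    return sorted(targets)


def example_timeline():
    """Constructed timeline mirroring the sequence described in the complaint."""
    acct = "NEW-ACCOUNT-PLACEHOLDER"
    reset = AccountEvent(datetime(2018, 12, 29), "password_reset", "email_otp")
    payee = AccountEvent(datetime(2018, 12, 29), "payee_added", "web",
                         {"account": acct})
    request = AccountEvent(datetime(2019, 1, 8), "distribution_request",
                           "email_otp", {"account": acct, "amount": 245_000})
    return [reset, payee, request], request


def benign_timeline():
    """Constructed control case: long-standing payee, no recent credential changes."""
    acct = "LONGSTANDING-ACCOUNT-PLACEHOLDER"
    payee = AccountEvent(datetime(2018, 6, 1), "payee_added", "web",
                         {"account": acct})
    request = AccountEvent(datetime(2019, 1, 8), "distribution_request",
                           "phone_callback", {"account": acct, "amount": 5_000})
    return [payee, request], request


if __name__ == "__main__":
    for label, (events, request) in (("attack", example_timeline()),
                                      ("benign", benign_timeline())):
        decision, reasons = assess_distribution(events, request)
        print(label, decision, *reasons, sep="\n  ")
    print(notification_targets({"preferred_channels": ["email"],
                                "channels_before_change": ["mail", "email"]}))
```

The seven-day waiting period described above delays a payout but does not by itself add a second, independent confirmation; the hold decision here is what would have turned that delay into an opportunity to reach the participant over a channel the intruder did not control.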
One other feature of this lawsuit is that Abbott Labs is being sued for security breaches that occurred at a third-party service provider. Even though it was Abbott’s benefit plan website that the intruder accessed in order to change the password on Bartnett’s account and to set up the Sun Trust bank account, it was personnel at Alight Solutions that allowed the intruder to submit the request for transfer of funds out of Bartnett’s account, and it was the same personnel that actually authorized the transfer to take place. As I noted in my recent discussion of the data breach-related shareholder derivative suit recently filed against Laboratory Corporation of America, which also involved alleged security lapses at or by a third-party service provider, it would likely be an unwelcome surprise to many corporate officials that they could be targeted for liability in a lawsuit for security lapses or breaches taking place at or involving the facilities of a third-party service provider. These two cases highlight the extent to which companies’ potential security breach liability includes potential liability for breaches taking place at their third-party service providers.
The law firm memo also notes that as a result of the economic disruption during the current pandemic, there could well be a flurry of participant activity in benefit plans with respect to distributions, loans, and other account transactions. The memo notes that “it is important to recognize that the uptick in participant distribution and loan activity also presents an opportunity for cybercriminals and fraudsters to take advantage.”
In that regard, it is particularly disturbing to me that the cyber thief who stole Bartnett’s funds clearly was targeting her. Even before he first tried to access her plan account, the thief had already secured access to her email account; had the last four digits of her social security number; and had her birthdate information. The thief’s crime was a staged attack, in which he built toward his assault on her account by assembling key pieces of information before then attempting to steal her funds. The sequence of events underscores the extent of the vulnerability consumers and others face with respect to cybersecurity and the need for vigilance.
Special thanks to a loyal reader for sending me a link to the law firm’s memo.