A plan sponsor that initially fended off a data breach claim
now finds itself confronting an amended version of that suit.
The suit, filed against the fiduciaries of the Abbott Labs
retirement plan and Alight Solutions, LLC, the recordkeeper for the plan, alleged
that the defendants “failed to enforce a security question routine set up for
security purposes on the Defendants’ website”… and “instead simply provided a
one-time code over the phone that was used to loot Ms. Bartnett’s account.” And
then, “rather than communicating with Ms. Bartnett via email concerning changes
to her account, as Defendants knew Ms. Bartnett preferred, they mailed notices,
allowing the theft to be consummated and $245,000 to be transferred out of the
country via email to an Indian IP address before Ms. Bartnett could take any
steps to halt the fraud.” Ms. Bartnett is, of course, the plaintiff in the case.
In early October U.S. District Judge Thomas M. Durkin of the
U.S. District Court for the Northern District of Illinois dispensed with the
allegations involving the plan fiduciaries, at the time noting “the complaint
fails to allege any fiduciary acts taken by Abbott Labs, no less link them to
the alleged theft. And while the complaint alleges that the call center and
website were used to perpetuate the theft, it also indicates that both are
operated by Alight.” Judge Durkin also set aside claims that had been made
against Marlon Sullivan, administrator and named fiduciary of the Abbott Labs
plan, finding no evidence that Sullivan “misled” or acted contrary to the
exclusive purpose of providing benefits to plan participants, nor that he
failed to make sound investment decisions on behalf of the plan. He did,
however, leave open the claims against Alight, finding “…sufficient allegations
on the face of the complaint to infer that Alight acted as a fiduciary by
exercising discretionary control or authority over the plan’s assets. And even
though Alight argues that its actions were purely ministerial, Bartnett’s
complaint challenges that assertion.”
Following that, plaintiff Bartnett filed an Amended
Complaint to try and remedy the shortcomings noted by Judge Durkin—but the
Abbott Labs defendants now argue (Bartnett v. Abbott Laboratories et al., case
number 1:20-cv-02127, in the U.S. District Court for the Northern District of
Illinois) that “review of the new allegations reveals that Bartnett has once
again failed to identify any facts that support her claims.”
‘Prior Incidents’
The Abbott Labs defendants protest that plaintiff Bartnett
“includes allegations of what she claims are “prior incidents” of
“unauthorized distributions” by Defendant Alight Solutions, LLC,” but that even
if those were deemed sufficient (and, as you might expect, they don’t view them
that way), “… (a) most of the alleged “incidents” do not involve unauthorized
distributions, and (b) the two that do were publicly disclosed only after
Abbott had renewed its contract with Alight, and after the theft of Bartnett’s
funds. As a consequence, these new allegations have little to nothing to do
with the current dispute, and are certainly not sufficient to sustain breach of
fiduciary duty claims against Abbott or Sullivan. Bartnett’s claims against
these Defendants should therefore be dismissed, this time with prejudice.”
The defendants also point to a new allegation by
Bartnett (who is represented by Todd Rowden, James Oakley and Donnell Bell of
Taft Stettinius & Hollister LLP): that after she was told by an Alight
representative that she “had received back” all she would get, the Abbott
in-house lawyer told Bartnett’s counsel to disregard that statement (“the
person who provided information has no authority to speak on the ultimate
resolution”) as the matter now rested with her and Abbott’s legal department.
The filing notes that, after this exchange, the Abbott in-house lawyer did
offer for Abbott to make an additional payment to help Bartnett with her loss,
“but Bartnett rejected that offer and filed this lawsuit instead.”
Ultimately, the Abbott Labs defendants argue that the
plaintiff fails to state a claim based on the decision to hire, or to renew the
contract with Alight, which it first hired in November 2003, since “the alleged
incidents all post-date Abbott’s hiring of Alight, and most of them post-date
the contract renewal as well.” In sum, “Abbott cannot have breached a fiduciary
duty by hiring Aon Hewitt in 2003 based on events a decade later.” As for being
a target of hackers, they note that “…if simply being targeted by cyber
criminals disqualifies a company from being hired under a duty of prudence, it
is likely every large corporation and government agency in the country would
fail the test.”
As for those data breaches, the defendants note that the
“2015 breaches are the only ones potentially prior to the September 29, 2015
contract renewal, and both were minor. The first involved a manual mailing
error by Aon Hewitt of client information to “an unintended recipient,” and the
second involved a participant who “inadvertently accessed an embedded bookmark
on a file” sent by Aon Hewitt which allowed him to see other participants’
social security numbers.”
“Under Bartnett’s reasoning, it would be impossible for
employers to do business with any benefits companies that have had a data
breach, which would drive Alight and most of the rest of the financial industry
out of business entirely,” they write.
Failure to Monitor
As for the claim that they failed to monitor Alight, the
Abbott Labs defendants described this (using the words of Judge Durkin from the
previous dismissal) as “wholly conclusory” and “amounts to nothing more than
speculation.” Moreover, they note that the duty to monitor is only that it be
done at “reasonable intervals”—and “Bartnett still cannot explain how
monitoring would have detected, much less prevented, the unauthorized
distributions to her identity thief occurring in a two-week span.”
“The only new facts alleged by Bartnett that possibly relate
to the duty to monitor,” they write, “are in Paragraphs 56-57 and 59 of her
Amended Complaint, where she refers to allegations of unauthorized transfers by
Alight in Berman v. Estee Lauder, Case No. 4:19-cv-6489 (N.D. Cal.) and by the
Department of Labor in an ongoing investigation of Alight. Again, however,
Bartnett fails to recognize the timing of these allegations” (October 2019).
The Abbott Labs defendants go on to comment “Bartnett does not allege how
Abbott could have known of the complaint’s allegations ten months before it was
filed, when Bartnett’s funds were stolen in January 2019. The same is true of
the Department of Labor investigation, which did not begin until July 2019 (six
months after the theft) and was not made public until April 2020.”
Exhaust ‘Shun’?
Oh, and finally, the Abbott Labs defendants argue that
Plaintiff Bartnett has failed to exhaust her administrative remedies under the
plan, as outlined in the Summary Plan Description—indeed, they note that
“Bartnett admits that she failed to follow this claims and appeals procedure,”
that “she and her prior counsel informally negotiated with an Abbott in-house
attorney culminating in an offer by Abbott for an additional payment in
December 2019, which Bartnett rejected.” However, they note that “those
discussions are not a substitute for the formal administrative review process
under the Plan,” and “That Bartnett deemed an appeal unlikely to be successful
does not make it futile.”
And thus, they conclude “For all of the foregoing reasons,
Abbott and Sullivan respectfully request that the Court dismiss Plaintiff’s
claims against them with prejudice.”
Will they? Time will tell.