Cybertheft of participant accounts always happens to some other plan sponsor — until it doesn’t and you’re on the hook. Whether or not you’re liable, it’s a disaster waiting to happen. A recent lawsuit in its initial phase, Berman v. Estee Lauder Inc., highlights a position you don’t want to be in (assuming the plaintiff’s allegations hold up) — and what you can do to minimize the chances that you ever will.

The Allegations

The case involves a plan participant who discovered three unauthorized distributions from her 401(k) account, sent to three separate banks, over a three-week period. The three transfers totaled $99,000 and virtually wiped out her account balance.

She learned of the distributions from mailed transaction confirmations and her quarterly account statement. All three fraudulent distributions had occurred by the time she received the first mailed transaction confirmation statement.

The plaintiff claims that her employer (Estee Lauder, Inc.) never reached out to her about the fraudulent distributions after she sounded the alarm. She also claims that neither the plan’s recordkeeper nor the plan’s custodian was responsive to her efforts to recover the lost funds, and that many of her efforts to contact them were ignored.

She says she wasn’t kept apprised of any efforts to recover the funds, and was eventually informed that the investigation was unsuccessful and closed. At the time of the court filing, none of the parties had accepted responsibility for making the plaintiff whole.

The plaintiff had reported the fraudulent distributions not only to Estee Lauder and the service providers, but also local police and the FBI. She did, as requested by the plan custodian, promptly provide affidavits of forgery.

A Checklist

Her allegations against each defendant — the employer (but for unknown reasons not the retirement plan itself), recordkeeper and custodian — read like a checklist of steps plan sponsors and service providers should satisfy. They begin with a general charge of breach of “fiduciary duty of loyalty and prudence” — a breach that resulted in the Lauder plan making unauthorized distributions of the plaintiff’s plan assets.

The allegations themselves set out what can be any employer’s or plan sponsor’s steps to protect both themselves and their participants. This includes:

• Confirming authorization for distributions with the plan participant before making distributions,
• Providing timely notice of distributions to the participant by telephone or email,
• Identifying and halting suspicious distribution requests (suspicions might have been raised by the fact that each distribution went to different banks in short order),
• Establishing distribution processes to safeguard plan assets against unauthorized withdrawals, and
• Monitoring other fiduciaries’ distribution processes, protocols and activities to remain educated about the state of the art of participant protection.

As noted, the case is ongoing. The court could conclude that the recordkeeper isn’t a fiduciary, depending on the extent of its discretionary authority over the plan. Regardless, plan sponsors should clearly understand their own plan management function.

Protect Your Plan and Participants

For plan sponsors, the goal isn’t to evade liability but to prevent fraud through proactive scrutiny of your own processes and those of your service providers. Prioritizing speed of transactions (such as loans and distributions) above prudence in the name of exceeding participant expectations could be asking for trouble.

Be sure to complete your due diligence regarding your service providers’ accounting safeguards such as segregation of duties and personnel background checks. Also, buying cybertheft insurance can help make a victimized plan participant whole and dissuade him or her from resorting to litigation to seek restitution.