Abbott Defendants Again Escape ERISA Cybersecurity Lawsuit

The court rejected claims in the amended complaint that Abbott’s decision to hire Alight Solutions, another defendant in the case, was a breach of the fiduciary duties of prudence and the duty to monitor.

The U.S. District Court for the Northern District of Illinois, Eastern Division, has ruled once again in an Employee Retirement Income Security Act (ERISA) lawsuit involving Abbott Laboratories and the Abbott Laboratories Stock Retirement Plan.

Technically, the latest ruling grants Abbott Lab’s motion to dismiss an amended complaint that was filed in the suit after the court soundly rejected the plaintiff’s initial formulation. The original suit had been filed in April by a retired participant in the Abbott Laboratories Stock Retirement Plan, who alleged that failures in website and call center protocols resulted in $245,000 in unauthorized distributions from her account.

Get more!  Sign up for PLANSPONSOR newsletters.

Back in October, Judge Thomas M. Durkin of the U.S. District Court for the Northern District of Illinois found that the complaint’s “conclusory statements” failed to sufficiently allege that Abbott was a fiduciary. The judge determined the complaint also failed to allege that any fiduciary acts supposedly taken by Abbott linked it to the alleged theft. Durkin pointed out that while the complaint alleged that the call center and website were used to perpetuate the theft, it also indicated that both are operated by a third-party provider.

In briefly restating the background of the case, the ruling notes that, on or about December 29, 2018, an identity thief visited abbottbenefits.com, accessed the plaintiff’s retirement account (which had more than $362,500 at the time) and added direct deposit information for a SunTrust bank account. A few days later, the thief dialed the plan’s customer service phone line and claimed to be the plaintiff. The thief told the customer service representative that she tried to process a distribution online but was unsuccessful.

As the ruling recalls, the service representative responded by reading aloud a home address and asking the thief if she still lived there. The service representative then said that a new bank account—such as the SunTrust account set up a few days earlier—must be on file for seven days before money can be transferred from the retirement account. On January 8, the thief again called the plan’s customer service phone line. The representative did not ask the thief any security questions, the ruling states, opting instead to send a one-time code to the plaintiff’s on-file email address. The plaintiff has no record of receiving that email.

The thief then asked the representative to transfer $245,000 from the plaintiff’s retirement account to the SunTrust account. The representative complied. On January 9, a letter was sent via first-class mail to the plaintiff, advising her of the transfer, which arrived on January 14. She called the customer service phone line on January 15, and the representative immediately froze the plan account.

After restating that information, the ruling notes that the amended complaint seeks to paint Abbott Lab’s decision to hire the third party, Alight, as a breach of the fiduciary duties of prudence and the duty to monitor. These arguments are camped in the suggestion that Alight had been previously involved in cybersecurity incidents.

The ruling addresses the prudence and loyalty arguments separately, and the court finds that both fall flat. On the point of prudence, the court notes the 7th U.S. Circuit Court of Appeals has expressly stated that a plaintiff who brings a breach of fiduciary claim, including one based on imprudence, must “plausibly allege action that was objectively unreasonable.”

“[Plaintiff] fails to do so here,” the ruling states. “Although she claims that the Abbott defendants were imprudent for hiring Alight, the incidents referenced in her amended complaint occurred after Alight was first offered the job. Indeed, Alight was hired in 2003, and the first incident identified by [plaintiff] occurred in 2013. The court cannot infer that the Abbott defendants breached their duty of prudence by hiring Alight in 2003 based on events a decade later. To be sure, [plaintiff] also argues that the Abbott defendant breached their duty of prudence by renewing Alight’s contract in 2015. But [plaintiff’s] claim still fails, because the incidents that pre-date Alight’s rehiring do not give rise to the inference that renewing Alight’s contract was objectively unreasonable.”

The court similarly rejects the arguments based on the duty to monitor.

“The court previously dismissed the duty to monitor claim against the Abbott defendants because the conclusory allegations in [plaintiff’s] original complaint amounted to nothing more than speculation,” the ruling states. “Plaintiff’s amended complaint now contains over a dozen new allegations, and many of them are quite detailed. The problem with the new allegations, however, is that none of them speak to whether the Abbott defendants monitored (or failed to monitor) Alight’s performance vis-à-vis the Abbott Labs Stock Retirement Plan.”

The full text of the ruling is available here.

«