TD Ameritrade, Charles Schwab, TIAA Latest Victims of MOVEit Breach Lawsuits

Following the cyberattack, which impacted at least 60 million individuals, several major financial services firms are getting hit with litigation.  

Since the data breach at the encrypted file transfer software program MOVEit that occurred in May and hit financial firms, universities, the U.S. federal government and California public retirement systems, several major financial services firms are facing lawsuits.  

One of the most recent complaints was filed on August 28 against Charles Schwab Corp. and its subsidiary, TD Ameritrade Inc., accusing the institutions of failing to immediately notify the approximately 61,160 of their customers who were exposed in the breach.  

Never miss a story — sign up for PLANSPONSOR newsletters to keep up on the latest retirement plan benefits news.

These customers had Social Security numbers, financial account information and other sensitive data exfiltrated by hackers, according to the lawsuit filed in U.S. District Court for the District of Nebraska.  

Keren Jeanfort, of Boynton Beach, Florida, received on or about August 22 a “Notice of Data Breach” letter from “TD Ameritrade Client Services,” dated August 3, the complaint states. Jeanfort claims that the exposure of her private data increases her risk of fraud and identity theft and is seeking recovery for the diminished value of her information and time spent addressing the breach. 

The complaint states that there are individuals completely unaware their personal information has been compromised, and they are at “significant risk of identity theft and various other forms of personal, social and financial harm.” 

Both companies are accused of negligence, unjust enrichment and breach of implied contract. 

A spokesperson from Charles Schwab said in emailed statement, “
Generic and conclusory allegations are often devoid of accuracy and context. Our focus is protecting our clients. We do that by not only standing by them in such matters but by thoroughly investigating any incident that may affect them. Our notification practices are consistent with our mission to see the world through our clients’ eyes and are in keeping with our regulatory obligations.”

A complaint was also filed in the U.S. District Court for the Eastern District of Virginia on Wednesday against Genworth Financial, over allegations that it failed to protect its 2.5 million customers’ data from the breach. Plaintiff April Manar, a Missouri resident, who is asking to represent all the individuals affected by the breach. A spokesperson at Genworth said the company does not comment on pending litigation. 

TIAA, Prudential Lawsuits 

Earlier this month, TIAA was also hit with a lawsuit, which was filed in U.S. District Court for the Southern District of New York. This complaint was brought by Andrew Lopez on behalf of former and current employees of companies that used TIAA to process benefits. Law firm Israel David LLC is representing the plaintiffs.  

Lopez’s complaint claims TIAA failed to properly secure and safeguard personally identifiable information, including individuals’ names, Social Security numbers, genders, dates of birth and physical addresses.  

TIAA had partnered with vendor PBI Research Services, which provides search tools to financial services institutions like TIAA. PBI worked with PSC Software for the storage and transfer of TIAA’s client data entrusted to PBI, and the transfer used PSC’s MOVEit transfer file services for a variety of purposes, including the transfer of participants’ personal information. 

“In undertaking the responsibility, TIAA and PBI were both obligated to only hire vendors who maintain adequate data and security practices and PSC is obligated to ensure that their file transfer systems—like MOVEit—are secure,” the complaint states.  

However, due to vulnerabilities in PSC’s MOVEit software, the complaint states that the personal information entrusted by TIAA to PBI by more than 2.3 million retirees, pension holders and other financial customers was compromised.  

The suit also accuses PBI of not disclosing the data breach to those affected until nearly six weeks after the breach was discovered, and criticizes that the Notice of Breach did not disclose the specifics of the attack or any measures taken to ensure the protection of personal information.  

TIAA did not offer any remediation, according to the suit, but PBI offered 24 months of identity theft protection for victims of the data breach.  

TIAA did not immediately respond to requests for comment.  

Prudential was also recently sued by plaintiff Bruce Parker, who had given the company his personally identifiable information and who accused the company of failing to protect his and other victims’ information. In this case, the plaintiffs are seeking restitution, an award of actual damages, compensatory damages, statutory damages, statutory penalties and attorneys’ fees and costs.  

Prudential offered two years of free credit monitoring services to its more than 320,000 impacted customers; the plaintiff is asking the company to provide 10 years.  

How Plan Sponsors Can Protect Themselves 

Wendy Von Wald, a fiduciary liability product manager at the Travelers Companies Inc., an insurance company based in Hartford, says the overall breach is significant in that MOVEit is a data aggregator with “far-reaching implications,” as opposed to a discrete hit on just one entity. 

“For plan sponsors, it really is a bit of a wake-up call to watch more of their service providers and be more aware of [their] entities who are moving large pieces of data or storing [data],” Von Wald says. 

Von Wald adds that it is important for plan sponsors not only to make sure that service providers have the right protocols and procedures in place, but also that they are carrying the right levels of insurance and have the response capabilities to deal with a breach.  

Plan sponsors themselves also need to ensure that they are properly training their fiduciaries and employees about cybersecurity risks, according to Von Wald.  

Former American Airlines Pilot Doubles Down on ESG Complaint

The plaintiff responds to an American Airlines motion to dismiss by alleging he was, in fact, defaulted into ESG-related funds that underperformed. 

A former American Airlines pilot is continuing a push to collect damages from the airline and its benefits committee for allegedly defaulting him and thousands of other participants into underperforming funds that have a focus on environmental, social and governance investing. 

Plaintiff Bryan P. Spence’s amended complaint in Spence v. American Airlines Inc., filed on Tuesday in U.S. District Court for the Northern District of Texas, looks to rebut arguments made by American Airlines in a motion to dismiss filed in early August. In his amended filing, Spence sets out to prove that 37% of his retirement savings were invested in BlackRock Inc.’s Target Date 2045 fund, which he alleges uses ESG considerations. 
 
“Defendants have included funds in the Plan that are managed by investment managers that pursue nonfinancial and nonpecuniary ESG policy goals through proxy voting and shareholder activism,” the complaint states. “These investment managers have voted for many of the most egregious examples of ESG policy mandates, on issues such as divesting in oil and gas stocks, banning plastics, and requiring ‘net zero’ emissions, which do not contribute to the company’s profitability or increasing shareholders’ returns.”  
 
In its motion to dismiss the case, American Airlines argued that the ESG-linked funds in question were not available in the core investment menu, but rather through the self-directed brokerage window, meaning participants would have had to go in and individually select them. American Airlines also argued that Spence, in fact, had not been invested in the ESG-related funds.  

For more stories like this, sign up for the PLANSPONSOR NEWSDash daily newsletter.

Judge Reed O’Connor had previously slated a trial date to begin on June 24, 2024.  

In the amended complaint, Spence alleges there were “four investment menu options” for participants to choose from, including options managed by BlackRock Inc. and State Street Global Advisors, two firms he argues follow ESG-based investing strategies.  

The complaint points out that Spence had 37.8% of his retirement savings invested in Target Date 2045, managed by BlackRock. The plaintiff then cites various media citations of BlackRock and its chairman and CEO, Larry Fink, discussing the benefit of ESG investing. 

Spence listed the following firms as managing funds in the core investment menu as well, arguing that all follow ESG investment strategies:

  • American Beacon Advisors 
  • TCW Group 
  • Loomis, Sayles & Co. 
  • Artisan Partners 
  • Thompson, Siegel & Walmsley LLC 
  • Morgan Stanley Investment Management 
  • State Street Global Advisors 

“Many of these funds are not branded or marketed as ESG funds; however, the actions of their investment advisors and managers give rise to the same ERISA violations as those funds that do market themselves as ESG funds,” the complaint states. 

By choosing these funds, Spence argues, the American Airlines committee was not following its fiduciary obligation to participants because it was “selecting and retaining poorly performing and more expensive ESG funds as investment options, and by failing to investigate and monitor the fund managers’ proxy voting and shareholder activism.” 

In its request for dismissal, American Airlines argued that Spence’s “inability” to allege that ESG funds were available in the core investment plan lineup, and therefore subject to fiduciary selection and monitoring by the plan committee, was grounds for dismissal of the case. 

The attorneys also argued, however, that an assertion in the complaint that plan fiduciaries should not consider investment products from managers who have cast a proxy vote for an ESG-based policy, regardless of performance, is “as wrongheaded as it sounds.” 

“Acceptance of Plaintiff’s theory would compel ERISA fiduciaries to ignore actual investment performance and instead screen out investment options ‘based on non-pecuniary factors’ (i.e., the manager’s proxy voting record), potentially harming participants by depriving them of access to some of the best performing, most popular, and highest rated funds on the market,” they wrote. 

American Airlines also challenged Spence to provide analysis of the fund performance as compared with other options—something the amended complaint does not do.  

Neither attorneys for either side nor representatives for American Airlines replied to a request for comment.  

Spence is represented by Hacker Stephens LLP and Sharp Law LLP; American Airlines is represented by attorneys with the law offices of Kelly Hart & Hallman LLP and O’Melveny & Myers LLP.  

The American Airlines retirement plan includes agents, management, and support staff employees; Transport Worker Union employees; flight attendants; and pilots, according to the filing. The plan has more than 100,000 participants and approximately $26 billion in assets, the filing noted. 

«