FEDERAL COURT UPHOLDS 401K PLAN ADMINISTRATOR COUNTERCLAIMS AGAINST CYBER THEFT VICTIM
On May 27, 2020, the United States District Court for the Eastern District of Pennsylvania issued a landmark ruling in the early phases of Leventhal v. MandMarblestone Grp. LLC, Civil Action No. 18-cv-2727, by refusing to dismiss a counterclaim that seeks to hold a victim of cyber fraud responsible for its own poor cyber hygiene. Depending on the ultimate outcome of the Leventhal matter, victims of cyber scams and thefts may be held partly responsible for their poor cyber hygiene.
The Leventhal Sutton & Gornstein Law Firm and its 401K plan (collectively, LSG) filed suit against their plan administrator, MandMarblestone Group, LLC (MMG), and plan custodian, Nationwide Trust Company, for breaching their fiduciary duties under the Employee Retirement Income Security Act of 1974, 29 U.S.C. § 1001, et seq. (ERISA). The LSG Firm "sponsored" the Plan for the benefit of its employees.
On December 31, 2015, Jess Leventhal, a member of the firm with a 401K account, withdrew $15,000 from his Plan account by completing a withdrawal request form, which is the method prescribed by Nationwide. Leventhal then emailed the form to MMG. Subsequently, Nationwide transferred the requested $15,000 to Leventhal from the account.
Sometime after December 31, 2015, "unknown criminal(s)" obtained a copy of Leventhal's original withdrawal form by using an "unknown method of cyber-fraud possibly relating to the electronic transmission of that form." Posing as Leventhal, the criminals sent several fraudulent withdrawal forms to MMG, which appeared to originate from Leventhal's office email account.
The fraudulent withdrawal forms requested that Defendants send the funds to a bank account that did not belong to Leventhal. Nationwide distributed the funds to the bank account designated by the cyber-criminals, even though that account had never previously been authorized or used by Leventhal. Nationwide also failed to authenticate the withdrawal forms and signatures.
Eventually, the criminals drained Leventhal’s account from $400,000 to $0. Neither Nationwide nor MMG contacted Leventhal to verify the authenticity of the withdrawals. Law enforcement officials did not apprehend the criminals or recover the stolen funds. Leventhal’s insurance claims were also denied.
LSG and Leventhal agreed that, like Nationwide and MMG, they too are fiduciaries of the Plan under ERISA. Accordingly, MMG asserted counterclaims against them alleging that their own conduct caused the fraud:
Plaintiffs' own carelessness with respect to their employees and their computer/IT systems and policies, including their decision to permit [an employee] to work remotely from Texas and use her personal e-mail for official employment duties, permitted the cyber-fraud or other criminal fraud to occur. To the extent MMG is liable under ERISA as alleged, Mr. Leventhal, his law partners, and the LSG Firm, are equally liable in their capacity as the named fiduciaries of the LSG Plan.
LSG and Leventhal filed a Motion to Dismiss this counterclaim (and others). However, the Court found that “MMG has satisfactorily pled that Plaintiffs breached their fiduciary duties.”
While the Leventhal matter is far from over, this “carelessness” defense has now shown it can survive early Motions to Dismiss, and it will force plaintiffs, large and small, to defend their internal actions and cyber hygiene policies. Individuals and businesses need to pay attention, as the days of claiming cybersecurity naivety may be over.
Seek professional assistance in setting up corporate policies to prevent these types of incidents.