July 29, 2022 08:00 AM

Cybersecurity in spotlight with participant's suit against Colgate-Palmolive

Courtney Degen

    When Paula Disberry learned that her retirement savings of more than $750,000 had been drained from her account, she felt physically ill.

    "Emotions of disbelief, frustration, and the feeling of being powerless came in waves," Ms. Disberry said in an email. "I was in shock for a number of days but forced myself to focus on the priorities of protecting my remaining assets and trying to recover my retirement savings. That has given me purpose, but the theft is never far from my mind."

    As a result of the alleged theft, Ms. Disberry is suing Colgate-Palmolive Co. and plan fiduciaries, claiming they violated the Employee Retirement Income Security Act via a breach of fiduciary duty. Her case highlights the importance of robust cybersecurity measures in protecting retirement accounts and underscores the need for vigilance from both plan sponsors and record keepers, lawyers say.

    "There are billions of dollars in pension assets that are at risk if there are not broad controls and procedures in place to make sure that accounts are protected," said Robert R. Gower, San Francisco-based director of law firm Trucker Huss APC, which focuses on ERISA and employee benefits cases.

    Ms. Disberry started working for Colgate-Palmolive in 1993 and became eligible for the company's defined contribution retirement plan in 1998. She worked as the global director of customer marketing for three years before leaving the company in 2004. The Colgate-Palmolive Co. Employees Savings and Investment Plan, New York, had $3.4 billion in assets as of Dec. 31.

    According to Ms. Disberry's lawsuit, an individual impersonating her accessed the entire balance in her account in March 2020, after changing much of her account information, including the phone number, email address and address on file.

    Ms. Disberry submitted a claim for her plan benefits in October, but the plan's claims administrator denied her request, according to the lawsuit.

    The defendants "failed to take reasonable steps to protect their plan participants and their plan assets," said Kirsten Scott, lead attorney for the plaintiff and a San Francisco-based partner at Renaker Scott LLP, in an interview. "They were on what seems to be autopilot, oblivious to the multiple red flags that should have triggered scrutiny and further action."

    The lawsuit names the defendants as Colgate-Palmolive's employee relations committee; the plan's record keeper, Alight Solutions LLC; and the plan's custodian, Bank of New York Mellon Corp. However, "where the blame lies is to be fleshed out in discovery," Ms. Scott said.

    Who is responsible for cybersecurity?

    The Department of Labor issued cybersecurity guidance for protecting retirement benefits in April 2021. The guidelines include tips for plan sponsors and fiduciaries on selecting a service provider with strong cybersecurity protocols; best practices for plan fiduciaries and record keepers to manage cyber risks; and online security tips for plan participants and beneficiaries.

    At a conference in October 2021, Ali Khawar, acting assistant secretary of labor for the department's Employee Benefits Security Administration, said cybersecurity attacks could threaten the future of retirement savings altogether.

    "The concern that I have is that for all the work that we've done to encourage people to save, we are one very significant cybersecurity attack from having trust in the system completely dissipate," Mr. Khawar said.

    The SPARK Institute Inc., a non-profit organization that represents record keepers, investment managers and other players in the retirement industry, also developed best practices for fraud control in July 2021, building on the Labor Department's guidance. SPARK divides its practices into seven categories, including authentication, fraud surveillance and customer reimbursement policy. It also issues separate guidance for plan sponsors, participants and record keepers, which Executive Director Tim Rouse said reflects the need for a collective effort on cybersecurity practices.

    "We absolutely believe that it's a shared responsibility," Mr. Rouse said. "So, everyone in that security chain has a role to play."

    But there are often challenges when negotiating contracts with record keepers in determining "who holds responsibility in the event that there is fraudulent access to an account," Trucker Huss' Mr. Gower said.

    In Ms. Disberry's case, there were "at least seven additional phone calls to the benefits information center and at least 11 additional website log-in attempts" involving the individual who accessed her account during the first half of 2020, but these attempts were unsuccessful, the complaint states.

    This highlights why "you have to have employees who are on the lookout for red flags when people call because they're having trouble stealing the money online," said Carol I. Buckmann, a New York-based partner at Cohen & Buckmann PC. "There really needs to be good employee training as well as an adequate system in place."

    According to the lawsuit, the perpetrators also attempted to access Ms. Disberry's funds in two other pension plan accounts but were unsuccessful in both cases. In one case, the plan required a photo ID to distribute funds, and in the other, the plan notified Ms. Disberry via phone and email that her personal information had been altered and also contacted her financial adviser.

    "Other plans were able to put up roadblocks that ultimately were effective whereas the ERISA fiduciaries in this case did not," Ms. Scott said.

    Changes over time

    The retirement industry historically dealt with only family fraud, but that started to change about four years ago, SPARK's Mr. Rouse said. Now, through an increasing number of outside security breaches, individuals have "acquired personally identifiable information about each of us, and (are) using it to then get into individuals' accounts and try to get money out of accounts," he said.

    There has also been an increase in web-based retirement accounts, which can sometimes even be accessed via apps on smartphones, Mr. Gower said.

    Ultimately, the law is lagging in terms of keeping up with changing technology, Ms. Buckmann said.

    "ERISA was adopted in 1974, and nobody had computers or had to worry about this issue," she said. "So, there's nothing specific in ERISA about this."

    Ms. Buckmann said while the Labor Department's guidance does offer some relief, the guidance is not binding, so "it doesn't have the same legal status as regulation."

    "I think the law ought to require (plan sponsors), not just as a best practice, but as a legal matter, to make sure that … there are procedures in place (for) the record keeper to keep that data safe," she said, adding that she would prefer congressional action to binding guidance from the Labor Department.

    The retirement industry is working to keep up with cyberthreats, but the threats change quickly, Mr. Rouse said.

    "As the industry responds to the cybercriminals, cybercriminals are learning things, and adapting and trying new things," he said. "So, it's a constant battle."

    Although things move quickly, the least a company can do is follow the cybersecurity practices it has already established, Ms. Scott said.

    "I think that having robust procedures in place designed to protect plan participants and plan assets from cybersecurity breaches is really important, but then following their own procedures, and kind of being very alert to red flags and breakdowns in the system is critical," Ms. Scott said.

    In Ms. Disberry's case, the complaint states that "defendants failed to follow their own procedures, including but not limited to failing to wait for 14 days after Ms. Disberry's address was changed before processing and distributing plan assets."

    Alight Solutions declined a request for additional comment, but in a previous statement, it said: "We take fraud seriously and once we learned of this fraud incident, we took immediate action, including working with U.S. and South African law enforcement to support their investigations. Our security and fraud detection policies and practices meet or exceed industry standards and have proven effective in thwarting fraudulent activity and staying in front of the constantly evolving threat landscape."

    Officials at Colgate-Palmolive and BNY Mellon could not be reached for comment.

    According to the complaint, Ms. Disberry has resided in South Africa since 2008, including in 2020, when an individual accessed the funds in her account via a mailed check, and later cashed that check at a bank in Las Vegas.

    Ms. Disberry said she worries other Colgate-Palmolive employees could face the same theft she did, and Ms. Buckmann said the case could act as a "deterrent" to individuals participating in these plans.
