401(k) plan not responsible for an identity theft that emptied a participant's account

[Peter Gulia]

The attached court decision found no responsibility to reinstate a 401(k) account that an ex-wife stole from her former husband.

The participant neglected to change his address in the plan's records when he moved from the marital residence.

The ex-wife used a plan mailing with information about identity-control procedures to change the participant's password.

Comments?

Foster_v_PPG_Industries.pdf

[MoJo]

The attached court decision found no responsibility to reinstate a 401(k) account that an ex-wife stole from her former husband.

The participant neglected to change his address in the plan's records when he moved from the marital residence.

The ex-wife used a plan mailing with information about identity-control procedures to change the participant's password.

Comments?

Hmmmm. I read it. I can't say I like it. I will read it more thoroughly when time permits. Thanks for posting the decision. My question is, why the plan did not report the theft to the criminal authorities (and would that not be a potential "breach" of their fiduciary duty to protect/recover plan assets when they became aware of the activity of the former spouse (who truly had no right to access the account under any theory I'm aware of)? There are several potential criminal violations involved here (including even mail fraud - as she requested a user ID knowing it would come through the mail, and then opened mail addressed to another to obtain the ID).

It would be interesting to see what the court would rule if this situation occurred and the parties were not "ex-spouses" but were rather un-related parties (such as you sell the house to someone and move, but don't change the address). Trust me, we have hundreds (if no thousands) of participants who are "lost" as a result of this happening).

[Guest Alonzo Church III]

The participnt did not sue the spouse, and per some of the footnotes in the decision, did not seem to try too hard to get the money out of her, because he figured he could get the money out of PPG. I wonder if the judge felt that there might have been collusion between the participant and the ex-spouse, and that influenced the decision.

What bothers me is that PPG also did not seem to work too hard at getting the money restored in the account . Would the steps taken by PPG here even meet the standards of EPCRS, when trying to collect an overpayment?

[mbozek]

The participnt did not sue the spouse, and per some of the footnotes in the decision, did not seem to try too hard to get the money out of her, because he figured he could get the money out of PPG. I wonder if the judge felt that there might have been collusion between the participant and the ex-spouse, and that influenced the decision.

What bothers me is that PPG also did not seem to work too hard at getting the money restored in the account . Would the steps taken by PPG here even meet the standards of EPCRS, when trying to collect an overpayment?

Plan did not sue ex because it would be an act of futility. According to the footnote at the bottom of P 5-6 Ms. Foster spent all of the 42k she received. Actions under ERISA are brought in equity (e.g., no jury trials) and plan can only recover specific plan assets that are in the possession of ex-spouse. Since Ex spent the distribution plan recovery would be bupkis -0. Same result if plan pays excess distribution to participant who has $1M in investment assets and loses the entire distribution in Vegas. No recovery because participant spent entire distribution. Plan is not required to waste assets in lawsuit if there is no possibility of recovering distribution.

[Peter Gulia]

While MoJo describes an additional reason why a plan's administrator might decline to reinstate a participant's account, it seems to me that the court's opinion squarely supports a view that - even in the absence of any conspiracy or collusion - neither the plan nor its administrator is responsible if the administrator designed and operated prudent identity and security procedures.

As a part of an explanation that its efforts to seek a return of the plan's money are enough to be prudent in the circumstances, an administrator might support its decisions with its finding that the plan might encounter difficulty proving the theft. In the absence of the thief's admission, some circumstances might involve inconclusive evidence that the human who caused a few sets of digits to be received by the plan's computer was anyone other than the participant.

Moreover, even with solid proof of what happened, a plan's administrator, trustee, or other fiduciary might decide that prudence calls for not spending other participants' accounts to pay for a still uncertain opportunity to obtain an uncertain recovery.

I think that the court's reasoning would support similar findings that the plan's administrator is not responsible in other situations, including Mojo’s moving-out example (whether selling a house or ending a rental).

Is it unfair to make a participant responsible for controlling his or her address and changing his or her password?