Cybersecurity – Berman v. Estée Lauder, Inc.: Who is Responsible When Cyber Theft Occurs?

Concern about cybersecurity has grown in recent years as breaches of trusted databases mount.

In 2019, in a breach of Capital One’s database, hackers accessed over 100 million credit card applications. This followed a $700 million settlement against Equifax concerning the 2017 breach of its database, in which hackers accessed 147 million accounts. Although the Capital One incident was one of the most newsworthy breaches last year, smaller-scale breaches happen all the time and have even affected retirement plan recordkeepers.

In the past, when unauthorized withdrawals were made from plan accounts, the recordkeeper was often willing to make the participant whole even when it appeared that all of its security procedures had been followed. However, as electronic theft becomes more common, recordkeepers are becoming less willing to do so.

A case filed in U.S. District Court in California against Estée Lauder will examine how responsibility for electronic theft should be allocated among participants, plan fiduciaries, and service providers. In this case, a hacker made three unauthorized electronic transfers to three different banks from a participant’s account in the Estée Lauder 401(k) plan. These transactions reduced the balance from $90,000 to $3,800.

The recordkeeper, Alight Solutions LLC (formerly Hewitt Associates), refused to take responsibility for the losses. After the participant became aware of the theft through written confirmations and her quarterly statement, she informed Alight’s service center, the police, and the FBI. She completed the affidavit of forgery required by Alight. Ultimately, she was informed that Alight’s investigation of the matter had run its course and that no funds had been recovered.

Interestingly, the Estée Lauder 401(k) plan has not yet been named as a defendant. At this point, when electronic theft occurs from a plan, the responsibilities of plan fiduciaries are not entirely clear. Nonetheless, at a minimum, fiduciaries should review the processes and procedures service providers have in place to protect their systems and confirm that these measures meet industry standards. In addition, plan fiduciaries should review service provider contracts to ascertain that they spell out the respective responsibilities of participants, sponsors, and the service provider in the event of electronic theft.


Securities and investment advisory services are offered solely through registered representatives and investment advisor representatives of Ameritas Investment Corp. (AIC), a registered Broker/Dealer, Member FINRA/SIPC and a registered investment advisor. AIC is not affiliated with Summit Group of Virginia LLP. Additional products and services may be available through Summit Group of Virginia LLP that are not offered through AIC. Representatives of AIC do not provide tax or legal advice. Please consult your tax advisor or attorney regarding your situation.
