A recently filed ERISA case raises extremely troubling questions about the safety of 401(k) plan participant account assets and the proper allocation of financial responsibility when account assets are stolen. In Berman v. Estee Lauder Inc., No. 3:19-cv-06489 (N.D. Cal. filed Oct. 9, 2019), a “term vested” participant in the Estee Lauder Companies 401(k) Savings Plan alleges that her account balance, which stood at more than $90,000 in June of 2016, was reduced to a mere $3,800 by a series of three unauthorized withdrawals in September and October of that year. Each such withdrawal involved an electronic transfer of funds to a different bank. The Complaint alleges a Kafkaesque set of facts under which an innocent plan participant’s account balance is depleted almost entirely, where most of the plan’s fiduciaries and service providers are allegedly either non-communicative or minimally communicative, and where no one has stepped forward to accept financial responsibility and reimburse the losses.
We expect that the proceedings in this case will be of interest to both the plan sponsor and recordkeeping service provider communities, as 401(k) plans are confronting an increase in the number of attempts by criminals to impersonate plan participants and abscond with 401(k) account balances.
The case alleges that the Estee Lauder 401(k) Plan, acting through its recordkeeper, Alight Solutions LLC (formerly Hewitt Associates, LLC), processed a series of three unauthorized distributions from the plaintiff’s account in the amounts of $12,000, $37,000 and $50,000, respectively, over the course of approximately three weeks beginning on September 29, 2016 and ending on October 18, 2016. The participant alleges that she learned of the transactions after the fact, through a combination of mailed transaction confirmations and her third quarter 2016 account statement.
The Complaint recites that, although the participant immediately notified the recordkeeper’s customer service center of the issue, reported the unauthorized distributions to her local police department and the FBI, and completed affidavits of forgery requested by the plan’s custodian, she was ultimately informed by the recordkeeper’s customer service center that the investigation had run its course, that none of the missing funds had been recovered, and that her plan account would not be reimbursed. Moreover, the participant alleges that no representative of either Lauder, Inc. or the plan’s Benefits Committee ever contacted her concerning the theft. It is also alleged that contact from the plan’s custodian was limited; no further custodian contact took place following submission of the forgery affidavits.
The lawsuit asserts that each of the defendants breached fiduciary responsibilities of loyalty and prudence owed under ERISA by allowing the unauthorized distributions and by failing to detect and halt the fraudulent distribution requests. The participant seeks restoration of the amounts missing from the participant’s account, together with investment earnings and reasonable attorneys’ fees.
Although the Complaint provides only the plaintiff’s version of the facts, the allegations suggest that each of the named defendants may have concluded it had not breached a duty of care in processing the allegedly fraudulent distributions and felt no obligation to restore or to participate in a restoration of the account balance. The Court will need to consider, among other things, whether the plan’s recordkeeper acted as a fiduciary by processing the fraudulent distributions through its call center or website and, if so, whether a duty was breached by its failure to detect the fraud. For the 401(k) plan industry as a whole, the facts of this case expose some ugly truths about the potential vulnerability of 401(k) plan assets to theft.
A number of recordkeepers routinely restore 401(k) account balances that have been fraudulently withdrawn even though the recordkeeper believes it followed all of its security procedures in processing the withdrawal. In such cases, the fraudsters typically have acquired sufficient amounts of personal information about the participant to penetrate security protocols. This case suggests that, at least for some plan service providers, the willingness to cover fraudulent withdrawals may have run out.
Importantly, it is worth noting that the plaintiff could have, but has not yet, named the plan itself as a defendant in a claim for benefits under section 502(a)(1)(B) of ERISA. In this regard, the plaintiff could claim that the plan itself is liable for the full $90,000 of account benefits that was reported on her mid-year 2016 account statement. If such a claim were brought, it could raise additional questions as to how a 401(k) plan should allocate fraud losses among all of the remaining participants in the plan.