Alight Solutions Must Comply with Subpoena Issued by DOL in Cybersecurity Incident Investigation
A subpoena was issued to Alight Solutions by the U.S. Department of Labor (DOL) for documents related to a cybersecurity breach that potentially resulted in Employee Retirement Income Security Act (ERISA) violations. Alight provides recordkeeping, administrative, and consulting services for over 750 employee benefit plans with more than 20 million plan participants.
The DOL began investigating Alight in 2019 after discovering unauthorized distributions resulting from security breaches. The DOL stated in its brief to the Seventh Circuit that Alight “failed to disclose those breaches and unauthorized distributions to plan clients for months.” The investigation sought to determine whether any parties involved in the breaches had violated (or would violate) ERISA (the Employee Retirement Income Security Act of 1974). During the investigation, the DOL issued a subpoena; Alight argued that the subpoena was overly broad and burdensome and that the DOL lacked the authority to issue it.
However, the Seventh Circuit ruled that the DOL has broad power to issue subpoenas like this and to investigate non-fiduciaries, even if such entities only service ERISA plans in an administrative capacity. The court agreed with the DOL, stating that the DOL’s authority under the law depends on the information requested and its relation to an actual or potential ERISA violation. Walsh v. Alight Solutions, LLC, No. 21-3290, 2022 WL 3334450 (7th Cir. Aug. 12, 2022).
In the opinion, the court said, “Whether or not Alight is a fiduciary does not affect the department’s investigatory authority [. . .] Even if Alight only has information about another entity’s ERISA violation, the statute grants the department authority to compel its production from Alight. A contrary rule would allow ERISA fiduciaries to avoid liability altogether by outsourcing recordkeeping and administrative functions to nonfiduciary third parties, evading regulatory oversight. Congress did not confine the department’s investigatory power in this manner.” Furthermore, the court stated that “[a]s the [U.S.] Supreme Court has long recognized, Congress incorporated into ERISA ‘a standard of loyalty and a standard of care,’” which means that “the reasonableness of Alight’s cybersecurity services, and the extent of any breaches, is therefore relevant to determining whether ERISA has been violated — either by Alight itself or by the employers that outsourced management of their ERISA plans to Alight.”
Alight also argued that complying with the subpoena would require thousands of hours of work; the court was not persuaded, however, stating that Alight had not presented evidence that compliance was unduly burdensome. The court said that case law supports the notion that “large production requests are not necessarily unduly burdensome,” but noted that its holding was narrow: federal “[a]gencies should not read this result as granting leave to issue administrative subpoenas that are overly cumbersome or that seek information not reasonably relevant to the investigation at hand.”