October 2, 2022

Volume XII, Number 275

Alight Solutions Must Comply with Subpoena Issued by DOL in Cybersecurity Incident Investigation

A subpoena was issued to Alight Solutions by the U.S. Department of Labor (DOL) for documents related to a cybersecurity breach that potentially resulted in Employee Retirement Income Security Act (ERISA) violations. Alight provides recordkeeping, administrative, and consulting services for over 750 employee benefit plans with more than 20 million plan participants.

The DOL began investigating Alight in 2019 after discovering unauthorized distributions due to security breaches. The DOL stated in its brief to the Seventh Circuit that Alight “failed to disclose those breaches and unauthorized distributions to plan clients for months.” The DOL then began investigating these incidents to determine whether any parties involved in the breaches had violated (or would violate) ERISA (the Employee Retirement Income Security Act of 1974). During the investigation, the DOL issued a subpoena that Alight argued was overly broad and burdensome and that the DOL did not have the authority to issue.

However, the Seventh Circuit ruled that the DOL has broad power to issue subpoenas like this and to investigate non-fiduciaries, even if such entities only service ERISA plans in an administrative capacity. The court agreed with the DOL, stating that the DOL’s authority under the law depends on the information requested and its relation to an actual or potential ERISA violation. Walsh v. Alight Solutions, LLC, No. 21-3290, 2022 WL 3334450 (7th Cir. Aug. 12, 2022).

In the opinion, the court said, “Whether or not Alight is a fiduciary does not affect the department’s investigatory authority [. . .] Even if Alight only has information about another entity’s ERISA violation, the statute grants the department authority to compel its production from Alight. A contrary rule would allow ERISA fiduciaries to avoid liability altogether by outsourcing recordkeeping and administrative functions to nonfiduciary third parties, evading regulatory oversight. Congress did not confine the department’s investigatory power in this manner.” Furthermore, the court stated that “[a]s the [U.S.] Supreme Court has long recognized, Congress incorporated into ERISA ‘a standard of loyalty and a standard of care,’” which means that “the reasonableness of Alight’s cybersecurity services, and the extent of any breaches, is therefore relevant to determining whether ERISA has been violated — either by Alight itself or by the employers that outsourced management of their ERISA plans to Alight.”

Alight also argued that in order to comply with the subpoena it would require thousands of hours of work; however, the court was not persuaded by this argument, stating that Alight did not present evidence that compliance was unduly burdensome. The court said that case law supports the notion that “large production requests are not necessarily unduly burdensome,” but that this holding was narrow in that federal “[a]gencies should not read this result as granting leave to issue administrative subpoenas that are overly cumbersome or that seek information not reasonably relevant to the investigation at hand.”

Copyright © 2022 Robinson & Cole LLP. All rights reserved. National Law Review, Volume XII, Number 231

About this Author

Kathryn Rattigan Attorney Cybersecurity Data Privacy
Associate

Kathryn Rattigan is a member of the firm's Business Litigation Group and Data Privacy + Cybersecurity Team. She advises clients on data privacy and security, cybersecurity, and compliance with related state and federal laws. Kathryn also provides legal advice regarding the use of unmanned aerial systems (UAS, or drones) and Federal Aviation Administration (FAA) regulations. She represents clients across all industries, such as insurance, health care, education, energy, and construction.

Data Privacy and Cybersecurity Compliance

Kathryn helps clients comply...

401-709-3357