January 29, 2023

Volume XIII, Number 29
Federal Court Enforces DOL Subpoena Seeking Information about ERISA Plan Service Provider’s Cybersecurity Program and Incidents with ERISA Plan Clients

Shortly after the U.S. Department of Labor’s (DOL) Employee Benefits Security Administration (EBSA) issued its cybersecurity guidance for employee retirement plans and updated its audit inquiries to include compliance with these guidelines, a federal court in Chicago ruled an employee benefit services provider must comply with a subpoena requesting, among other things, documents and communications relating to the provider’s information security and cybersecurity plans and controls.

In Walsh v. Alight Solutions, LLC, No. 20-cv-2138 (N.D. Ill. Oct. 28, 2021), the DOL sought enforcement of an administrative subpoena against Alight Solutions (the Company) — a recordkeeping, administrative, and consulting services provider to ERISA plan clients. The agency’s investigation was prompted, in part, by the alleged discovery that the Company had processed unauthorized distributions due to cybersecurity breaches relating to its ERISA plan clients’ accounts, which it had not corrected.

The subpoena called for “all documents” in the Company’s “possession, custody, [or] control” in response to 32 inquiries. These inquiries included specific requests for, among other things, all documents and/or communications relating to the Company’s:

  • communications, event logs, and reports of any incident involving information security and/or cybersecurity relating to any ERISA plan clients;

  • system penetration testing or other ethical hack reports from the Company, the Company’s service providers, or the Company’s ERISA plan clients (eventually narrowed by the DOL to such testing or reports that relate to any ERISA plan clients);

  • information security or cybersecurity controls (including internal cybersecurity procedures and policies, patch management reports, and cybersecurity assessment reports);

  • crisis management plans and corporate continuity plans relating to information security and/or cybersecurity;

  • cybersecurity awareness training; and

  • physical access controls, including key cards, biometric controls, and video cameras relating to information security and/or cybersecurity (narrowed by the DOL to controls that relate to any ERISA plan clients).

In determining whether the subpoena should be enforced, the court recognized the Secretary of Labor must demonstrate: (1) the subpoena is within the authority of the agency; (2) the demand is not too indefinite; and (3) the information sought is reasonably relevant to the DOL’s investigation. The court also acknowledged its duty to consider the potential burden of compliance on the Company.

The court squarely rejected the Company’s arguments that the DOL’s subpoena power only extends to ERISA fiduciaries, finding the DOL has broad subpoena power and may investigate “merely on suspicion that the law is being violated, or even just because it wants assurance that it is not.” The court also found that the requests were not too indefinite because the Secretary outlined in 32 paragraphs its specific requests, which it further clarified during litigation. Lastly, the court recognized the requests were relevant to the investigation, as the requests permissibly sought information that may be relevant to whether ERISA violations had occurred.

With respect to the potential burden of compliance, the Company argued that compliance “would require thousands of hours of work just to identify potentially responsive documents” in addition to “the time and expenses outside counsel would incur reviewing, de-identifying, and producing those materials.” Although the court recognized the burden of compliance may potentially be significant, the court ruled the Company must comply with the subpoena and found the burden did not outweigh the potential relevance of the requests, citing EEOC v. Quad/Graphics, Inc., 63 F.3d 642, 648 (7th Cir. 1995) (upholding district court’s enforcement of subpoena in case in which the responding party estimated that compliance would require more than 200,000 hours).

The court also rejected the Company’s request to “de-identify” the data produced so that it did not disclose the ERISA plan involved. The court noted federal law would protect this information from disclosure by the DOL to outside parties.

What are the takeaways from Walsh v. Alight Solutions? First and foremost, it demonstrates that information security and cybersecurity are clearly a new and important area of interest for the DOL. Although not explicitly stated, the inquiries listed in the subpoena suggest the DOL is looking into what providers are doing to safeguard their own systems to address privacy and security, specific documents that describe those safeguards and controls, as well as whether the provider has had any incidents involving cybersecurity relating to its ERISA plan clients. Moreover, Walsh v. Alight Solutions also reminds us that the DOL has broad subpoena power and authority to investigate compliance with the laws enforced by the department, including compliance by ERISA plan service providers. Accordingly, providers (and by extension, ERISA plans) will want to think carefully about their current practices, including their communications and procedures, to address cybersecurity threats.

Jackson Lewis P.C. © 2023 National Law Review, Volume XI, Number 323

About the Authors

Darran E. St. Ange
Associate

Darran E. St. Ange is an Associate in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. His practice focuses on representing employers in workplace law matters, including preventive advice and counseling.

Lesley Pietras
Knowledge Management Attorney

Lesley Pietras is a knowledge management (KM) attorney for Jackson Lewis P.C.’s ERISA Complex Litigation group, and based in the New Orleans, Louisiana, office of Jackson Lewis P.C.

Prior to joining Jackson Lewis, Lesley practiced environmental law at firms in New Orleans and Washington, D.C. She also spent four years serving as a staff attorney with the legal division at the U.S. Court of Appeals for the D.C. Circuit.

Robert W. Rachal
Of Counsel

Robert W. Rachal is Of Counsel in the New Orleans, Louisiana, office of Jackson Lewis P.C. His practice focuses on complex ERISA fiduciary, benefits, and executive compensation litigation, including defending DOL investigations, and on advising ERISA fiduciaries.

His work has included advising fiduciaries and defending, across the country, companies, plan providers and plan fiduciaries in all types of complex ERISA litigation, e.g., from claims ESOP stock was overvalued, to claims 401(k) fees were excessive, or that pension plans owed greater benefits...