A federal District Court judge in Illinois sided with the U.S. Department of Labor (DOL) in ordering Alight Solutions, LLC, an ERISA plan services provider, to comply with an administrative subpoena seeking documents pertaining to alleged cybersecurity breaches. The Court’s order in the case, Walsh v. Alight Solutions, LLC, Dkt. # 20-cv-02138 (N.D. Ill.), is significant as it mandated production of a great deal of information concerning Alight’s cybersecurity practices, finding Alight’s objections on grounds of irrelevance and burdensomeness insufficient to overcome the DOL’s broad investigatory authority and the presumption that investigative subpoenas should be enforced.

According to the Court’s order, the DOL’s investigation of Alight began back in July 2019 based in part on its discovery that Alight had processed unauthorized distributions from its ERISA plan clients’ accounts as a result of cybersecurity breaches and, further, had failed to promptly report the breaches and restore the unauthorized distributions to the affected accounts. DOL’s subpoena sought documents on a number of topics, including Alight’s cybersecurity policies, procedures, assessment reports, and training of its workforce; its business continuity plans pertaining to information security; and communications or other documents regarding any cybersecurity incident pertaining to its ERISA plan clients, dating back to 2015.

ERISA-covered plans hold millions of dollars or more in assets and maintain a large amount of personal data on participants; such plans can therefore be tempting targets for cyber-criminals. Recognizing this, the Employee Benefits Security Administration (EBSA) of the U.S. Department of Labor issued its first-ever cybersecurity guidance concerning employee benefit plans this spring. Further, in June 2021, just two months after issuing the guidance, government investigators began seeking information from plan sponsors about cybersecurity policies and procedures. While such requests thus far have been limited to ongoing audits, plan sponsors and fiduciaries would be wise to review EBSA’s guidance and implement its suggestions as appropriate.

The EBSA guidance, which is directed to plan sponsors and fiduciaries as well as recordkeepers and plan participants, is set forth in three separate publications.