A federal District Court judge in Illinois sided with the U.S. Department of Labor (DOL) in ordering Alight Solutions, LLC, an ERISA plan services provider, to comply with an administrative subpoena seeking documents pertaining to alleged cybersecurity breaches. The Court’s order in the case, Walsh v. Alight Solutions, LLC, Dkt. # 20-cv-02138 (N.D. Ill.), is significant as it mandated production of a great deal of information concerning Alight’s cybersecurity practices, finding Alight’s objections on grounds of irrelevance and burdensomeness insufficient to overcome the DOL’s broad investigatory authority and the presumption that investigative subpoenas should be enforced.
According to the Court’s order, the DOL’s investigation of Alight began back in July 2019 based in part on its discovery that Alight had processed unauthorized distributions from its ERISA plan clients’ accounts as a result of cybersecurity breaches and, further, had failed to promptly report the breaches and restore the unauthorized distributions to the affected accounts. DOL’s subpoena sought documents on a number of topics, including Alight’s cybersecurity policies, procedures, assessment reports, and training of its workforce; its business continuity plans pertaining to information security; and communications or other documents regarding any cybersecurity incident pertaining to its ERISA plan clients, dating back to 2015.
The Court began its analysis by noting that the broad subpoena power permits DOL to “investigate merely on suspicion that the law is being violated, or even just because it wants assurance that it is not.” Alight nevertheless argued that the subpoena power extends only to ERISA fiduciaries and, as a non-fiduciary, it was not required to respond to the subpoena. The Court flatly rejected that argument, concluding that nothing in the relevant statute or caselaw supported such a claim. Alight also contended that the document requests in the subpoena were “too indefinite.” The Court did not find any of them to be so indefinite that Alight should be relieved of its compliance obligation. In addition, Alight objected to many of the requests on the ground that they sought information not relevant to the investigation, but the Court rejected this argument as well.
Alight further claimed that compliance with the subpoena would be unduly burdensome, requiring “thousands of hours of work just to identify potentially responsive documents” in addition to the time and expense that outside counsel would incur in reviewing, redacting, and producing the materials. Even after the DOL modified the requests to address some of Alight’s concerns, Alight still asserted that the subpoena would require it to pull, review, and produce potentially tens of thousands of documents related to its ERISA business. Weighing the relevance of the requests against the burden on Alight, however, the Court found the balance favored the DOL.
The decision, coming on the heels of the DOL’s detailed April 2021 guidance on cybersecurity for benefit plans and service providers, illustrates that information security continues to be a significant area of concern for the DOL. Indeed, many of the document requests in the subpoena mirror those addressed in the guidance, and the DOL now regularly requests the information in plan audits. Plan service providers and fiduciaries therefore are well advised to review the DOL’s guidance and their cybersecurity practices. For additional information, see the August 6, 2021 post in our ERISA Claim Defense Blog, “Department of Labor Focuses on Cybersecurity for Benefit Plans.”