A federal District Court judge in Illinois sided with the U.S. Department of Labor (DOL) in ordering Alight Solutions, LLC, an ERISA plan services provider, to comply with an administrative subpoena seeking documents pertaining to alleged cybersecurity breaches. The Court’s order in the case, Walsh v. Alight Solutions, LLC, Dkt. # 20-cv-02138 (N.D. Ill.), is significant as it mandated production of a great deal of information concerning Alight’s cybersecurity practices, finding Alight’s objections on grounds of irrelevance and burdensomeness insufficient to overcome the DOL’s broad investigatory authority and the presumption that investigative subpoenas should be enforced.

According to the Court’s order, the DOL’s investigation of Alight began back in July 2019 based in part on its discovery that Alight had processed unauthorized distributions from its ERISA plan clients’ accounts as a result of cybersecurity breaches and, further, had failed to promptly report the breaches and restore the unauthorized distributions to the affected accounts. DOL’s subpoena sought documents on a number of topics, including Alight’s cybersecurity policies, procedures, assessment reports, and training of its workforce; its business continuity plans pertaining to information security; and communications or other documents regarding any cybersecurity incident pertaining to its ERISA plan clients, dating back to 2015.
Continue Reading District Court Enforces DOL Investigative Subpoena Against Plan Service Provider Concerning Alleged Cybersecurity Breaches