Seventh Circuit upholds DOL cybersecurity subpoena against Alight requiring disclosure of client/plan name

On August 12, 2022, the Seventh Circuit Court of Appeals upheld a decision by a lower court in Walsh v. Alight Solutions LLC enforcing (with modifications) an administrative subpoena by the Department of Labor against Alight. The subpoena requires Alight to produce documents in connection with alleged cybersecurity breaches at Alight with respect to the retirement and health plans for which it provides recordkeeping services.

In this brief note on the case, we are going to focus on two of the court’s rulings – upholding DOL’s authority to investigate Alight and cybersecurity breaches and denying Alight’s requested protective order that would have prevented disclosure of “client identifying information” – both of which go to potential exposure of plan sponsors in this investigation and with respect to cybersecurity breaches generally.

To underline this point, consider the following from the court’s decision, requiring production of that client identifying information:

If Alight were to redact the names of its clients and the corresponding plan names, as the company advocates, the Department could not identify which employers may have violated ERISA. (Emphasis added.)

Clearly, the target of this subpoena is not (or not just) Alight, it is Alight’s sponsor clients.

Background

DOL began its investigation of Alight in July 2019, “prompted by a discovery that Alight processed unauthorized distributions of plan benefits due to cybersecurity breaches in its ERISA plan clients’ accounts.” In connection with its investigation, DOL sent Alight an administrative subpoena calling for Alight to produce documents going back to January 1, 2015.

Alight objected to the subpoena on several grounds, including that: DOL lacks authority to investigate Alight because it is not an ERISA fiduciary; DOL lacks authority to investigate cybersecurity incidents; the subpoena is “too indefinite and unduly burdensome;” and the lower court should have issued a protective order with respect to certain sensitive information, including certain client identifying information.

Authority to investigate Alight cybersecurity practices

ERISA section 504(a)(1) provides that, “in order to determine whether any person has violated or is about to violate any provision of [Title I of ERISA]” DOL has the power “to make an investigation, and in connection therewith to require the submission of reports, books, and records, and the filing of data in support of any information required to be filed with [DOL].”

Alight objected to DOL’s subpoena on the grounds that it was not a fiduciary and that DOL was “not authorized to investigate non-fiduciaries.” The court rejected this argument, finding that DOL “has the power to launch investigations ‘in order to determine whether any person has violated or is about to violate any provision of this subchapter or any regulation or order thereunder.’ (Emphasis added). … Even if Alight only has information about another entity’s ERISA violation, the statute grants the [DOL] authority to compel its production from Alight.”

Next, Alight argued that DOL did not have authority under ERISA to investigate cybersecurity issues. The court dismissed this objection on technical grounds (this issue had not been raised with the lower court). But it went on to say that “Alight’s merits argument is unconvincing. As the Supreme Court has long recognized, Congress incorporated into ERISA ‘a standard of loyalty and a standard of care.’”

Thus, in effect, Alight’s cybersecurity issues are ERISA issues:

The reasonableness of Alight’s cybersecurity services, and the extent of any breaches, is therefore relevant to determining whether ERISA has been violated—either by Alight itself, or by the employers that outsourced management of their ERISA plans to Alight. (Emphasis added.)

To connect the dots here, if DOL’s investigation discloses, e.g., a violation of ERISA’s prudence standard, Alight, as a non-fiduciary, might not be liable. But the relevant plan sponsor, who would be a fiduciary, might be.

Protective order

Alight argued that the lower court should have issued a protective order preventing the disclosure of: “(1) ERISA plan participant [personally identifiable information]; (2) confidential settlement agreements; and (3) client identifying information.”

The Seventh Circuit rejected this claim, finding generally that there were sufficient legal protections with respect to sensitive information.

The court’s discussion of its holding that Alight produce “client identifying information” (which Alight had attempted to redact) is particularly important for sponsors:

[T]he Department’s cybersecurity investigation directly implicates this [client identifying] information. If Alight were to redact the names of its clients and the corresponding plan names, as the company advocates, the Department could not identify which employers may have violated ERISA. There is no good cause basis to deny the Department access to this critical information. (Emphasis added.)

Again, the court’s language makes clear that it may be sponsors that are the ultimate litigation target of this investigation.

*     *     *

Cybersecurity is an emerging area of concern, for sponsors, providers, participants, and DOL. Clearly DOL sees possible ERISA prudence issues with respect to cybersecurity breaches. As the Alight subpoena litigation indicates, sponsor-fiduciaries may be held ultimately responsible for provider cybersecurity breaches.

Sponsors will want to review DOL’s 2021 cybersecurity guidance and consult with their own experts and with their providers concerning the adequacy of their providers’ cybersecurity protocols.

We will continue to follow this issue.