A subpoena was issued to Alight Solutions by the U.S. Department of Labor (DOL) for documents related to a cybersecurity breach that potentially resulted in Employee Retirement Income Security Act (ERISA) violations. Alight provides recordkeeping, administrative, and consulting services for over 750 employee benefit plans with more than 20 million plan participants.

The DOL began investigating Alight in 2019 after discovering unauthorized distributions due to security breaches. The DOL stated in its brief to the Seventh Circuit that Alight “failed to disclose those breaches and unauthorized distributions to plan clients for months.” The DOL then began investigating these incidents to determine whether any parties involved in the breaches had violated (or would violate) ERISA (the Employee Retirement Income Security Act of 1974). During the investigation, the DOL issued a subpoena that Alight argued was overly broad and burdensome and that the DOL did not have the authority to issue.

However, the Seventh Circuit ruled that the DOL has broad power to issue subpoenas like this and to investigate non-fiduciaries, even if such entities only service ERISA plans in an administrative capacity. The court agreed with the DOL, stating that the DOL’s authority under the law depends on the information requested and its relation to an actual or potential ERISA violation. Walsh v. Alight Solutions, LLC, No. 21-3290, 2022 WL 3334450 (7th Cir. Aug. 12, 2022).

In the opinion, the court said, “Whether or not Alight is a fiduciary does not affect the department’s investigatory authority [. . .] Even if Alight only has information about another entity’s ERISA violation, the statute grants the department authority to compel its production from Alight. A contrary rule would allow ERISA fiduciaries to avoid liability altogether by outsourcing recordkeeping and administrative functions to nonfiduciary third parties, evading regulatory oversight. Congress did not confine the department’s investigatory power in this manner.” Furthermore, the court stated that “[a]s the [U.S.] Supreme Court has long recognized, Congress incorporated into ERISA ‘a standard of loyalty and a standard of care,’” which means that “the reasonableness of Alight’s cybersecurity services, and the extent of any breaches, is therefore relevant to determining whether ERISA has been violated — either by Alight itself or by the employers that outsourced management of their ERISA plans to Alight.”

Alight also argued that in order to comply with the subpoena it would require thousands of hours of work; however, the court was not persuaded by this argument, stating that Alight did not present evidence that compliance was unduly burdensome. The court said that case law supports the notion that “large production requests are not necessarily unduly burdensome,” but that this holding was narrow in that federal “[a]gencies should not read this result as granting leave to issue administrative subpoenas that are overly cumbersome or that seek information not reasonably relevant to the investigation at hand.”

Kathryn Rattigan


Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.