
Appellate Court Backs DOL in Cybersecurity Subpoena

Practice Management

A federal appellate court says that the Labor Department is allowed to pursue its inquiry into the cybersecurity practices at a large recordkeeper.

Judge Michael B. Brennan (joined in the opinion by Judges Frank H. Easterbrook and Ilana D. Rovner) of the U.S. Court of Appeals for the Seventh Circuit noted that the U.S. Department of Labor was investigating alleged cybersecurity breaches at Alight Solutions LLC and that, as part of its investigation, the Department issued an administrative subpoena. Judge Brennan noted that Alight produced some documents but objected to many of the subpoena's requests[1]. Subsequently, the district court granted the Labor Department’s petition to enforce the subpoena, albeit with some modifications.

Alight argued on appeal that the subpoena is unenforceable because the Labor Department lacks authority to investigate the company, or cybersecurity incidents generally. Alight also argued that the subpoena's demands were too indefinite and unduly burdensome, and that the district court abused its discretion by denying Alight's request for a protective order to limit production of certain sensitive information.

The History

Judge Brennan noted that the Labor Department opened its investigation of Alight in July 2019 “prompted by a discovery that Alight processed unauthorized distributions of plan benefits due to cybersecurity breaches in its ERISA plan clients' accounts,” and that the Labor Department claimed Alight “failed to report, disclose, and restore those unauthorized distributions.” For its part, Alight denied any knowledge of breaches resulting in unauthorized distributions.

After unsuccessful attempts by the parties to resolve Alight's objections, the Labor Department petitioned the district court to enforce the subpoena, while Alight continued to interact with the Department and produced additional materials—though Judge Brennan noted that Alight redacted most of the documents it produced to remove client identifying information, “which prevented the Department from discerning potential ERISA violations.”

Alight then filed a memorandum opposing enforcement of the subpoena, arguing that the Labor Department “lacked the authority to investigate the company because Alight is not a fiduciary under ERISA, the subpoena was too indefinite to enforce and sought documents unrelated to ERISA plans, and enforcement would jeopardize confidential information Alight was contractually obligated to protect,” according to Judge Brennan. Alight also noted that although the subpoena requested documents back to Jan. 1, 2015, Alight was not formed until May 2017. Alight asked the district court to quash the subpoena, or at a minimum to limit the subpoena and enter a protective order permitting redactions. All in all, based on a production sample, Alight's legal consultant projected full compliance with the subpoena would require "thousands of hours of work."

Judge Brennan noted that, ultimately, the district court granted the Department's petition to enforce the subpoena as modified by the Department's reply memorandum. The court found that the Department's investigatory authority was not limited to fiduciaries, and that the requested information was reasonably relevant to the ERISA investigation. It also ruled that the subpoena was not too indefinite, and that Alight's challenge to the indefiniteness of the subpoena related more to the burden of production than the clarity of the production requests. As to Alight's burden of compliance, the court applied the presumption that subpoenas should be enforced and decided that the balance between the relevance of the requested information and the cost of production favored enforcement.

Furthermore, he explained that the district court also declined to enter a protective order. Alight hadn’t formally moved for such an order, but because the court found that the Freedom of Information Act and 18 U.S.C. Section 1905 prohibited the Labor Department from publicizing Alight's confidential information, it concluded that Alight had not shown good cause for redacting the requested documents.

The Appeal

Judge Brennan noted (Walsh v. Alight Sols. LLC, 2022 BL 281317, 7th Cir., No. 21-3290, 8/12/22) that there was no dispute regarding the Labor Department’s ability/authority to issue a subpoena; rather, Alight had challenged it on the basis that the agency lacked the authority to investigate non-fiduciaries and that ERISA does not authorize investigations into cybersecurity issues.

However, Judge Brennan concluded that, “Whether or not Alight is a fiduciary does not affect the Department's investigatory authority. Under 29 U.S.C. § 1134(a)(1), the Department has the power to launch investigations ‘in order to determine whether any person has violated or is about to violate any provision of this subchapter or any regulation or order thereunder.’” He went on to explain that “the statute does not limit the Department's investigatory authority to fiduciaries, or by who receives a subpoena. Instead, as the Department argued, its authority hinges on the information requested and its relation to an actual or potential ERISA violation. Even if Alight only has information about another entity's ERISA violation, the statute grants the Department authority to compel its production from Alight.”

Most significantly, he noted that, “A contrary rule would allow ERISA fiduciaries to avoid liability altogether by outsourcing recordkeeping and administrative functions to non-fiduciary third parties, evading regulatory oversight. Congress did not confine the Department's investigatory power in this manner.”

As for the matter of cybersecurity investigation, Judge Brennan determined that “this argument is forfeited,” explaining that “Alight did not challenge the Department's authority to investigate cybersecurity incidents in the district court,” and that while ultimately the issues raised might involve cybersecurity concerns, the arguments made by Alight were challenges to the notion that the Labor Department could investigate non-fiduciaries. Beyond that, however, Judge Brennan also commented that “the reasonableness of Alight's cybersecurity services, and the extent of any breaches, is therefore relevant to determining whether ERISA has been violated—either by Alight itself, or by the employers that outsourced management of their ERISA plans to Alight.”

Unreasonably Broad?

He also dismissed claims that the subpoena's requests are “too indefinite and unreasonably broad to be enforced in its entirety, without modification,” noting that the lower court had found that the subpoena's modified requests “are reasonably relevant to an investigation of compliance with ERISA.” He also noted that Alight’s estimates of the time required “may be high because it increased its own burden of production by redacting many documents it produced—a practice the district court later disallowed. Such self-imposed measures undermine our confidence that a company's production estimates are accurate.”

“Second,” he commented, “even if we credited Alight's estimates that production would require ‘thousands of hours of work’—an admittedly cumbersome task—Alight has not shown why that undertaking is unduly burdensome. While Alight has explained that it could be difficult to comply with the subpoena, it has not shown, for example, that ‘compliance would threaten the normal operation of [its] business.’”

That said, Judge Brennan cautioned that “agencies should not read this result as granting leave to issue administrative subpoenas that are overly cumbersome or that seek information not reasonably relevant to the investigation at hand.”

As for Alight’s arguments regarding confidentiality, Judge Brennan noted that, “while this information is sensitive, Alight has not shown how its disclosure to the Department would result in the information being revealed to a third party. As the district court observed, this confidential information is protected from disclosure under the Freedom of Information Act, and 18 U.S.C. § 1905 criminalizes the disclosure of confidential information by federal employees. Alight's only attempt to show good cause for the protective order is to note that the Department has experienced some data breaches and cyberattacks in the past. But this generalized concern, which exists for nearly every government subpoena, does not persuade us that the district court abused its discretion, especially when Alight itself is being investigated for alleged cybersecurity breaches that threatened ERISA plan participant information.”

The appellate court affirmed the decision of the district court in requiring that Alight respond to the subpoena.

Footnote

[1] More specifically, Judge Brennan noted that Alight produced a limited number of documents in response to about half of the subpoena's requests, but the company also objected to many of the inquiries, challenging the Labor Department's investigatory authority and purposes, criticizing the subpoena's scope and burden, and emphasizing its duty to keep certain information confidential.