Seventh Circuit: Alight Solutions Must Respond to DOL Subpoena in Investigation of Cybersecurity Breaches

In Walsh v. Alight Solutions LLC, No. 21-3290, __F.4th__, 2022 WL 3334450 (7th Cir. Aug. 12, 2022), Defendant-Appellant Alight Solutions LLC, a company that provides administrative services for employers who sponsor healthcare and retirement plans, appealed the district court’s grant of the U.S. Department of Labor’s petition to enforce a subpoena related to the DOL’s investigation of alleged cybersecurity breaches at Alight.

On appeal, Alight argued the subpoena is unenforceable because: (1) the Department lacks authority to investigate a non-fiduciary or cybersecurity incidents generally; (2) the subpoena’s demands are too indefinite and unduly burdensome; and (3) the district court abused its discretion by denying Alight’s request for a protective order. The Seventh circuit rejected Alight’s arguments and affirmed the order.

First, the court found that whether Alight is a fiduciary does not impact the DOL’s investigatory authority under 29 U.S.C. § 1134(a)(1). The DOL can launch investigations to determine whether any person has violated or is about to violate any provision of the regulatory provisions. The court also found that Alight waived the argument that the DOL lacks authority to conduct cyber security investigations since it did not challenge the DOL’s authority in the district court. Even if Alight did not forfeit the argument, the court found it unconvincing. “The reasonableness of Alight’s cybersecurity services, and the extent of any breaches, is therefore relevant to determining whether ERISA has been violated—either by Alight itself, or by the employers that outsourced management of their ERISA plans to Alight.”

Second, the DOL’s administrative subpoena was not too indefinite, and Alight has not argued that the subpoena is unclear. The court also found that Alight’s estimate that complying with the subpoena “would require thousands of hours of work” did not demonstrate undue burden. Alight did not estimate the number of documents at issue or the cost of producing the documents. Even if production would require thousands of hours of work, it has not shown why that undertaking is unduly burdensome. It hasn’t shown, for example, that compliance with the subpoena would threaten the normal operation of its business.

Lastly, the court found that the district court did not err by denying Alight’s protective order over plan participant information, confidential settlement agreements, and client identifying information. Even though the information is sensitive, Alight did not show how its disclosure to the DOL would result in disclosure to a third party. “[T]his confidential information is protected from disclosure under the Freedom of Information Act, and 18 U.S.C. § 1905 criminalizes the disclosure of confidential information by federal employees.”