Shortly after the U.S. Department of Labor’s (DOL) Employee Benefits Security Administration (EBSA) issued its cybersecurity guidance for employee retirement plans and updated its audit inquiries to include compliance with these guidelines, a federal court in Chicago ruled an employee benefit services provider must comply with a subpoena requesting, among other things, documents and communications relating to the provider’s information security and cybersecurity plans and controls.
In Walsh v. Alight Solutions, LLC, No. 20-cv-2138 (N.D. Ill. Oct. 28, 2021), the DOL sought enforcement of an administrative subpoena against Alight Solutions (the Company) — a recordkeeping, administrative, and consulting services provider to ERISA plan clients. The agency’s investigation was prompted, in part, by the alleged discovery that the Company had processed unauthorized distributions due to cybersecurity breaches relating to its ERISA plan clients’ accounts, which it had not corrected.
The subpoena called for “all documents” in the Company’s “possession, custody, [or] control” in response to 32 inquiries. These inquiries included specific requests for, among other things, all documents and/or communications relating to the Company’s:
- communications, event logs, and reports of any incident involving information security and/or cybersecurity relating to any ERISA plan clients;
- system penetration testing or other ethical hack reports from the Company, the Company’s service providers, or the Company’s ERISA plan clients (eventually narrowed by the DOL to such testing or reports that relate to any ERISA plan clients);
- information security or cybersecurity controls (including internal cybersecurity procedures and policies, patch management reports, and cybersecurity assessment reports);
- crises management plans and corporate continuity plans relating to information security and/or cybersecurity;
- cybersecurity awareness training; and
- physical access controls, including key cards, biometric controls, and video cameras relating to information security and/or cybersecurity (narrowed by the DOL to controls that relate to any ERISA plan clients).
In determining whether the subpoena should be enforced, the court recognized the Secretary of Labor must demonstrate: (1) the subpoena is within the authority of the agency; (2) the demand is not too indefinite, and (3) the information sought is reasonably relevant to the DOL’s investigation. The court also acknowledged its duty to consider the potential burden of compliance on the Company.
The court squarely rejected the Company’s arguments that the DOL’s subpoena power only extends to ERISA fiduciaries, finding the DOL has broad subpoena power and may investigate “merely on suspicion that the law is being violated, or even just because it wants assurance that it is not.” The court also found that the requests were not too indefinite because the Secretary outlined in 32 paragraphs its specific requests, which it further clarified during litigation. Lastly, the court recognized the requests were relevant to the investigation, as the requests permissibly sought information that may be relevant to whether ERISA violations had occurred.
With respect to the potential burden of compliance, the Company argued that compliance “would require thousands of hours of work just to identify potentially responsive documents” in addition to “the time and expenses outside counsel would incur reviewing, de-identifying, and producing those materials.” Although the court recognized the burden of compliance may potentially be significant, the court ruled the Company must comply with the subpoena and found the burden did not outweigh the potential relevance of the requests, citing EEOC v. Quad/Graphics, Inc., 63 F.3d 642, 648 (7th Cir. 1995) (upholding district court’s enforcement of subpoena in case in which the responding party estimated that compliance would require more than 200,000 hours).
The court also rejected the Company’s request to “de-identify” the data produced so that it did not disclose the ERISA plan involved. The court noted federal law would protect this information from disclosure by the DOL to outside parties.
What are the takeaways from Walsh v. Alight Solutions? First and foremost, it demonstrates that information security and cybersecurity are clearly a new and important area of interest for the DOL. Although not explicitly stated, the inquiries listed in the subpoena suggest the DOL is looking into what providers are doing to safeguard their own systems to address privacy and security, specific documents that describe those safeguards and controls, as well as whether the provider has had any incidents involving cybersecurity relating to its ERISA plan clients. Moreover, Walsh v. Alight Solutions also reminds us that the DOL has broad subpoena power and authority to investigate compliance with the laws enforced by the department, including compliance by ERISA plan service providers. Accordingly, providers (and by extension, ERISA plans) will want to think carefully about their current practices, including their communications and procedures, to address cybersecurity threats.