A most basic precept of the law is the attorney-client privilege. A litigant being able to speak freely and completely with his or her counsel without the fear of the conversation being revealed has been a cornerstone of American jurisprudence.

Although the concept of the attorney-client privilege is recognized in ERISA matters, it is modified by the fiduciary exception. Most communications between fund counsel and a fund are directed to a plan administrator with rarely any communication directed to participants and/or beneficiaries. However, it is those participants and the beneficiaries who are the clients. The fiduciaries and administrators are not the “client” personally but only in their representative roles.

In addition, the subject matter of the communication determines the privilege and if disclosure to plan participants and beneficiaries (the “client”) is required. The subject matter dealing with a fiduciary function is neither privileged nor protected from disclosure to participants and beneficiaries. Fiduciary functions include plan management or administration. In contrast, communications relating to settlor functions (including plan design, amendments, or modification) do not require disclosure to participants or beneficiaries.

Specific procedures should be established by fund counsel to minimize errors involving communications with fund administrators or trustees. If a participant or beneficiary files a lawsuit and the cause of action involves a fiduciary function, communications between the plan administrator and other fiduciaries and counsel may have to be disclosed in litigation.

A California district court recently foreclosed a former independent contractor’s claims for benefits from ERISA-governed plans when it found that plaintiff was not a “participant” as defined by ERISA and thus did not have statutory standing to assert his ERISA claims. Alders v. YUM! Brands, Inc., No. 8:21-cv-01191-PSG-DFM (C.D. Cal. Feb. 1, 2022).

After working for 25 years as an independent contractor, plaintiff filed suit claiming that he had been misclassified as an independent contractor and, as a result, was wrongfully excluded from defendants’ various retirement plans. Defendants moved to dismiss the claims, in part on the grounds that plaintiff lacked statutory standing under ERISA because he was not a participant in the plans.

The court agreed with defendants and dismissed the claims. The court explained that only plan participants, beneficiaries, fiduciaries, and the Secretary of Labor are entitled to bring claims under ERISA Section 502(a). “Participant” was the only possible fit for plaintiff but did not apply here because a former employee claiming participant status must have a colorable claim to benefits, not just allege in a conclusory manner, as plaintiff did, that he should have been a participant. Further, plaintiff’s own complaint contradicted the allegation that he was a participant in the plans as it repeatedly stated that he was excluded from participating in defendants’ retirement plans. As such, plaintiff lacked the right to sue and his claims were dismissed.

A Massachusetts district court recently ordered defendants in an ERISA fiduciary breach case to produce certain communications with their in-house and outside counsel, rejecting defendants’ argument that the communications occurred in the context of attorneys advising a 401(k) plan’s sponsor and fiduciaries as to their potential fiduciary liability. In re GE ERISA Litig., 2022 U.S. Dist. LEXIS 16586 (D. Mass. Jan. 26, 2022).

The parties’ discovery dispute arose in one of the many class action lawsuits pending against 401(k) plan sponsors and fiduciaries concerning the management of their 401(k) plans. During the course of discovery, defendants withheld communications with their attorneys regarding their 401(k) plan’s investment policy, investment directives, and fiduciary committee charters on the basis of attorney-client privilege. Plaintiffs moved to compel production, arguing that the documents were not privileged due to the fiduciary exception to the attorney-client privilege. Under that doctrine, courts have held that legal advice to plan fiduciaries about plan administration is not protected by attorney-client privilege because such advice is given to the plan fiduciaries on behalf of and for the benefit of the plan participants, thus it is not proper to shield such communications from participant view.

Defendants argued that the communications fell into one of the exceptions to the fiduciary exception, wherein attorney-client privilege re-attaches to communications if the legal advice relates to the plan fiduciaries’ personal liability. In particular, defendants argued that attorneys reviewed plan documents, like investment policies and charters, to advise the fiduciaries on the risk of fiduciary liability given the increasing frequency of 401(k) litigation against employers.

The district court ordered the communications to be produced and differentiated between attorney review based on pending or anticipated litigation, which is privileged, and review based on “a general fear of liability,” which is not privileged. The court was “not persuaded that the prevalence of other 401(k) litigation during the relevant time period is a specific enough litigation risk” to trigger the protection of attorney-client privilege because “guarding against a generalized risk of litigation is a fiduciary duty and does not create a divergence between the interests of the fiduciaries and Plan beneficiaries,” and allowing a fiduciary to fall back on the excuse would cause the fiduciary exception to “cease to function as intended.”


Yesterday, the Supreme Court issued its unanimous decision in Hughes v. Northwestern University, No. 19-1401, just one of more than 150 similar class action suits filed around the country in the last few years. The case was brought by retirement plan participants alleging that plan fiduciaries breached their duties under ERISA relating to recordkeeping and investment fees charged to plan participants. Specifically, plaintiffs alleged that Northwestern breached its ERISA-imposed duty of prudence by (1) paying excessive recordkeeping fees (using multiple recordkeepers and allowing recordkeeping fees to be paid through revenue sharing); and (2) offering mutual funds with excessive investment management fees.

The district court granted Northwestern’s motion to dismiss, and the Seventh Circuit affirmed. Regarding the recordkeeping claim, the Seventh Circuit found no ERISA violation, explaining that ERISA does not require a sole recordkeeper, and that there is “nothing wrong – for ERISA purposes – with plan participants paying recordkeeper costs through expense ratios” under a revenue sharing agreement.

The Seventh Circuit also rejected the excessive investment fee claim, concluding that the types of funds plaintiffs wanted (low-cost index funds) were available to them, thus “eliminating any claim that plan participants were forced to stomach an unappetizing menu.”

Plaintiffs appealed to the Supreme Court, which granted certiorari to address this question: “[w]hether allegations that a defined-contribution retirement plan paid or charged its participants fees that substantially exceeded fees for alternative available investment products or services are sufficient to state a claim against plan fiduciaries for breach of the duty of prudence under ERISA.”

In a unanimous decision authored by Justice Sotomayor (minus Justice Barrett, who recused herself because she sat on the Seventh Circuit at the time it decided the case), the Supreme Court held that the Seventh Circuit erred in affirming the district court’s dismissal of the claims. Importantly, the Court did not decide whether plaintiffs had plausibly alleged a violation of the duty of prudence. Instead, the Court vacated the judgment of the Seventh Circuit and remanded the case for further analysis.

With respect to the excessive investment fee claim, the Court relied on its 2015 decision in Tibble v. Edison Int’l, 575 U.S. 523 (2015), maintaining that plan fiduciaries have a duty to “conduct their own independent evaluation to determine which investments may be prudently included in the plan’s menu of options” and to “remove an imprudent investment from the plan within a reasonable time.” As such, the Hughes Court found it was not a defense that the plan offered low-cost index funds (“the types of funds plaintiffs wanted”) in addition to the challenged funds. Holding that “[t]he Seventh Circuit’s exclusive focus on investor choice elided this aspect of the duty of prudence,” the Court vacated the decision in favor of Northwestern and remanded to the Seventh Circuit to “reevaluate the allegations as a whole … consider[ing] whether [plaintiffs] have plausibly alleged a violation of the duty of prudence as articulated in Tibble.”

The Court’s stance on the recordkeeping claim is less clear. It appears to have lumped that claim in with the investment claim when referring to the application of Tibble. But Tibble did not address recordkeeping fees, and recordkeeping fees are not always a function of investment choices.

Although remanding the case, the Court took time to stress that the pleading standards set forth in Ashcroft v. Iqbal, 556 U.S. 662 (2009), and Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007), continue to apply to Rule 12(b)(6) motions in these cases. Equally important, the Court cited to its more recent decision in Fifth Third Bancorp v. Dudenhoeffer, 573 U.S. 409, 425 (2014). There, the Court endorsed rigorous application of the 12(b)(6) pleading standard to protect plan fiduciaries from meritless, hindsight claims that second-guess fiduciary decisions, and to avoid “the threat of costly duty-of-prudence lawsuits.”

Relying on Dudenhoeffer, the Hughes Court explained that “the appropriate inquiry” into whether investment options and fees are prudent “will necessarily be context specific.” As such, the Hughes Court recognized that “[a]t times, the circumstances facing an ERISA fiduciary will implicate difficult tradeoffs, and courts must give due regard to the range of reasonable judgments a fiduciary may make based on her experience and expertise.”

Moving forward, trial courts, including the Hughes district court, are tasked with weighing these or similar allegations against a “context specific” backdrop, taking into account the fiduciary’s reasonable options and decisions, and disallowing claims based on hindsight and second guessing. Context in these cases should include, among other things, what options were available and when, whether comparators offered by plaintiffs are identical to the funds selected by plan fiduciaries, and whether funds were selected because revenue sharing was available with those funds to offset recordkeeping fees, etc.

The Eleventh Circuit recently affirmed an Alabama district court’s decision granting summary judgment in favor of Allstate Insurance Company in a consolidated ERISA class action challenging Allstate’s decision to stop paying premiums on retired employees’ life insurance policies. Klaas v. Allstate Ins. Co., 2021 U.S. App. LEXIS 38473 (11th Cir. Dec. 28, 2021).

For many years, as part of its employee welfare benefit plan, Allstate offered employees who met certain qualifications life insurance that continued into retirement. Beginning in 1990, Allstate distributed summary plan descriptions (SPDs) to its employees, describing the retiree life insurance benefits as “provided at no further cost” to the retiree. At times, Allstate also made representations to employees, both orally and in writing, that their retirement life insurance benefits were “paid up” or “for life.” However, the SPDs also contained (1) reservations of rights, which reserved to Allstate the right to change, amend, or terminate the plan at any time; and (2) “no vesting” provisions stating that neither participants nor beneficiaries had any vested rights in the plan’s benefits.

In 2013, as a cost reduction measure, Allstate informed former employees who retired after 1990 that it would stop paying the premiums on their life insurance policies at the end of 2015. One putative class of retired employees filed suit in September 2013 and the other filed suit in March 2015. Both proposed classes alleged that Allstate violated ERISA § 502(a)(1)(B) by cancelling the insurance benefits, and that it violated its fiduciary duty under ERISA § 502(a)(3) by making written and oral misrepresentations about the benefits. After extensive discovery, the district court granted summary judgment in Allstate’s favor on both claims. Plaintiffs appealed and the Eleventh Circuit affirmed.

Beginning with plaintiffs’ claims under ERISA § 502(a)(1)(B), which allows a participant or beneficiary to bring suit “to recover benefits due to him under the terms of his plan,” the Eleventh Circuit focused exclusively on the SPDs’ reservations of rights and “no vesting” provisions. SPDs, the opinion noted, are “the statutorily established means of informing participants of the terms of the plan and its benefits,” and are construed according to general rules of contract interpretation. Because the SPDs unambiguously gave Allstate the right to change, amend, or terminate the plan at any time, and expressly clarified that employees had no vested rights under the plan, the appellate court agreed with the district court that plaintiffs failed to establish that benefits were actually “due” under “the terms of the plan” for purposes of ERISA § 502(a)(1)(B).

As for plaintiffs’ breach of fiduciary duty claims, the Eleventh Circuit found them time barred by ERISA § 413, a statute of repose (not limitations) which generally bars claims for breach of fiduciary duty after the earlier of (1) six years of the breach or (2) three years after the earliest date on which the plaintiff had actual knowledge of the breach. ERISA § 413 provides an exception, however, for breach of fiduciary duty claims based on “fraud or concealment,” in which case the repose period is six years and runs from “the date of discovery of such breach or violation.”

The Eleventh Circuit applied the six-year period running from the breach and concluded that any action by Allstate that could give rise to a breach of fiduciary duty claim took place outside of the repose period. Regardless of whether the plaintiffs were misled, the record confirmed that Allstate last made representations about benefits being either “paid up” or “paid for life” in 2006. The first class of plaintiffs did not file suit until 2013, and the second class of plaintiffs did not file suit until 2015. Hence, both suits were untimely.

The breach of fiduciary duty claims drew a separate opinion from Judge Brasher, who concurred only in the judgment that the claims were time barred. Judge Brasher reasoned that plaintiffs’ breach of fiduciary duty claims sounded in fraud, and hence the repose period did not begin to run until plaintiffs became aware of the fraud. Judge Brasher concurred with the judgment, however, because the district court found no evidence of fraud, plaintiffs did not argue fraud on appeal, and it was doubtful that the suits could have been deemed timely even if the “fraud exception” to ERISA § 413 applied. He opined, however, that if, on summary judgment, plaintiffs had shown that Allstate fraudulently promised “paid up” insurance and concealed its failure to provide that insurance within six years of their lawsuit, the breach of fiduciary duty claims would have been timely.

The Eleventh Circuit’s opinion reinforces the importance of placing clear, unambiguous reservations of rights and “no vesting” provisions in SPDs. It also strikes a cautionary note that employers should be mindful of how they describe their benefits to their employees. Written or oral descriptions of benefits should always be accompanied by a disclaimer, consistent with the SPD, that benefits are subject to change, modification, or cancellation.

When a district court faces a claim for benefits under ERISA Section 502(a)(1)(B) where it believes that mistakes were made, but the record is not sufficiently developed to award benefits, the court may remand the matter to the plan administrator for further administrative review. Remands such as this have been affirmed by circuit courts for decades, though the Supreme Court has yet to weigh in on the issue.

Nevertheless, a recent concurrence in Card v. Principal Life Insurance Company, 2021 U.S. App. LEXIS 32599 (6th Cir. Nov. 2, 2021), may indicate that at least some members of the federal judiciary are beginning to consider whether ERISA authorizes remands. In that case, the concurrence questioned why a private litigant (there, the plan administrator) would get a second bite at the apple via a remand rather than have the district court supervise additional litigation using normal rules of civil procedure.

The underlying material facts of Card are simple enough. The plaintiff sought disability benefits, which were provided by an ERISA plan and insured by the defendant. When the defendant denied the claim, the plaintiff filed suit to recover the benefits. The district court found in favor of the defendant. The Sixth Circuit reversed, finding that the defendant had not properly analyzed whether plaintiff could perform the tasks of her regular job or occupation. Rather than awarding the plaintiff benefits, the Sixth Circuit remanded the matter to the plan administrator (the defendant) for further analysis.

When the defendant did not complete its review of certain claims within 45 days (as required by ERISA regulations), the plaintiff filed a motion to reopen the case. The district court denied the motion for lack of jurisdiction, as the Sixth Circuit’s remand order remanded the matter directly to the defendant for further consideration. On appeal, the Sixth Circuit, in a per curiam opinion, vacated the district court’s order, concluding that the district court retained jurisdiction. The Sixth Circuit acknowledged that the phrasing of its prior opinion was confusing but concluded that it should be interpreted as remanding the case to the district court to retain jurisdiction while the administrator completed its review.

In short, and as the concurrence recognized, this case represents nothing more than a rote application of the law regarding remands that applies in each and every circuit, 2021 U.S. LEXIS 32599 at *13, and it corrects an ambiguity regarding the district court’s retention of jurisdiction pending completion of the plan administrator’s review.

As for the question in the concurrence about the court’s authority to remand a claim to the plan administrator, a remand is a proper exercise of a court’s remedial powers under ERISA Section 502(a), 29 U.S.C. § 1132(a). King v. Hartford Life & Accident Ins. Co., 414 F.3d 994, 1005 (8th Cir. 2005) (en banc). In addition, “ERISA trusts plan administrators to make the first determination as to the availability of benefits” and therefore “remand may be appropriate in some, or even many, cases.” Glista v. UNUM Life Ins. Co. of America, 378 F.3d 113, 132 (1st Cir. 2004); see also Conkright v. Frommert, 559 U.S. 506, 513-522 (2010) (when a plan administrator errs in its first exercise of discretion in interpreting the terms of the plan, it must be given another chance to exercise its discretion, with that second interpretation subject to deference). Indeed, the concurrence recognized that the practice of remanding to the plan administrator for further consideration is “well established” in the Sixth Circuit.

That said, the case is representative of increased attempts by the plaintiffs’ bar to convince courts to treat routine ERISA benefits cases like routine litigation. Some courts in the Ninth Circuit will allow for alternative pleading of breach of fiduciary duty claims and claims for benefits, even if the sole basis of the breach of fiduciary duty is the denial of the benefit claim. The Seventh and Ninth Circuits have concluded that state law bans on discretionary language in insurance policies apply to ERISA plan documents if the benefit at issue is insured, even if the document that is the source of discretion is not an insurance policy. And the districts are a hodge-podge of standards regarding the permissible scope of discovery when the abuse of discretion standard applies. When the de novo standard applies, depositions are not out of the question for some judges.

Thus, when faced with a claim for benefits, it is important to know the law in the proper district and to have familiarity with the plaintiff’s counsel to better understand whether the litigation will track what most practitioners would consider to be “standard,” or whether the litigation will be more akin to non-ERISA litigation.

In December 2020, Congress passed the “No Surprises Act” (NSA) as part of the Consolidated Appropriations Act of 2021. The NSA applies most commonly in situations where a patient receives out-of-network medical services from a provider to whom the patient had no meaningful opportunity to consent, as in the case of emergency room care or a service performed by an ancillary provider in connection with a scheduled surgery, such as an anesthesiologist. The intent of the NSA is to protect patients from later receiving large “surprise bills” from such out-of-network providers.

On October 7, 2021, the Biden Administration published a second interim final rule implementing the NSA (September Rule) issued by the Departments of Health and Human Services, Labor, and Treasury (Departments). The NSA and its implementing rules are scheduled to go into effect on January 1, 2022.

The NSA’s process requires the provider to submit the out-of-network bill directly to the insurer. If the insurer disputes the bill, the parties may engage in a 30-day “open negotiations” process. If no settlement is achieved, either party may initiate NSA’s prescribed independent dispute resolution (IDR) process – namely a “baseball-style” arbitration in which the provider and insurer submit their best and final offers to the arbitrator, and the arbitrator must select one or the other.

If the parties opt for arbitration, the statutory language provides that in determining which offer is the most “reasonable,” the arbitrator “shall” consider several factors, namely: (1) the “qualifying payment amount” (QPA), which in practice will typically be the insurer’s median in-network rate for similar services in that geographic location; (2) the provider’s level of experience and quality of outcomes; (3) the market shares of both parties; (4) patient acuity; (5) the teaching status, case mix, and scope of services of the out-of-network facility; and (6) demonstrations of good faith efforts (or lack thereof) by the provider to “go in-network” during the previous four years. The arbitrator may also request, or either party may offer, any other relevant information. However, the arbitrator may not consider: (1) the provider’s “usual and customary charge;” (2) the amount the provider would have billed for the service if the NSA did not apply; or (3) the amount a public payer (like Medicare) would have paid.

While the statutory language does not give presumptive weight to any single factor, the September Rule creates a presumption that the QPA is the appropriate rate. The rule further provides that it is not the arbitrator’s role to determine whether the QPA has been calculated correctly. Finally, the rule requires that the arbitrator “must select the offer closest to the [QPA]” unless the arbitrator finds “credible information” that the QPA is “materially different from the appropriate out-of-network rate,” or if the offers are “equally distant from the [QPA] but in opposing directions.”

On December 9, 2021, the American Medical Association and the American Hospital Association – joined by other medical providers and facilities – filed suit (No. 21-3231) against the Departments in the U.S. District Court for the District of Columbia. The suit challenges the portions of the September Rule that create a presumption that the QPA is the appropriate payment. Plaintiffs allege that this presumption conflicts with the NSA’s statutory text and contravenes the legislative intent of creating an IDR process that does not favor providers or insurers. Plaintiffs seek to vacate the disputed provisions of the September Rule, but they do not seek to enjoin the NSA or the undisputed portions of the rule from taking effect on January 1, 2022.

The Departments have not yet answered the Complaint. Jackson Lewis P.C. will post updates as the suit develops.


In Avenoso v. Reliance Standard Life Insurance Company, No. 21-1772, 2021 U.S. App. LEXIS 35264 (8th Cir. Nov. 30, 2021), the Eighth Circuit clarified its position in a circuit split over the proper judicial procedure for deciding ERISA benefits cases.

The underlying case concerned the defendant’s denial of long-term disability benefits under an ERISA plan after the defendant disability insurer found the plaintiff retained sedentary work capacity. After exhausting his administrative appeals, the plaintiff filed a lawsuit in the United States District Court of Minnesota alleging the benefits denial violated ERISA. Both parties moved for summary judgment, with the district court finding for plaintiff.

On appeal, the Eighth Circuit ruled that the district court’s decision on summary judgment was improper because it weighed evidence, made credibility determinations, and made findings on disputed factual questions in the administrative record. The Eighth Circuit confirmed that it stands with the Second, Seventh, Eleventh, Ninth, and Sixth Circuits in refusing to recognize the First Circuit’s exception, which permits district courts to weigh facts and resolve conflicts in evidence when deciding summary judgment in cases resolving ERISA claims for benefits under 29 U.S.C. § 1132(a)(1)(B).

The Eighth Circuit acknowledged that, under its precedent, when a plan administrator is granted discretionary authority under an ERISA plan to determine benefits claims, the district court typically only makes legal conclusions at a subsequent bench trial – i.e., whether under the applicable record a reasonable factfinder could reach a certain outcome. However, when the plan administrator is not granted discretionary authority under the plan, the district court must review the administrative record de novo and act as a factfinder at a subsequent bench trial. Here, the plan administrator was not granted this discretionary authority. Accordingly, at a bench trial, the district court would have weighed evidence and acted as a factfinder in its de novo review to determine whether benefits were due. As a result, the Eighth Circuit held the district court was not justified in resolving factual issues at summary judgment.

The Eighth Circuit concluded, however, that the district court’s error was harmless under FRCP 61, and it affirmed the district court’s decision granting plaintiff summary judgment. Of controlling import, the parties confirmed that neither had new evidence to submit should the court remand the case for a bench trial. Thus, the same district judge would be deciding the same issue on the same record during a bench trial, and the district court’s factfinding would be reviewed for clear error on appeal. Accordingly, the Eighth Circuit applied the clear error standard here, concluding the district court’s finding that the plaintiff lacked sedentary work capacity was not clearly erroneous.

Avenoso serves as an important reminder to the parties in ERISA benefit claim cases to evaluate the most efficient way to resolve these cases. They are often decided on the administrative record with the judge as the factfinder. In these circumstances, using FRCP 52 to conduct a bench trial “on the paper” (instead of summary judgment) can avoid the issues (including the potential costs of further remand and litigation) raised in the Avenoso appeal.


Today, the Supreme Court heard oral arguments in Hughes v. Northwestern University, No. 19-1401, just one of about 150 similar class action suits filed around the country in the last few years. The case was brought by retirement plan participants alleging that plan fiduciaries breached their duties under ERISA relating to recordkeeping and investment fees charged to plan participants. Specifically, Plaintiffs alleged that Northwestern breached its ERISA-imposed duty of prudence by (1) paying excessive recordkeeping fees (using multiple recordkeepers and allowing recordkeeping fees to be paid through revenue sharing); and (2) offering mutual funds with excessive investment management fees.

The district court granted Northwestern’s motion to dismiss, and the Seventh Circuit affirmed. The Seventh Circuit found no ERISA violation based on Northwestern’s recordkeeping arrangement. The court explained that ERISA does not require a sole recordkeeper, and there is “nothing wrong – for ERISA purposes – with plan participants paying recordkeeper costs through expense ratios” under a revenue sharing agreement.

The Seventh Circuit also rejected the excessive investment fee claim, concluding that the types of funds plaintiffs wanted (low-cost index funds) were and are available to them, thus “eliminating any claim that plan participants were forced to stomach an unappetizing menu.”

Plaintiffs appealed to the Supreme Court, which granted certiorari to address this question: “[w]hether allegations that a defined-contribution retirement plan paid or charged its participants fees that substantially exceeded fees for alternative available investment products or services are sufficient to state a claim against plan fiduciaries for breach of the duty of prudence under ERISA.”

During oral argument today, various members of the Court appeared to struggle to devise a motion to dismiss standard in these cases, with Justices Alito, Gorsuch, Breyer, Kagan, and Kavanaugh each pressing the parties about what facts they believed must be pled to open the courthouse door to plaintiffs, particularly relating to investment fees. Although a key issue in Plaintiffs’ amended complaint was the use of revenue sharing, rather than a per-participant fee, there was little to no inquiry or recognition by the Justices on the impact of revenue sharing in offsetting fees as a reason for selecting a more expensive share class as an investment option.

Equally surprising was Justice Roberts’ line of questioning on the scope of ERISA’s fiduciary duty of prudence, asking Plaintiffs’ counsel at one point whether the standard was the “highest” duty or an “average” duty, something more akin to negligence.

There appeared to be more coalescence on the recordkeeping claim. Several members of the Court indicated they approve of the Seventh Circuit’s finding that ERISA does not require a sole recordkeeper, and that Plaintiffs’ argument that the Plan should have been able to obtain a $35 per participant fee, without more, was insufficient to state a claim.

Justice Kagan appeared to be the only jurist clearly in favor of overturning the Seventh Circuit’s decision, with some support from Justices Sotomayor and Breyer. With Justice Barrett recused (she was still sitting on the Seventh Circuit at the time of the underlying decision), if Justice Kagan recruits only one more Justice, there could be a tie vote, but a tie vote would leave the Seventh Circuit decision intact.


Shortly after the U.S. Department of Labor’s (DOL) Employee Benefits Security Administration (EBSA) issued its cybersecurity guidance for employee retirement plans and updated its audit inquiries to include compliance with these guidelines, a federal court in Chicago ruled an employee benefit services provider must comply with a subpoena requesting, among other things, documents and communications relating to the provider’s information security and cybersecurity plans and controls.

In Walsh v. Alight Solutions, LLC, No. 20-cv-2138 (N.D. Ill. Oct. 28, 2021), the DOL sought enforcement of an administrative subpoena against Alight Solutions (the Company) — a recordkeeping, administrative, and consulting services provider to ERISA plan clients. The agency’s investigation was prompted, in part, by the alleged discovery that the Company had processed unauthorized distributions due to cybersecurity breaches relating to its ERISA plan clients’ accounts, which it had not corrected.

The subpoena called for “all documents” in the Company’s “possession, custody, [or] control” in response to 32 inquiries. These inquiries included specific requests for, among other things, all documents and/or communications relating to the Company’s:

  • communications, event logs, and reports of any incident involving information security and/or cybersecurity relating to any ERISA plan clients;
  • system penetration testing or other ethical hack reports from the Company, the Company’s service providers, or the Company’s ERISA plan clients (eventually narrowed by the DOL to such testing or reports that relate to any ERISA plan clients);
  • information security or cybersecurity controls (including internal cybersecurity procedures and policies, patch management reports, and cybersecurity assessment reports);
  • crisis management plans and corporate continuity plans relating to information security and/or cybersecurity;
  • cybersecurity awareness training; and
  • physical access controls, including key cards, biometric controls, and video cameras relating to information security and/or cybersecurity (narrowed by the DOL to controls that relate to any ERISA plan clients).

In determining whether the subpoena should be enforced, the court recognized the Secretary of Labor must demonstrate: (1) the subpoena is within the authority of the agency; (2) the demand is not too indefinite; and (3) the information sought is reasonably relevant to the DOL’s investigation. The court also acknowledged its duty to consider the potential burden of compliance on the Company.

The court squarely rejected the Company’s arguments that the DOL’s subpoena power only extends to ERISA fiduciaries, finding the DOL has broad subpoena power and may investigate “merely on suspicion that the law is being violated, or even just because it wants assurance that it is not.” The court also found that the requests were not too indefinite because the Secretary outlined in 32 paragraphs its specific requests, which it further clarified during litigation. Lastly, the court recognized the requests were relevant to the investigation, as the requests permissibly sought information that may be relevant to whether ERISA violations had occurred.

With respect to the potential burden of compliance, the Company argued that compliance “would require thousands of hours of work just to identify potentially responsive documents” in addition to “the time and expenses outside counsel would incur reviewing, de-identifying, and producing those materials.” Although the court recognized the burden of compliance may potentially be significant, the court ruled the Company must comply with the subpoena and found the burden did not outweigh the potential relevance of the requests, citing EEOC v. Quad/Graphics, Inc., 63 F.3d 642, 648 (7th Cir. 1995) (upholding district court’s enforcement of subpoena in case in which the responding party estimated that compliance would require more than 200,000 hours).

The court also rejected the Company’s request to “de-identify” the data produced so that it did not disclose the ERISA plan involved. The court noted federal law would protect this information from disclosure by the DOL to outside parties.

What are the takeaways from Walsh v. Alight Solutions? First and foremost, it demonstrates that information security and cybersecurity are clearly a new and important area of interest for the DOL. Although not explicitly stated, the inquiries listed in the subpoena suggest the DOL is looking into what providers are doing to safeguard their own systems to address privacy and security, specific documents that describe those safeguards and controls, as well as whether the provider has had any incidents involving cybersecurity relating to its ERISA plan clients. Moreover, Walsh v. Alight Solutions also reminds us that the DOL has broad subpoena power and authority to investigate compliance with the laws enforced by the department, including compliance by ERISA plan service providers. Accordingly, providers (and by extension, ERISA plans) will want to think carefully about their current practices, including their communications and procedures, to address cybersecurity threats.