Main Menu Main Content
Photo of Court Enforces DOL Subpoena Seeking ERISA Plan’s Cybersecurity Information

Court Enforces DOL Subpoena Seeking ERISA Plan’s Cybersecurity Information

Hodgson Russ Employee Benefits Newsletter
December 31, 2021

A district court has enforced an administrative subpoena issued by the Department of Labor (DOL) seeking an ERISA plan service provider’s cybersecurity records. The subpoena is part of an investigation into the service provider after it allegedly processed unauthorized distributions as a result of cybersecurity breaches relating to its ERISA plan clients. Moreover, it is alleged that the service provider, Alight Solutions, did not immediately report the cyber breaches and the related unauthorized distributions to its clients after Alight discovered the breaches and instead waited months to notify the affect plans.

The issue before the court was simply whether it should enforce the subpoena. To be enforceable, an administrative subpoena must satisfy three requirements: 1) the subpoena must be within the authority of the DOL, (2) the demand must not be too indefinite, and (3) the information sought must be reasonably relevant to the investigation. The court had no problem finding that all of these requirements were met. Federal law provides the DOL with broad subpoena power, so the first requirement was easy to satisfy. Interestingly, Alight argued that the subpoena was not within the authority of the DOL because “the subpoena power only extends to entities classified as ‘fiduciaries’ under ERISA.” The court, however, noted nothing in the statute or controlling case law suggested this was accurate.

As it relates to the second requirement, the court noted Alight’s argument wasn’t that the subpoena was too indefinite, but rather that compliance would be extremely burdensome. Since the burden on the subpoenaed party isn’t the standard though, the court sided with the DOL again.

Third, on the relevance of the information sought, the court said “In the ERISA context, the proper scope of an investigation can be determined ‘only by reference to the statute itself; the appropriate inquiry is whether the information sought might assist in determining whether any person is violating or has violated any provision of Title I of ERISA.’” Obviously, the cybersecurity information sought was relevant in determining whether Alight violated any provision of ERISA.

This case is a reminder for plan sponsors and service providers to update their cybersecurity policies and practices. In April of this year, the DOL issued sub-regulatory guidance for retirement plan sponsors, providers, and participants designed to help ensure retirement assets are adequately protected. The policies and practices identified in this guidance should be implemented as soon as possible given that the DOL is becoming more concerned about ERISA plan’s cybersecurity.

Walsh v. Alight Solutions, LLC, No. 20-cv-02138 (N.D. Ill. 2021).