Seventh Circuit Court of Appeals Affirms Department of Labor’s Petition to Enforce Administrative Subpoena

Key Takeaway: The Seventh Circuit ruled that the Department of Labor can subpoena non-fiduciaries and investigate cybersecurity breaches.

On August 12, 2022, the U.S. Court of Appeals for the Seventh Circuit affirmed a district court order requiring benefits plan recordkeeper Alight Solutions (Alight) to produce documents to the U.S. Department of Labor regarding cybersecurity incidents that involved Alight. The decision is the latest development in a Department of Labor investigation into Alight with regard to cybersecurity breaches that began in July 2019. As part of that investigation, the Department of Labor sent Alight an administrative subpoena seeking documents. Alight produced some documents, but objected to producing others. The Department of Labor then petitioned the Northern District of Illinois to enforce the subpoena. Alight opposed enforcement of the subpoena, arguing, among other things, that the Department of Labor lacked authority to investigate Alight because it was not a fiduciary in connection with the at-issue conduct. The district court granted the Department of Labor’s petition, and Alight appealed.

The Seventh Circuit agreed with the district court, and affirmed. With regard to Alight’s argument that the Department of Labor could not investigate non-fiduciaries, the Seventh Circuit ruled that nothing in ERISA’s statutory regime limited the scope of the Department of Labor’s investigations to those involving fiduciaries. Rather, as the court found, the Department of Labor can obtain documents and information from non-fiduciaries that are relevant to investigations of potential ERISA violations by other entities. Alight also argued—for the first time on appeal—that the Department of Labor lacks authority to investigate cybersecurity incidents. The court rejected this as well, explaining that “the reasonableness of Alight’s cybersecurity services, and the extent of any breaches,” “is relevant to determining whether ERISA has been violated—either by Alight itself, or by the employers that outsourced management of their ERISA plans to Alight.”

The case is Walsh v. Alight Solutions, LLC, No. 21-3290, in the Seventh Circuit Court of Appeals, and the decision is available here.