Walsh v. Alight Solutions LLC, 2022 WL 3334450 (7th Cir. 2022)
While investigating alleged cybersecurity breaches at a recordkeeping service provider for employer-sponsored health and retirement plans, the DOL issued a subpoena requesting a broad range of materials, including all “documents and communications relating to services offered to ERISA plan clients.” As background, the DOL’s investigative authority under ERISA includes the power to issue subpoenas for documents and records, and courts have generally given the DOL broad authority regarding the variety of materials that it can seek through a subpoena. After a trial court refused the service provider’s request to quash the subpoena and ruled that it was enforceable (with some modifications), the service provider appealed, arguing that the DOL was not permitted to investigate nonfiduciaries and thus was not authorized to issue the subpoena.
In upholding the trial court’s decision, the appellate court pointed out that ERISA authorizes the DOL to investigate potential ERISA violations by “any person”—regardless of fiduciary status. Indeed, the DOL could issue a subpoena to any entity to gather information about another entity’s potential violation of ERISA. Limiting the DOL’s investigative power to ERISA plan fiduciaries would enable fiduciaries to avoid liability by outsourcing administrative functions to nonfiduciary third parties. The court also rejected the service provider’s argument that the subpoena was too indefinite and burdensome, explaining that the company rooted its indefiniteness argument in the subpoena’s breadth rather than a lack of clarity. Moreover, the company’s estimates of the amount of time needed to comply with the subpoena lacked detail, and the company had not shown why the “admittedly cumbersome” task of complying with the subpoena would be “unduly” burdensome. Denying the service provider’s request for a protective order to prevent disclosure of certain confidential information, the court noted that federal law protects confidential information from disclosure and criminalizes its disclosure by federal employees. The court declined to consider the service provider’s claim that the DOL was not authorized to investigate cybersecurity breaches because the argument was raised for the first time on appeal. But the court also said that this argument was unconvincing, as potential cybersecurity breaches would be relevant to determining whether the service provider or its plan sponsor clients violated ERISA.
EBIA Comment: This case highlights both the DOL’s extensive subpoena power and its increased focus on cybersecurity (see, for example, our Checkpoint article). Plan sponsors and their service providers should adhere to good recordkeeping and cybersecurity practices so that they will be prepared to respond in the event the DOL comes to call. For more information, see EBIA’s ERISA Compliance manual at Section XXXVII.C (“Enforcing Investigative Requests: DOL Subpoena Power”). See also EBIA’s 401(k) Plans manual at Section XXXII.C (“DOL Investigations”) and EBIA’s Self-Insured Health Plans manual at Section XXXII.B (“DOL Civil Investigations (Audits) Under ERISA”).
Contributing Editors: EBIA Staff.