A defined contribution (DC) plan recordkeeper must comply with a broad Department of Labor (DOL) administrative subpoena seeking information about cybersecurity practices, the 7th US Circuit Court of Appeals has ruled (Walsh v. Alight Solutions, No. 21-3290 (7th Cir. Aug. 12, 2022)). The subpoena stems from DOL’s investigation of alleged cybersecurity breaches, which the agency says led to unauthorized benefit distributions. As part of the investigation, DOL is seeking a wide range of documents and communications, including information about Alight’s plan sponsor clients and participants.
The 7th Circuit upheld the lower court’s decision to enforce the subpoena, finding that DOL has broad authority to investigate potential ERISA violations, including cybersecurity issues affecting retirement plans.
DOL’s investigative powers. Alight argued that DOL can only investigate ERISA fiduciaries. The court disagreed, finding that ERISA gives DOL broad authority to investigate any actual or potential ERISA violation. The court said this authority extends to compelling a nonfiduciary service provider to turn over information so DOL can determine whether the provider’s clients have violated ERISA. If DOL lacked this authority, fiduciaries could otherwise “avoid liability altogether by outsourcing recordkeeping and administrative functions to non-fiduciary third parties,” the court reasoned. Though the decision isn’t surprising, the 7th Circuit appears to be the first appellate court to issue such a ruling.
DOL’s authority extends to cybersecurity practices. The lawsuit reflects DOL’s recent focus on cybersecurity, including last year’s guidance on best practices for plan sponsors, fiduciaries, recordkeepers and participants. Although Alight argued that cybersecurity is beyond DOL’s authority, the court sided with DOL, finding the reasonableness of cybersecurity practices and the extent of any breaches are relevant to determining whether recordkeepers — or their clients — have potentially violated ERISA’s standard of care.
Records may not be redacted. The court upheld the lower court’s denial of a protective order covering sensitive customer information — including client names, plan names and participant information — finding that federal law already prevents DOL from disclosing any confidential information. Without access to client and plan names, DOL couldn’t identify which employers might have violated ERISA, the court said.
DOL’s 2021 guidance said ERISA requires fiduciaries to take appropriate precautions to reduce cybersecurity risks to retirement plan assets and personally identifiable information. The arguments in this case suggest that the agency might use the subpoenaed information to investigate whether DC plans’ fiduciaries properly evaluated the recordkeeper’s cybersecurity practices. The 7th Circuit’s ruling underscores the importance of plan sponsors and fiduciaries incorporating cybersecurity considerations into a prudent process for selecting and monitoring service providers.