A recent Seventh Circuit Court of Appeals case reminds plan sponsors and service providers that ERISA grants the DOL broad authority to seek plan-related information reasonably relevant to an investigation from both fiduciaries and non-fiduciaries. Plan cybersecurity practices have been a recent focus of the DOL, and that focus resulted in its 2021 issuance of cybersecurity best practices for plan sponsors, fiduciaries, recordkeepers, and plan participants, which are available here.
In this case, the court ruled in favor of the DOL in connection with the DOL's 2019 investigation into the processing of unauthorized distributions of plan benefits due to cybersecurity breaches in the ERISA plan accounts serviced by Alight Solutions LLC ("Alight"). The DOL indicated that Alight failed to report, disclose, and restore the distributions. Alight denied any knowledge of the breaches.
Alight argued that the subpoena fell outside of the DOL's authority because the DOL does not have the authority under ERISA to investigate non-fiduciaries for cybersecurity issues. The court disagreed with Alight's argument, stating that whether or not Alight is a fiduciary does not affect the DOL's investigatory authority, and affirming the district court ruling concluding that the information requested had reasonable relevancy for purposes of the DOL's investigation. Further, while the court acknowledged plan information can contain sensitive information including, in Alight's case, personally identifiable information, confidentiality settlement agreements, and client identifying information, the court found that Alight did not demonstrate how disclosure to the DOL would result in the information being revealed to a third party warranting a protective order, particularly because such disclosure by federal employees is a criminal act.
For plan sponsors, this case reinforces the DOL's broad subpoena authority in connection with plan-related requests, even if such requests are made to a third-party service provider. Plan sponsors should discuss cybersecurity with their plan's service providers at least annually and should ensure that their service provider agreements clearly provide that the service provider will cooperate with DOL requests in accordance with the law.
The opinion in Walsh v. Alight Solutions LLC is available here.