DOL Cybersecurity Investigations: The Trap Door To Endless Document Requests?

Published date: 29 August 2022
Subject Matter: Employment and HR, Retirement, Superannuation & Pensions, Employee Benefits & Compensation
Law Firm: Groom Law Group
Author: Jacob W. Eigner, Lars Golumbic, Allison Itami, David Levine, Andrew Salek-Raham, George Sepsakos and Kevin Walsh

Parties involved in a Department of Labor ('DOL') Employee Benefits Security Administration ('EBSA') investigation often ask a simple question: how much information am I obligated to provide the DOL in response to an administrative subpoena? A recent decision in the United States Court of Appeals for the Seventh Circuit, Walsh v. Alight Solutions, LLC, provides some guidance.

I. Background

EBSA served Alight with a subpoena seeking documents related to Alight's cybersecurity practices. Rather than provide the documents requested by EBSA in the subpoena, Alight contested the subpoena in court under several different theories.

Alight argued in the district court that EBSA could not enforce subpoenas issued to nonfiduciaries and that, even if it could, the subpoena in question was vague and overly burdensome. The district court rejected both arguments, holding that ERISA authorizes EBSA to subpoena information that 'might assist in determining whether any person' may be violating ERISA.

In concluding that the subpoena was enforceable, the district court applied a four-step test: First, it asked whether the subpoena is within the agency's authority. Second, it asked if the subpoena is too indefinite. Third, it asked whether 'the information sought might assist in determining whether any person is violating or has violated any provision of Title I [of ERISA].' After concluding that these three factors were satisfied, it weighed the relevance of the request against the burden on the respondent using the starting presumption that the subpoena should be enforced unless it is not only burdensome but 'unduly burdensome.'

II. Alight's Appeal and the Seventh Circuit Decision

Alight advanced four arguments on appeal: (i) that EBSA cannot enforce subpoenas against non-fiduciaries, (ii) that EBSA does not have the authority to investigate cybersecurity practices, (iii) that the subpoena was too indefinite and too burdensome to enforce, and (iv) that the district court wrongly denied its request for a protective order to shield certain confidential information from disclosure. The Court rejected each one but, in doing so, provided helpful guidance for recipients of administrative subpoenas seeking to challenge burdensome requests.

As to Alight's first argument, that section 504(a) of ERISA does not authorize EBSA to issue subpoenas to non-fiduciaries, the Court began with the plain language of the statute, which gives the DOL the authority to launch investigations 'to...
