Court Rejects Recordkeeper’s Attempt to Dodge DOL Cybersecurity Subpoena

“Not persuasive” is how the United States Court of Appeals for the Seventh Circuit, in an August 12th decision, characterized all of Alight’s attempts to avoid complying with a DOL investigatory subpoena seeking information about its alleged cybersecurity breaches in connection with unauthorized distributions of benefits from ERISA plan client accounts. Rejecting all of Alight’s arguments, the Court affirmed, on Alight’s appeal, the earlier decision of a United States District Court granting the DOL’s petition to enforce the subpoena.


Alight had argued to the District Court that the DOL subpoena was unenforceable because the DOL had no authority, under ERISA or otherwise, to investigate “non-fiduciaries” (which Alight claimed to be). The District Court held that the DOL’s investigatory authority was not limited to fiduciaries, and the Court of Appeals, in affirming that holding, pointedly announced that holding otherwise “would allow ERISA fiduciaries to avoid liability altogether by outsourcing recordkeeping and administrative functions to non-fiduciary third parties, evading regulatory oversight.”


Alight also argued, for the first time on appeal, that the DOL lacked authority to investigate cybersecurity breaches generally.


Although it found the argument forfeited because Alight hadn’t made it to the District Court, the Court nonetheless made very clear that the “merits” of Alight’s argument were “unconvincing” since the “reasonableness of Alight’s cybersecurity services, and the extent of any breaches, is therefore relevant to determining whether ERISA had been violated -- either by Alight itself or by the employers who had outsourced services to Alight.”