Cybercrime is a scourge that is estimated to have cost the United States nearly $7 billion in 2021, according to the Federal Bureau of Investigation. The damages from cybercrime increase yearly as thieves become more sophisticated in their schemes to steal whenever they see a vulnerability they can exploit.
A growing area of cybercrime involves theft of retirement benefits. The 7th U.S. Circuit Court of Appeals recently addressed this issue in Walsh v. Alight Solutions, LLC, 2022 WL 3334450 (Aug. 12, 2022).
This case was brought by the U.S. Labor Department secretary, who was investigating cybersecurity breaches at Alight Solutions, a company that handles recordkeeping and other administrative services for employers that provide retirement benefits to their employees.
According to the ruling, Alight serves more than 750 clients and more than 20 million plan participants. As part of its investigation, an administrative subpoena was issued by Labor Secretary Martin J. Walsh to Alight.
While some documents responsive to the subpoena were produced, Alight objected to other requests. The basis of Alight’s objections were twofold: First, Alight asserted the subpoena was unenforceable on the ground the Department of Labor lacked the authority to investigate it or cybersecurity in general. Alight also objected on the ground the requests were unduly burdensome. The court rejected both arguments.
In its recordkeeping and administrative services role, Alight maintains highly sensitive information about retirement plan participants and utilizes cybersecurity measures to protect confidential information.
However, the Department of Labor opened an investigation into Alight’s cybersecurity practices in 2019 after learning of cybersecurity breaches that Alight failed to report or disclose. Alight also failed to restore the benefits stolen from plan participants. As part of its investigation, the administrative subpoena was issued, and after Alight refused to comply, the Labor Department brought a compliance proceeding in federal district court.
The district court ordered Alight to comply with the subpoena, and the court of appeals affirmed.
Alight argued the Department of Labor lacked the authority to enforce the subpoena because it asserted that it was non-fiduciary and because the Employee Retirement Income Security Act does not authorize investigations into cybersecurity issues. The court overruled both objections.
The authority granted to the Department of Labor to issue subpoenas is contained in 29 U.S.C. §1134(a)(1), which states:
“The Secretary shall have the power, in order to determine whether any person has violated or is about to violate any provision of this sub-chapter or any regulation or order thereunder — (1) to make an investigation, and in connection therewith to require the submission of reports, books, and records, and the filing of data in support of any information required to be filed with the Secretary under this subchapter[.]”
The court further observed that a violation does not have to be found prior to the issuance of a subpoena; the agency has the “authority to ‘investigate merely on suspicion that the law is being violated, or even just because it wants assurance that it is not.’” Chao v. Loc. 743, Int’l Brotherhood of Teamsters, AFL-CIO, 467 F.3d 1014, 1017 (7th Cir. 2006) (quoting United States v. Morton Salt Co., 338 U.S. 632, 642–43 (1950)).
The court ruled that whether Alight is a fiduciary under ERISA is immaterial because the secretary’s power to investigate applies to “any person.” The court further pointed out that if the Labor Department could not pursue its investigation, ERISA fiduciaries could “avoid liability altogether by outsourcing recordkeeping and administrative functions to non-fiduciary third parties, evading regulatory oversight.”
On the issue of whether the Department of Labor had the authority to investigate cybersecurity breaches, the court found the issue was raised for the first time on appeal and therefore forfeited. Regardless, the court cited a Supreme Court ruling finding that “Congress incorporated into ERISA ‘a standard of loyalty and a standard of care.’” (citing Cent. States, Se. & Sw. Areas Pension Fund v. Cent. Transp., Inc., 472 U.S. 559, 570 (1985)).
Those standards made Alight’s cybersecurity practices an appropriate subject of investigation since breaches had been reported.
Alight’s argument that compliance with the subpoena was too burdensome was also rejected. The court found the requests were all “reasonably relevant” to the Department of Labor’s investigation into whether Alight’s practices were in compliance with ERISA.
Alight asserted that responding to the administrative subpoena would require “thousands of hours” of work to compile the requested information. The court deemed that estimate inflated and concluded that compliance with the subpoena was not unduly burdensome. But the court noted that its ruling should not be read to grant carte blanche to agencies to issue administrative subpoenas that do impose unduly burdensome production requirements or which are not reasonably relevant to the issue under investigation.
Finally, Alight asserted that compliance with the subpoena would force it to disclose plan participant personal identifying information, confidential settlements, and other client identifying information.
The court was unimpressed with that argument, though, because it presumed the Department of Labor would protect the confidentiality either with or without a protective order. Nor would the Department of Labor be able to investigate cybersecurity breaches adequately without possessing such information.
Cybersecurity experts warn that it is not a matter of “if” but “when” breaches will occur. However, the use of sound measures to protect data such as multi-factor authentication and challenge questions are now the norm for highly sensitive financial data.
Since the Department of Labor was aware that breaches had already occurred, it was justifiably concerned about whether Alight’s cybersecurity protocols were sufficiently adequate to protect participants’ retirement savings.
As the court pointed out, the data of more than 20 million plan participants was at stake, and if vulnerabilities exist, steps need to be taken to promptly remedy the problem.
Mark D. DeBofsky is a shareholder at DeBofsky Law.
This article was first published by the Chicago Daily Law Bulletin on August 30, 3022