DOL Cybersecurity Investigations: The Trap Door to Endless Document Requests?

Parties involved in a Department of Labor (“DOL”) Employee Benefits Security Administration (“EBSA”) investigation often ask a simple question: how much information am I obligated to provide the DOL in response to an administrative subpoena? A recent decision of the United States Court of Appeals for the Seventh Circuit, Walsh v. Alight Solutions, LLC, provides some guidance.

I. Background

EBSA served Alight with a subpoena seeking documents related to Alight’s cybersecurity practices.  Rather than provide the documents requested by EBSA in the subpoena, Alight contested the subpoena in court under several different theories.

Alight argued in the district court that EBSA could not enforce subpoenas issued to nonfiduciaries and that, even if it could, the subpoena in question was vague and overly burdensome.  The district court rejected both arguments, holding that ERISA authorizes EBSA to subpoena information that “might assist in determining whether any person” may be violating ERISA.

In concluding that the subpoena was enforceable, the district court applied a four-step test: First, it asked whether the subpoena is within the agency’s authority.  Second, it asked if the subpoena is too indefinite.  Third, it asked whether “the information sought might assist in determining whether any person is violating or has violated any provision of Title I [of ERISA].”  After concluding that these three factors were satisfied, it weighed the relevance of the request against the burden on the respondent using the starting presumption that the subpoena should be enforced unless it is not only burdensome but “unduly burdensome.”

II. Alight’s Appeal and the Seventh Circuit Decision

Alight advanced four arguments on appeal: (i) that EBSA cannot enforce subpoenas against non-fiduciaries, (ii) that EBSA does not have the authority to investigate cybersecurity practices, (iii) that the subpoena was too indefinite and too burdensome to enforce, and (iv) that the district court wrongly denied its request for a protective order to shield certain confidential information from disclosure.  The Court rejected each one but, in doing so, provided helpful guidance for recipients of administrative subpoenas seeking to challenge burdensome requests.

As to Alight’s first argument—that section 504(a) of ERISA does not authorize EBSA to issue subpoenas to non-fiduciaries—the Court began with the plain language of the statute, which gives the DOL the authority to launch investigations “to determine whether any person has violated or is about to violate” ERISA. (Emphasis added). The Seventh Circuit held that this language does not expressly limit the universe of subpoena targets to fiduciaries—a holding that is not only consistent with the statute’s plain text but also accords with the Supreme Court’s ruling in Harris Trust & Savings Bank v. Salomon Smith Barney Inc., 530 U.S. 238 (2000), that nonfiduciaries can be liable under ERISA to the extent they knowingly participated in a prohibited transaction.

The Court next held that Alight failed to raise below the argument that cybersecurity investigations are outside the DOL’s purview, and so rejected it.  The Seventh Circuit went on to briefly explain that, even if Alight had not waived the argument, it was unconvincing, as Alight’s cybersecurity practices could be relevant to the question of whether someone—whether Alight or the plan administrators of each plan—had violated ERISA’s fiduciary obligations of care and loyalty.

The Court next explained its view that indefiniteness (whether requests are “vague or amorphous”) and burden (whether requests impose “undue costs and stresses on normal business operations”) are separate inquiries, and that Alight only raised arguments as to the latter.  With respect to burden, the Seventh Circuit began by noting that section 504(a) of ERISA is not a blank check; DOL is not entitled to any document reasonably relevant to an investigation.  Rather, courts must undertake a “fact-intensive inquiry,” which involves balancing “the likely relevance of the requested material . . . against the burden to [the respondent]” to determine whether a particular request is appropriate.

The Court held that, on the facts before it, it did not have a “definite and firm conviction” that the lower court erred when it conducted a balancing inquiry and decided that DOL’s modified requests[1] were not unduly burdensome.  In doing so, the Seventh Circuit noted that Alight had not sufficiently detailed the burden of responding or demonstrated that doing so would “threaten the normal operation of its business.”  The Court, however, emphasized that its ruling was narrowly tailored to the particular facts before it, admonished the DOL for being unable to articulate why it did not first seek a less burdensome sampling of data instead of jumping to 32 “all document” requests, and cautioned agencies not to read the decision as “granting leave to issue administrative subpoenas that are overly cumbersome or that seek information not reasonably relevant to the investigation at hand.”

Finally, the Seventh Circuit denied Alight’s request for a protective order to shield from disclosure certain confidential information that it is contractually required to protect.  The Court started its inquiry from a skeptical posture, as Alight “never formally moved for a protective order” below, and ultimately held that the criminal penalties under the Freedom of Information Act (“FOIA”) that apply to federal employees who disclose such information were sufficient to justify the district court’s decision not to enter a protective order.

III. Takeaways

The first major takeaway from the Seventh Circuit’s opinion relates to the scope of section 504(a) of ERISA.  The Seventh Circuit is the first court of which we are aware to hold that non-fiduciaries fall within the scope of the DOL’s investigatory authority under section 504(a).  It is also the first court to be asked to hold that cybersecurity is a subject matter outside the DOL’s purview, which is itself notable.  While the Court rejected Alight’s argument, targets of administrative subpoenas are likely to continue to challenge the DOL’s enforcement actions, particularly when the DOL’s investigations target fiduciary responsibilities only recently identified by DOL as springing from the general fiduciary duty imposed by ERISA section 404 (such as missing participant and cybersecurity obligations).

The other major takeaway is that courts do not view ERISA section 504(a) as providing the DOL with carte blanche to obtain any and all likely relevant documents it wishes. Rather, the DOL’s subpoena requests are subject to something akin to the normal relevancy-burden balancing test found in Rule 26 of the Federal Rules of Civil Procedure, which courts commonly apply when evaluating burden objections to requests for production or third-party subpoenas in federal litigation.

The Seventh Circuit therefore has provided targets of administrative subpoenas with a clear blueprint for demonstrating that the DOL’s requests are unduly burdensome: they must articulate via affidavit or witness testimony precisely how responding will disrupt their normal business operations. These could include explaining the number of documents they expect to be responsive to the requests they are challenging; the number of man-hours required to collect, review, and produce that material; and the costs, including lost opportunity costs, of shouldering that burden.  In negotiating the scope of a response to an administrative subpoena that broadly seeks “all documents,” subpoena targets may also consider explaining how a sampling of the universe of data could both meet the DOL’s needs and avoid the undue burden associated with full compliance—a solution that the Seventh Circuit seemed to think would be more appropriate than the DOL’s “cumbersome” requests for “all documents,” but not one that it was prepared to impose on the record before it.

Lastly, in denying Alight’s request for a protective order, the Court suggested that FOIA’s criminal protections were sufficient to ensure that DOL employees would not release that information. True, FOIA does contain criminal protections designed to prevent leaks.  But the Court did not address how FOIA’s protections intersect with ERISA section 504(a)’s language—oft-cited by the DOL—that the DOL “may make available to any person actually affected by any matter which is the subject of an investigation under this section, and to any department or agency of the United States, information concerning any matter which may be the subject of such investigation.”


[1] When petitioning a district court to enforce one of its administrative subpoenas, the DOL often will preemptively narrow its actual, broader requests, and did so here.