In Cybersecurity Enforcement Action, Seventh Circuit Rejects Service Provider's Challenges to DOL Subpoena | Practical Law

In an enforcement action involving an administrative subpoena seeking documents from a service provider for employer-sponsored health and retirement plans, the Seventh Circuit held that the Department of Labor's (DOL's) investigatory authority under the Employee Retirement Income Security Act of 1974 (ERISA) is not limited to ERISA plan fiduciaries. The Seventh Circuit also concluded that the subpoena was not too indefinite or unduly burdensome.

In Cybersecurity Enforcement Action, Seventh Circuit Rejects Service Provider's Challenges to DOL Subpoena

by Practical Law Employee Benefits & Executive Compensation
Published on 06 Oct 2022 | USA (National/Federal)
In an enforcement action involving a DOL subpoena seeking documents from a service provider for ERISA plans, the Seventh Circuit held that the DOL's investigatory authority is not limited to ERISA plan fiduciaries (Walsh v. Alight Solutions, LLC, 44 F.4th 716 (7th Cir. 2022)). Affirming the district court, the Seventh Circuit also concluded that the subpoena was not too indefinite or unduly burdensome.

DOL Investigation Results from Unauthorized Distributions

This litigation involves the DOL's investigation of a third-party service provider that provides administrative services to numerous plan sponsors of ERISA-governed health and retirement plans (and some non-ERISA arrangements). The DOL began its investigation after discovering that the service provider had processed unauthorized distributions of plan benefits resulting from cybersecurity breaches in the accounts of its ERISA plan clients. According to the DOL, the service provider did not report, disclose, or restore the unauthorized distributions. The service provider asserted that it was unaware of any breaches resulting in unauthorized distributions.
As part of its investigation, the DOL issued an administrative subpoena to the service provider, seeking—among other documents in a set of 32 inquiries—contracts, agreements, fee schedules, and "[a]ll documents and communications relating to services offered to ERISA plan clients". Although the service provider produced some of the requested documents, it redacted client identities in most of the documents and objected to the other requests.
The DOL sought to enforce the subpoena in federal district court, and the court obliged. However, the district court declined the service provider's request for a protective order, reasoning that any confidential information was protected under the Freedom of Information Act (FOIA). On appeal to the Seventh Circuit, the service provider argued that:
  • The DOL lacked authority to issue its subpoena.
  • The subpoena was too indefinite and burdensome to enforce.
  • A protective order was needed to prevent disclosure of certain confidential information.
Affirming the district court, the Seventh Circuit rejected all of the service provider's arguments.

DOL Was Authorized to Investigate Non-Fiduciaries and Cybersecurity Issues

First, the Seventh Circuit rejected the service provider's argument that the disputed subpoena fell outside the DOL's authority because the DOL was not permitted to investigate:
  • Non-ERISA fiduciaries.
  • Cybersecurity issues.
Citing ERISA, the Seventh Circuit confirmed that the DOL is authorized to investigate whether any person has violated (or is about to violate) ERISA itself or any of its implementing regulations (ERISA § 504(a) (29 U.S.C. § 1134(a))). As part of this authority, the Seventh Circuit noted, the DOL may require the submission of reports, books, records, and certain other information (see Practice Note, Guide to Dealing with Department of Labor Investigations of Retirement Plans: Subpoenas).
The service provider argued that:
  • Because the service provider only serves its clients in an administrative capacity, it was not an ERISA fiduciary for its clients' ERISA plans.
  • The service provider could not, therefore, be investigated by the DOL.
Rejecting this argument, the Seventh Circuit concluded that the DOL's investigatory authority under ERISA is not limited to fiduciaries. The court emphasized that ERISA authorizes the DOL to investigate whether any person has violated any provision of ERISA. Accordingly, the DOL's authority depends on the information being requested and its relevance to the alleged ERISA violation—and not on whether the subject of the investigation is (or is not) an ERISA fiduciary. The opposite rule, the Seventh Circuit observed, would allow ERISA fiduciaries to escape liability by simply outsourcing recordkeeping and administrative functions to non-fiduciary third parties.
The Seventh Circuit also rejected the service provider's argument that the DOL lacked authority to investigate cybersecurity incidents. The court held that the service provider forfeited this argument by raising it for the first time on appeal, rather than at the district court level. But even if the service provider had not forfeited its cybersecurity argument, the Seventh Circuit would have rejected it. Noting ERISA's duties of loyalty and prudence, the court reasoned that the reasonableness of the service provider's cybersecurity services and the scope of any breaches that occurred were relevant to the DOL's investigation of whether ERISA had been violated by:
  • The service provider itself.
  • Any of the employers that outsourced the management of their ERISA plans to the service provider.

DOL's Subpoena Was Not Too Indefinite or Unduly Burdensome

The service provider also challenged the DOL's subpoena as too indefinite and burdensome to enforce. Regarding indefiniteness, the Seventh Circuit concluded that the service provider failed to argue that the subpoena was unclear. Regarding the burden of complying with the subpoena, the Seventh Circuit observed that:
  • Administrative subpoenas are afforded a presumption that compliance with them should be enforced.
  • A subpoena may be overly burdensome if complying with it would threaten the normal operations of the subject's business.
The Seventh Circuit reasoned that although the service provider asserted that complying with the subpoena might be difficult, it did not show that compliance would threaten its normal business operations. The Seventh Circuit also held that the service provider failed to show that the subpoena was unduly burdensome. In reaching this conclusion, the court reasoned that the service provider:
  • Failed to argue that the documents were not relevant to the DOL's investigation.
  • Did not offer detailed estimates of how many documents it would need to produce or the cost of producing the documents.
Citing rulings from other circuits, the Seventh Circuit concluded that large production requests are not necessarily unduly burdensome.

Protective Order Was Not Warranted

The Seventh Circuit held that the district court was not wrong in denying the service provider's request for a protective order for information required to be submitted under the subpoena. The service provider had argued that a protective order should have been issued for:
  • Plan participant information of a personally identifiable nature (including Social Security numbers, contact information, and asset and banking information) (see generally, in the HIPAA context, Standard Document, Qualified Protective Order Under HIPAA (Federal)).
  • Confidential settlement agreements between the service provider and its clients.
  • Client-identifying information, information related to cybersecurity investigations, and documents related to security measures for clients' plans.
As an initial matter, the Seventh Circuit noted that the service provider failed to formally ask for a protective order regarding the materials (that is, using the Federal Rules of Civil Procedure (FRCP)). In addition, the court reasoned that:
  • FOIA and other federal laws prohibit DOL employees from disclosing confidential information.
  • The service provider failed to show that disclosing the information to the DOL would result in disclosure to a third party.
The service provider's only attempt to show good cause for a protective order, the Seventh Circuit observed, was to assert that the DOL had experienced data breaches and cyberattacks in the past. The Seventh Circuit dismissed this generalized concern, noting that it:
  • Would exist for almost all government-issued subpoenas.
  • Was unpersuasive, particularly since the service provider itself was being investigated for alleged cybersecurity breaches that could potentially affect ERISA plan participant information.
Finally, the court concluded that allowing the service provider to redact client and plan information would prevent the DOL from being able to determine if one of the service provider's employer/clients had violated ERISA.

Practical Impact

As the service provider in this case has discovered, the DOL has fairly broad subpoena authority in the enforcement context—assuming that its requests are reasonably relevant to the investigation and not too indefinite. However, the DOL did agree to clarify or narrow several of its original subpoena requests. Also, although the service provider's ERISA fiduciary status ended up being irrelevant (in the Seventh Circuit's view) to the DOL's investigatory authority, it may be noteworthy—particularly to the service provider's clients—that the service provider does not view itself as an ERISA fiduciary regarding any of its plan sponsor/clients' ERISA plans. (The Seventh Circuit did not need to rule on the ERISA fiduciary status question in this decision.) The Seventh Circuit's decision does not offer great detail regarding the nature of the ERISA violations being investigated by the DOL. However, the decision does note that those violations may have occurred due to the actions of either the service provider or its many clients (whose unredacted identifying information will now be available to the DOL).