DOL Seeks Information From Alight Solutions About Cybersecurity Incidents

Alight has been sued by retirement plan participants whose accounts were hacked, and the Department of Labor is investigating the provider's practices.

Judge John F. Kness of the U.S. District Court for the Northern District of Illinois has ruled that Alight Solutions must comply immediately with a Department of Labor (DOL) administrative subpoena seeking documents for an investigation of unauthorized distributions from employee benefit accounts.

In July 2019, the DOL’s Employee Benefits Security Administration (EBSA) began investigating Alight Solutions to determine whether any violations of Title I of the Employee Retirement Income Security Act (ERISA) had occurred. According to the court order, the agency’s investigation was prompted, at least in part, by its discovery that Alight had processed unauthorized distributions as a result of cybersecurity breaches relating to its ERISA plan clients’ accounts. In addition, the investigation found that, in violation of its service provider agreements, Alight failed to immediately report cybersecurity breaches and the related unauthorized distributions to ERISA plan clients after its discoveries. Alight also repeatedly failed to restore the unauthorized distribution amounts to its ERISA plan clients’ accounts, the court order says.

In April 2020, when Alight had not supplied all the information the DOL requested, the agency sued Alight.

Alight has been named as a defendant in two lawsuits filed by retirement plan participants who claim the company and their employers breached ERISA’s fiduciary duties when unauthorized distributions were taken from the participants’ accounts.

In a lawsuit filed by a participant in the Abbott Laboratories Stock Retirement Plan, a judge dismissed Abbott from the lawsuit, but the company was brought in as a defendant again in an amended complaint. Earlier this year, the judge again dismissed Abbott from the suit, leaving Alight as a defendant.

A separate suit filed by a participant in the Estee Lauder 401(k) plan, in which Alight Solutions was also named as a defendant, was dismissed after the parties announced they had agreed to a settlement of the charges.

As part of EBSA’s investigation into Alight’s practices, Secretary of Labor Martin Walsh issued an administrative subpoena to Alight calling for “all documents in [its] possession, custody [or] control” in response to 32 inquiries. The subpoena also specifies that, unless otherwise noted, “the time period covered by the subpoena is from January 1, 2015, to the date of production.”

In his court order, Kness said the subpoena power is broad. It permits the secretary to “investigate merely on suspicion that the law is being violated, or even just because it wants assurance that it is not.” He rejected Alight’s argument that the subpoena power only extends to entities classified as “fiduciaries” under ERISA, saying it is not supported by the text of the statute or by controlling case law addressing the scope of administrative subpoenas.

Kness also considered whether the burden on Alight weighs against enforcement of the subpoena. Alight argued that compliance “would require thousands of hours of work just to identify potentially responsive documents” in addition to the “time and expenses outside counsel would incur reviewing, de-identifying, and producing those materials.” It said there was a continued burden even after Walsh modified the subpoena requests. Alight argued that “the requests would still require [it] to pull, review and produce thousands, if not tens of thousands, of documents related to its ERISA business.”

“Weighing the relevance of the requests against the burden on the respondent, which the court does not take lightly, the court finds that the balance favors the secretary,” Kness ruled. “As explained above, the requests, as modified, are relevant to the department’s investigation and fall within the secretary’s broad investigatory authority. Moreover, although the burden of compliance is potentially significant, that burden does not outweigh the potential relevance of the requests.”