"Alight's arguments are not persuasive," the judges wrote. "Alight argues the subpoena is unenforceable because the Department lacks authority to investigate the company, or cybersecurity incidents generally," and that the information requested in the subpoena is "too indefinite and unduly burdensome."
The DOL began investigating Alight in July 2019 for processing unauthorized distributions for participants' accounts in clients' retirement plans, wrote the judges, adding that cybersecurity breaches caused these distributions.
"The Department says Alight failed to report, disclose and restore those unauthorized distributions," the judges wrote. "Alight denies any knowledge of breaches resulting from unauthorized distributions."
As part of its investigation, the DOL issued an administrative subpoena asking for responses to 32 questions.
"Alight produced a limited number of documents in response to about half of the subpoena's requests, but the company also objected to many of the inquiries," the judges wrote. "Specifically, the company challenged the Department's investigatory authority and purposes, criticized the subpoena's scope and burden, and emphasized its duty to keep certain information confidential."
The DOL filed suit in the Chicago district seeking enforcement of the subpoena. Although the DOL and Alight continued discussions and although the company provided some additional information, "Alight redacted most of the documents it produced to remove client identifying information, which prevented the Department from discerning potential ERISA violations," the appeals court judges wrote.
Alight asked the District Court to quash the subpoena, arguing the DOL "lacked the authority to investigate the company because Alight is not a fiduciary under ERISA" and that the subpoena "was too indefinite to enforce and sought documents unrelated to ERISA plans," according to the appeals court.
The District Court ruled the DOL's investigatory authority wasn't restricted to fiduciaries and that the requested information was relevant to the ERISA investigation.
The court also rejected Alight's claim that the subpoena was indefinite.
Alight made essentially the same arguments to the appeals court — and received the same answer. "Whether or not Alight is a fiduciary does not affect the Department's investigatory authority," the appeals court judges wrote.
Alight also contended that the Department lacks the authority to conduct cybersecurity investigations, the judges wrote, adding that this assertion was first discussed on appeal. The judges rejected this claim.