Walsh v. Alight Solutions, LLC, No. 21-3290 (7th Cir. 2022)

Justia Opinion Summary

Alight provides recordkeeping services for employee healthcare and retirement benefit plans, some of which are governed by ERISA, 29 U.S.C. 1001–1461. The Department of Labor investigated Alight, following a discovery that Alight processed unauthorized distributions of plan benefits due to cybersecurity breaches, and sent Alight an administrative subpoena duces tecum, seeking documents in response to 32 inquiries, including broad demands, such as “[a]ll documents and communications relating to services offered to ERISA plan clients.” Alight produced some documents but objected to several inquiries, citing its duty to keep certain information confidential. The Department petitioned for enforcement of the subpoena. Alight produced additional materials but redacted most of the documents to remove client identifying information, preventing the Department from discerning potential ERISA violations. Alight asked the court to quash or limit the subpoena and permit redactions. Alight’s legal consultant projected full compliance would require “thousands of hours of work.” The Department clarified or narrowed its requests.

The Seventh Circuit affirmed an order granting the Department’s petition to enforce the subpoena with some modifications. The court rejected Alight’s arguments that the subpoena is unenforceable because the Department lacks authority to investigate the company because it is not a fiduciary under ERISA, or cybersecurity incidents generally; that the subpoena’s demands are too indefinite and unduly burdensome, and that the district court abused its discretion by denying Alight’s request for a protective order to limit production of certain sensitive information.

In the United States Court of Appeals
For the Seventh Circuit

No. 21-3290

MARTIN J. WALSH, Secretary of Labor, Petitioner-Appellee,
v.
ALIGHT SOLUTIONS LLC, Respondent-Appellant.

Appeal from the United States District Court for the Northern District of Illinois, Eastern Division. No. 1:20-cv-2138 — John F. Kness, Judge.

ARGUED APRIL 21, 2022 — DECIDED AUGUST 12, 2022

Before EASTERBROOK, ROVNER, and BRENNAN, Circuit Judges.

BRENNAN, Circuit Judge. The U.S. Department of Labor is investigating alleged cybersecurity breaches at Alight Solutions LLC, a company that provides administrative services for employers who sponsor healthcare and retirement plans. As part of its investigation the Department issued an administrative subpoena. Alight produced some documents but objected to many of the subpoena’s requests. The district court granted the Department’s petition to enforce the subpoena with some modifications.

On appeal, Alight argues the subpoena is unenforceable because the Department lacks authority to investigate the company, or cybersecurity incidents generally. The company also contends the subpoena’s demands are too indefinite and unduly burdensome, and that the district court abused its discretion by denying Alight’s request for a protective order to limit production of certain sensitive information. Alight’s arguments are not persuasive, so we affirm.

I

Alight provides recordkeeping services for employers who sponsor healthcare and retirement benefit plans for their employees, some of which are governed by the Employee Retirement Income Security Act, 29 U.S.C. §§ 1001–1461 (“ERISA”). As of November 2020, Alight served over 750 clients supporting more than 20.3 million plan participants. These clients entrust Alight with highly sensitive information about their companies, employee benefits plans, and plan participants.
Alight provides cybersecurity services to protect this confidential information.

The Department opened an investigation of Alight in July 2019 prompted by a discovery that Alight processed unauthorized distributions of plan benefits due to cybersecurity breaches in its ERISA plan clients’ accounts. The Department says Alight failed to report, disclose, and restore those unauthorized distributions. Alight denies any knowledge of breaches resulting in unauthorized distributions.

As part of the investigation the Department sent Alight an administrative subpoena duces tecum. The subpoena calls for documents in response to 32 inquiries and covers the period from January 1, 2015 through the date of production. The information requested ranges from specific inquiries, like Alight’s articles of incorporation and bylaws, to broad demands, including “[a]ll documents and communications relating to services offered to ERISA plan clients.”

Alight produced a limited number of documents in response to about half of the subpoena’s requests, but the company also objected to many of the inquiries. Specifically, the company challenged the Department’s investigatory authority and purposes, criticized the subpoena’s scope and burden, and emphasized its duty to keep certain information confidential.

After unsuccessful attempts by the parties to resolve Alight’s objections, the Department petitioned the district court to enforce the subpoena. Meanwhile, the company continued to interact with the Department and produced additional materials. But Alight redacted most of the documents it produced to remove client identifying information, which prevented the Department from discerning potential ERISA violations.

In response to the petition, Alight filed a memorandum opposing enforcement of the subpoena.
The company argued that the Department lacked the authority to investigate the company because Alight is not a fiduciary under ERISA, the subpoena was too indefinite to enforce and sought documents unrelated to ERISA plans, and enforcement would jeopardize confidential information Alight was contractually obligated to protect. The company also noted that although the subpoena requested documents back to January 1, 2015, Alight was not formed until May 2017. Alight asked the district court to quash the subpoena, or at a minimum to limit the subpoena and enter a protective order permitting redactions.

Alight’s response also highlighted a production sample its legal consultant prepared, which covered two months of responsive documents. The consultant spent over 40 hours preparing the sample, and she estimated that the employees who assisted her collectively spent the same amount of time on the project. Based on this sample, Alight’s legal consultant projected full compliance with the subpoena would require “thousands of hours of work.”

The Department filed a reply memorandum defending the subpoena. It stated that additional documentation was not required for 9 of the original 32 production requests. For the remaining 23 inquiries, the Department clarified or narrowed each request.

Ultimately, the district court granted the Department’s petition to enforce the subpoena as modified by the Department’s reply memorandum. The court found that the Department’s investigatory authority was not limited to fiduciaries, and that the requested information was reasonably relevant to the ERISA investigation. It also ruled that the subpoena was not too indefinite, and that Alight’s challenge to the indefiniteness of the subpoena related more to the burden of production than the clarity of the production requests.
As to Alight’s burden of compliance, the court applied the presumption that subpoenas should be enforced and decided that the balance between the relevance of the requested information and the cost of production favored enforcement.

The district court also declined to enter a protective order. Not only had Alight failed to formally move for such an order under Federal Rule of Civil Procedure 26(c), but the court found that the Freedom of Information Act and 18 U.S.C. § 1905 prohibited the Department from publicizing Alight’s confidential information. So, the court concluded that Alight had not shown good cause for redacting the requested documents.

Last, the court addressed the date range covered by the subpoena. Reasoning that Alight “cannot produce what it does not have,” the court directed Alight to produce those documents in its possession. And “if [Alight] does not have anything within its possession, custody, or control to produce from the period before it had its current legal existence, it should respond to the Subpoena accordingly.”

II

“We review the district court’s decision to enforce an agency subpoena for abuse of discretion, and we review any factual determinations on which the ruling is based for clear error. Questions of law are reviewed de novo.” EEOC v. Aerotek, Inc., 815 F.3d 328, 333 (7th Cir. 2016) (citations omitted); see McLane Co., Inc. v. EEOC, 137 S. Ct. 1159, 1170 (2017). “A decision is an abuse of discretion only if no reasonable person would agree with the decision made by the trial court.” Lange v. City of Oconto, 28 F.4th 825, 842 (7th Cir. 2022) (quoting Smith v. Hunt, 707 F.3d 803, 808 (7th Cir. 2013)). Under clear-error review, we will overturn a decision “only if the entire record leaves us ‘with the definite and firm conviction that a mistake has been committed.’” Wilborn v. Ealey, 881 F.3d 998, 1006 (7th Cir. 2018) (quoting Anderson v. City of Bessemer City, 470 U.S. 564, 573 (1985)).
A subpoena enforcement proceeding is “designed to be summary in nature.” EEOC v. United Air Lines, Inc., 287 F.3d 643, 649 (7th Cir. 2002) (quoting EEOC v. Tempel Steel Co., 814 F.2d 482, 485 (7th Cir. 1987)). In the context of administrative subpoenas, “a district court’s subpoena enforcement function is narrowly limited: in deciding whether to enforce, ‘it is sufficient if the inquiry is within the authority of the agency, the demand is not too indefinite and the information sought is reasonably relevant.’” Aerotek, 815 F.3d at 333 (quoting Dow Chem. Co. v. Allen, 672 F.2d 1262, 1267 (7th Cir. 1982)). “[I]t is also clearly recognized that disclosure may be restricted where it would impose an unreasonable or undue burden on the party from whom production is sought,” Dow Chem., 672 F.2d at 1267, and a subpoena may not be issued for an illegitimate purpose. McLane, 137 S. Ct. at 1165. “In the mine run of cases, the district court’s decision whether to enforce a subpoena will turn either on whether the evidence sought is relevant to the specific charge before it or whether the subpoena is unduly burdensome in light of the circumstances.” Id. at 1167. These inquiries “are ‘generally not amenable to broad per se rules’; rather, they are the kind of ‘fact-intensive, close calls’ better suited to resolution by the district court than the court of appeals.” Id. at 1168 (citations omitted).

On appeal, Alight offers similar arguments as in the district court: the Department lacks authority to issue the subpoena, the subpoena is too indefinite and burdensome to enforce, and a protective order is needed to prevent disclosure of certain confidential information.

A

Alight contends that the subpoena falls outside the Department’s authority because it cannot investigate non-fiduciaries, and ERISA does not authorize investigations into cybersecurity issues. Each challenge raises a question of law, which we review de novo. Aerotek, 815 F.3d at 333.
The Department’s authority to issue subpoenas under ERISA is codified at 29 U.S.C. § 1134(a)(1):

The Secretary shall have the power, in order to determine whether any person has violated or is about to violate any provision of this subchapter or any regulation or order thereunder-(1) to make an investigation, and in connection therewith to require the submission of reports, books, and records, and the filing of data in support of any information required to be filed with the Secretary under this subchapter[.]

As the statute states, and as both parties agree, the Department need not determine whether a violation has occurred before issuing a subpoena. Indeed, “[a]n administrative agency’s subpoena power is intended to permit the agency to ‘investigate merely on suspicion that the law is being violated, or even just because it wants assurance that it is not.’” Chao v. Loc. 743, Int'l Brotherhood of Teamsters, AFL-CIO, 467 F.3d 1014, 1017 (7th Cir. 2006) (quoting United States v. Morton Salt Co., 338 U.S. 632, 642–43 (1950)).

Alight maintains that the Department is not authorized to investigate non-fiduciaries. This precludes the Department from issuing a subpoena to Alight, the company claims, because Alight only services ERISA plans in an administrative capacity. Thus, Alight insists, it is not a fiduciary for any client’s ERISA plan.

Whether or not Alight is a fiduciary does not affect the Department’s investigatory authority. Under 29 U.S.C. § 1134(a)(1), the Department has the power to launch investigations “in order to determine whether any person has violated or is about to violate any provision of this subchapter or any regulation or order thereunder.” (Emphasis added). The statute does not limit the Department’s investigatory authority to fiduciaries, or by who receives a subpoena. Instead, as the Department argued, its authority hinges on the information requested and its relation to an actual or potential ERISA violation.
Even if Alight only has information about another entity’s ERISA violation, the statute grants the Department authority to compel its production from Alight. A contrary rule would allow ERISA fiduciaries to avoid liability altogether by outsourcing recordkeeping and administrative functions to non-fiduciary third parties, evading regulatory oversight. Congress did not confine the Department’s investigatory power in this manner.

For the first time on appeal, Alight also argues that the Department lacks authority to conduct cybersecurity investigations. This argument is forfeited. While “waiver is the ‘intentional relinquishment or abandonment of a known right,’ forfeiture is the mere failure to raise a timely argument, due to either inadvertence, neglect, or oversight.” Henry v. Hulett, 969 F.3d 769, 786 (7th Cir. 2020) (en banc) (quoting United States v. Olano, 507 U.S. 725, 733 (1993)). Alight did not challenge the Department’s authority to investigate cybersecurity incidents in the district court. The company disagrees and points to multiple citations in the district court record. But each is a challenge by Alight of the Department’s authority to investigate non-fiduciaries, not an objection to cybersecurity investigations generally.

Because this is a civil case, “‘our ability to review for plain error … is severely constricted,’ as ‘a civil litigant should be bound by his counsel’s actions.’” Id. (quoting SEC v. Yang, 795 F.3d 674, 679 (7th Cir. 2015)). Consequently, we will review for plain error only “in the rare situation where a party can demonstrate that: ‘(1) exceptional circumstances exist; (2) substantial rights are affected; and (3) a miscarriage of justice will occur if plain error review is not applied.’” Id. (quoting Thorncreek Apartments III, LLC v. Mick, 886 F.3d 626, 636 (7th Cir. 2018)). Alight makes no effort to satisfy this demanding standard.

Even if not forfeited, Alight’s merits argument is unconvincing.
As the Supreme Court has long recognized, Congress incorporated into ERISA “a standard of loyalty and a standard of care.” Cent. States, Se. & Sw. Areas Pension Fund v. Cent. Transp., Inc., 472 U.S. 559, 570 (1985). The reasonableness of Alight’s cybersecurity services, and the extent of any breaches, is therefore relevant to determining whether ERISA has been violated—either by Alight itself, or by the employers that outsourced management of their ERISA plans to Alight.

B

Alight also argues that the Department’s administrative subpoena is too indefinite and too burdensome to enforce.

Indefiniteness. To Alight, the subpoena’s requests are “too indefinite and unreasonably broad to be enforced in its entirety, without modification.” At the outset, whether a subpoena is too broad is a question of indefiniteness for Alight. Alight disputes the district court’s framework for addressing the subpoena’s breadth, contending that the district court erred by addressing this issue as a question of undue burden.

We disagree. The cases Alight identifies do not state that a subpoena’s breadth and definiteness are the same inquiry, and many expressly distinguish these questions. See, e.g., Okla. Press Pub. Co. v. Walling, 327 U.S. 186, 208 (1946) (noting that the Fourth Amendment guards against “too much indefiniteness or breadth” in a subpoena); Peters v. United States, 853 F.2d 692, 699 (9th Cir. 1988) (noting a “subpoena will not be enforced if it is too indefinite or broad”). A subpoena can be too indefinite if its demands are overly vague or amorphous, but the breadth of the production demanded is a topic better suited for an inquiry of relevancy or undue burden.
See, e.g., Aerotek, 815 F.3d at 332, 334 (treating the appellant’s objection that an administrative subpoena’s requests amounted to “a fishing expedition totally unrelated to the matter under investigation” as a relevancy challenge, while also noting that the appellant made “no claim that the request is too indefinite”). Alight has not argued that the subpoena is unclear, and the district court was correct to find that its terms are not too indefinite.

Burdensomeness. Alight offers a scattershot of contentions about the burden of compliance with the Department’s administrative subpoena. The company challenges the legal standard the district court employed. Alight is less than clear as to which subpoena requests it actually protests. The company also disagrees with the district court’s evaluation of the subpoena’s burden.

When examining the burden of complying with a subpoena, “[t]he presumption is that compliance should be enforced to further the agency’s legitimate inquiry into matters of public interest.” United Air Lines, 287 F.3d at 653 (quoting FTC v. Shaffner, 626 F.2d 32, 38 (7th Cir. 1980)). “Often we have phrased this ‘difficult burden’ as requiring a showing that ‘compliance would threaten the normal operation of a respondent’s business.’” Id. (quoting EEOC v. Bay Shipbuilding Corp., 668 F.2d 304, 313 (7th Cir. 1981)). This is a fact-intensive inquiry, and “[c]onclusory allegations of burdensomeness are insufficient.” Id. To determine whether a subpoena is unduly burdensome, the district court must “weigh the likely relevance of the requested material to the investigation against the burden to [the respondent] of producing the material.” Id. at 654 (alteration in original) (quoting EEOC v. Ford Motor Credit Co., 26 F.3d 44, 47 (6th Cir. 1994)); see Chao, 467 F.3d at 1017 (requiring requested information to be “reasonably relevant”).

Alight insists the district court applied the wrong legal standard.
The company points to a portion of the court’s order which determined that Alight’s burden was not outweighed by the “potential relevance” of the requests. This was error, Alight insists, because the court should have ensured the production requests were “reasonably relevant” or “likely relevant.” But Alight ignores a different portion of the court’s order in which it expressly found that the subpoena’s modified requests “are reasonably relevant to an investigation of compliance with ERISA.” That the court also described the requested documents as “potentially relevant” does not undermine this express finding. Alight also has not argued why the court’s “reasonably relevant” determination is incorrect, so we are not left with a “definite and firm conviction” that a mistake has been made. Wilborn, 881 F.3d at 1006 (quoting Anderson, 470 U.S. at 573).

Alight further suggests that the district court improperly relied on this court’s decision in EEOC v. Quad/Graphics, Inc., 63 F.3d 642 (7th Cir. 1995). There, the subpoenaed party estimated that compliance would require more than 200,000 hours of work. Id. at 648. This court ruled that the time projections for compliance were “inflated” and upheld the subpoena. Id. at 649. Alight argues the district court wrongly construed the 200,000-hour estimate in Quad/Graphics as a threshold for assessing burdensomeness while ignoring the fact that this estimate was found to be exaggerated. But here, the district court raised the estimate only to show that a subpoena has been upheld when “the responding party estimated that compliance would require more than 200,000 hours”—a true statement. Elsewhere in its order, the district court acknowledged that burdensomeness is a “case-specific” inquiry, not a universal standard. So an erroneous 200,000 threshold requirement was not applied, as Alight contends.

Next, we note that Alight is not clear as to which subpoena requests it disputes.
Its opening appellate brief directly challenged only 5 of the 23 production requests that remain in dispute out of the original 32. What is more, at least some of Alight’s objections are based on the production requests “as originally drafted,” not the inquiries the district court upheld as modified.[1]

[1] For example, Alight objects to the breadth of Request 8, which seeks “[a]ll documents relating to any litigation, arbitration, or legal proceedings in which Alight is a party.” But the modified subpoena states that the Department is not seeking any additional documentation for that inquiry. Alight also challenges Request 9, which sought “[a]ll documents relating to any regulatory investigations, examinations, or inquiries in which Alight is a party,” on the basis that it is not limited to ERISA plans, but the modified subpoena added language specifying that precise limitation. Alight opposes Request 3 on similar grounds, but the Department also limited its scope.

The only unmodified requests that Alight challenges by name are Request 11 (“[a]ll contracts, agreements, arrangements, and fee schedules used by Alight to provide services to ERISA plan clients”) and Request 12 (“[a]ll documents and communications relating to services offered to ERISA plan clients, including the Alight Protection Program”). These requests would require production of “virtually every document concerning its ERISA business,” the company submits. Yet Alight does not argue that these documents lack reasonable relevancy to the Department’s investigation, nor does it show how compliance with Requests 11 and 12 would be unduly burdensome. Alight does not estimate how many documents these two requests encompass, or the time or cost associated with compliance. If Alight believes specific requests in the modified subpoena are unrelated to the investigation or unduly burdensome, it should have briefed those concerns before us, which it did not do.

Alight also disagrees with the district court’s evaluation of the burden the company faces to comply with the administrative subpoena. Alight points to its two-month production sample, noting that its legal consultant took “over forty hours” to identify responsive materials. “Replicating this process for all the incidents in the seven-year period covered by the Subpoena,” the company claims, “would require thousands of hours of work.” These estimates also do not include the hours spent by other employees collecting the requested information. But Alight fails to show the district court abused its discretion for two reasons.

First, the company’s estimates lack detail. “We often have considered the cost of compliance when evaluating burdensomeness,” United Air Lines, 287 F.3d at 653, along with “the number of files involved” and “the number of estimated work hours required to effect compliance.” Shaffner, 626 F.2d at 38. Alight has not estimated the number of documents at issue or the cost of producing those documents. As for the two-month sample, Alight has not shown that the documents in this window represent the remaining materials covered by the subpoena’s timeframe. In fact, Alight's legal consultant provided only a single paragraph extrapolating her two-month burden to the investigation at large.

Alight’s estimates may be high because it increased its own burden of production by redacting many documents it produced—a practice the district court later disallowed. Such self-imposed measures undermine our confidence that a company’s production estimates are accurate. See Aerotek, 815 F.3d at 334 (“Aerotek increased the burden on itself by creating a coding system to mask the identity of individuals and clients in its earlier non-compliant productions to the EEOC.”). Alight’s estimates also seem to be based on a seven-year period in accord with the subpoena’s request for information back to 2015.
But as Alight noted during litigation, the company was not formed until 2017, so it is unclear how many documents, if any, Alight possesses from before 2017 that the subpoena covers. As for Alight’s assertion that its two-month sample does not account for the hours or costs incurred by other employees, unarticulated cost multipliers—based wholly on an unverified and summary estimate by its legal consultant—are the type of conclusory allegations insufficient to establish an undue burden. See United Air Lines, 287 F.3d at 653.

Second, even if we credited Alight’s estimates that production would require “thousands of hours of work”—an admittedly cumbersome task—Alight has not shown why that undertaking is unduly burdensome. While Alight has explained that it could be difficult to comply with the subpoena, it has not shown, for example, that “compliance would threaten the normal operation of [its] business.” Id. (quoting Bay Shipbuilding, 668 F.2d at 313). A review of decisions by our fellow circuits confirms that large production requests are not necessarily unduly burdensome. See, e.g., FDIC v. Garner, 126 F.3d 1138, 1145-46 (9th Cir. 1997) (upholding an administrative subpoena that required production of over one million documents); NLRB v. Carolina Food Processors, 81 F.3d 507, 513 (4th Cir. 1996) (“[A] subpoena is not unduly burdensome merely because it requires the production of a large number of documents.”); EEOC v. Citicorp Diners Club, Inc., 985 F.2d 1036, 1040 (10th Cir. 1993) (upholding a subpoena where compliance required “two full-time employees working approximately six months”). Without more, we cannot say that “no reasonable person would agree with the decision made by the trial court.” Lange, 28 F.4th at 842 (quoting Smith, 707 F.3d at 808).

In concluding that the administrative subpoena here is not unduly burdensome, we note our holding is narrow.
Agencies should not read this result as granting leave to issue administrative subpoenas that are overly cumbersome or that seek information not reasonably relevant to the investigation at hand. Indeed, at oral argument before us, the Department was hard pressed to explain why a subpoena was issued seeking all documents responsive to the 32 inquiries, as opposed to requesting a production sample. But Alight has not argued the requested information lacks reasonable relevancy. And the company’s burdensomeness arguments—which target only a handful of the remaining 26 production requests—lack details about the number of documents implicated, the cost to produce those documents, the hours production would require, or how compliance would threaten the normal operation of Alight’s business.

C

Finally, Alight argues the district court wrongly denied its request for a protective order. The company submits that three categories of documents should have received confidentiality protections: “(1) ERISA plan participant [personally identifiable information]; (2) confidential settlement agreements; and (3) client identifying information.”

“The trial court is in the best position to weigh fairly the competing needs and interests of parties affected by discovery.” Heraeus Kulzer, GmbH v. Biomet, Inc., 881 F.3d 550, 565 (7th Cir. 2018) (quoting Cnty. Materials Corp. v. Allan Block Corp., 502 F.3d 730, 739 (7th Cir. 2007)). So, we review a district court’s denial of a protective order in a subpoena enforcement action for abuse of discretion. Id.; Dow Chemical, 672 F.2d at 1277. “[A] district court is required to ‘independently determine if good cause exists’ before judicially protecting discoverable documents from third-party disclosure.” Salmeron v. Enter. Recovery Sys., Inc., 579 F.3d 787, 795 (7th Cir. 2009) (quoting Jepson, Inc. v. Makita Elec. Works, Ltd., 30 F.3d 854, 858 (7th Cir. 1994)); see FED. R. CIV. P.
26(c) (“The court may, for good cause, issue an order.”).

Alight starts from behind on this point, as it never formally moved for a protective order under Rule 26(c). It does argue that the personal identifiable information of its plan participants should have been protected. This information is highly confidential, and includes “social security numbers, contact information, asset information, and banking information.” Indeed, Alight is contractually obligated to protect the confidentiality of this information.[2]

[2] Of course, the Department’s investigatory authority is not impinged by private agreements. See EEOC v. Severn Trent Servs., Inc., 358 F.3d 438, 442 (7th Cir. 2004) (stating a private contract cannot trump a government subpoena).

While this information is sensitive, Alight has not shown how its disclosure to the Department would result in the information being revealed to a third party. As the district court observed, this confidential information is protected from disclosure under the Freedom of Information Act, and 18 U.S.C. § 1905 criminalizes the disclosure of confidential information by federal employees. Alight’s only attempt to show good cause for the protective order is to note that the Department has experienced some data breaches and cyberattacks in the past. But this generalized concern, which exists for nearly every government subpoena, does not persuade us that the district court abused its discretion, especially when Alight itself is being investigated for alleged cybersecurity breaches that threatened ERISA plan participant information.

Next, Alight contends that a protective order should have been issued for confidential settlement agreements the company entered with clients that concern “potential unauthorized access and disbursement to client accounts.” But again, Alight has not articulated how production of this information would result in disclosure to a third party.
The Department correctly argues that the settlement agreements, which could clarify the number and extent of any cybersecurity breaches, are crucial to its investigation of Alight.

Last, Alight insists a protective order was warranted for “broad categories of client information including contracts and fee schedules, information related to investigations of alleged cybersecurity and fraud, documents concerning services and security measures applicable to a given plan, and other proprietary information about Alight’s client’s benefit plans.” Aside from Alight’s continued inability to explain how this information could become publicly available, the Department’s cybersecurity investigation directly implicates this information. If Alight were to redact the names of its clients and the corresponding plan names, as the company advocates, the Department could not identify which employers may have violated ERISA. There is no good-cause basis to deny the Department access to this critical information, and we cannot say the district court abused its discretion in denying Alight’s request for a protective order.

* * *

For these reasons, we AFFIRM the judgment of the district court.

Primary Holding
Seventh Circuit upholds the enforcement of a subpoena to allow the Department of Labor to investigate cybersecurity breaches that implicate ERISA plan benefits.
