Martin J. Walsh v. Alight Solutions, LLC ( 2022 )

                              In the
United States Court of Appeals
For the Seventh Circuit
____________________
No. 21-3290
MARTIN J. WALSH, Secretary of Labor,
Petitioner-Appellee,
v.
ALIGHT SOLUTIONS LLC,
Respondent-Appellant.
____________________
Appeal from the United States District Court for the
Northern District of Illinois, Eastern Division.
No. 1:20-cv-2138 — John F. Kness, Judge.
____________________
ARGUED APRIL 21, 2022 — DECIDED AUGUST 12, 2022
____________________
Before EASTERBROOK, ROVNER, and BRENNAN, Circuit
Judges.
BRENNAN, Circuit Judge. The U.S. Department of Labor is
investigating alleged cybersecurity breaches at Alight Solu-
tions LLC, a company that provides administrative services
for employers who sponsor healthcare and retirement plans.
As part of its investigation the Department issued an admin-
istrative subpoena. Alight produced some documents but
2                                                 No. 21-3290
objected to many of the subpoena’s requests. The district
court granted the Department’s petition to enforce the sub-
poena with some modifications.
On appeal, Alight argues the subpoena is unenforceable
because the Department lacks authority to investigate the
company, or cybersecurity incidents generally. The company
also contends the subpoena’s demands are too indefinite and
unduly burdensome, and that the district court abused its dis-
cretion by denying Alight’s request for a protective order to
limit production of certain sensitive information. Alight’s ar-
guments are not persuasive, so we affirm.
I
Alight provides recordkeeping services for employers
who sponsor healthcare and retirement benefit plans for their
employees, some of which are governed by the Employee Re-
tirement Income Security Act, 

–1461
(“ERISA”). As of November 2020, Alight served over 750 cli-
ents supporting more than 20.3 million plan participants.
These clients entrust Alight with highly sensitive information
about their companies, employee benefits plans, and plan par-
ticipants. Alight provides cybersecurity services to protect
this confidential information.
The Department opened an investigation of Alight in July
2019 prompted by a discovery that Alight processed unau-
thorized distributions of plan benefits due to cybersecurity
breaches in its ERISA plan clients’ accounts. The Department
says Alight failed to report, disclose, and restore those unau-
thorized distributions. Alight denies any knowledge of
breaches resulting in unauthorized distributions.
No. 21-3290                                                 3
As part of the investigation the Department sent Alight an
administrative subpoena duces tecum. The subpoena calls for
documents in response to 32 inquiries and covers the period
from January 1, 2015 through the date of production. The in-
formation requested ranges from specific inquiries, like
Alight’s articles of incorporation and bylaws, to broad de-
mands, including “[a]ll documents and communications re-
lating to services offered to ERISA plan clients.”
Alight produced a limited number of documents in re-
sponse to about half of the subpoena’s requests, but the com-
pany also objected to many of the inquiries. Specifically, the
company challenged the Department’s investigatory author-
ity and purposes, criticized the subpoena’s scope and burden,
and emphasized its duty to keep certain information confi-
dential.
After unsuccessful attempts by the parties to resolve
Alight’s objections, the Department petitioned the district
court to enforce the subpoena. Meanwhile, the company con-
tinued to interact with the Department and produced addi-
tional materials. But Alight redacted most of the documents it
produced to remove client identifying information, which
prevented the Department from discerning potential ERISA
violations.
In response to the petition, Alight filed a memorandum
opposing enforcement of the subpoena. The company argued
that the Department lacked the authority to investigate the
company because Alight is not a fiduciary under ERISA, the
subpoena was too indefinite to enforce and sought documents
unrelated to ERISA plans, and enforcement would jeopardize
confidential information Alight was contractually obligated
to protect. The company also noted that although the
4                                                 No. 21-3290
subpoena requested documents back to January 1, 2015,
Alight was not formed until May 2017. Alight asked the dis-
trict court to quash the subpoena, or at a minimum to limit
the subpoena and enter a protective order permitting redac-
tions.
Alight’s response also highlighted a production sample its
legal consultant prepared, which covered two months of re-
sponsive documents. The consultant spent over 40 hours pre-
paring the sample, and she estimated that the employees who
assisted her collectively spent the same amount of time on the
project. Based on this sample, Alight’s legal consultant pro-
jected full compliance with the subpoena would require
“thousands of hours of work.”
The Department filed a reply memorandum defending
the subpoena. It stated that additional documentation was not
required for 9 of the original 32 production requests. For the
remaining 23 inquiries, the Department clarified or narrowed
each request.
Ultimately, the district court granted the Department’s pe-
tition to enforce the subpoena as modified by the Depart-
ment’s reply memorandum. The court found that the Depart-
ment’s investigatory authority was not limited to fiduciaries,
and that the requested information was reasonably relevant
to the ERISA investigation. It also ruled that the subpoena was
not too indefinite, and that Alight’s challenge to the indefi-
niteness of the subpoena related more to the burden of pro-
duction than the clarity of the production requests. As to
Alight’s burden of compliance, the court applied the pre-
sumption that subpoenas should be enforced and decided
that the balance between the relevance of the requested infor-
mation and the cost of production favored enforcement.
No. 21-3290                                                    5
The district court also declined to enter a protective order.
Not only had Alight failed to formally move for such an order
under Federal Rule of Civil Procedure 26(c), but the court
found that the Freedom of Information Act and 

 prohibited the Department from publicizing Alight’s
confidential information. So, the court concluded that Alight
had not shown good cause for redacting the requested docu-
ments.
Last, the court addressed the date range covered by the
subpoena. Reasoning that Alight “cannot produce what it
does not have,” the court directed Alight to produce those
documents in its possession. And “if [Alight] does not have
anything within its possession, custody, or control to produce
from the period before it had its current legal existence, it
should respond to the Subpoena accordingly.”
II
“We review the district court’s decision to enforce an
agency subpoena for abuse of discretion, and we review any
factual determinations on which the ruling is based for clear
error. Questions of law are reviewed de novo.” EEOC v. Aero-
tek, Inc., 

, 333 (7th Cir. 2016) (citations omitted);
see McLane Co., Inc. v. EEOC, 

, 1170 (2017). “A
decision is an abuse of discretion only if no reasonable person
would agree with the decision made by the trial court.” Lange
v. City of Oconto, 

, 842 (7th Cir. 2022) (quoting
Smith v. Hunt, 

, 808 (7th Cir. 2013)). Under clear-
error review, we will overturn a decision “only if the entire
record leaves us ‘with the definite and firm conviction that a
mistake has been committed.’” Wilborn v. Ealey, 

,
6                                                    No. 21-3290
1006 (7th Cir. 2018) (quoting Anderson v. City of Bessemer City,

, 573 (1985)).
A subpoena enforcement proceeding is “designed to be
summary in nature.” EEOC v. United Air Lines, Inc., 

, 649 (7th Cir. 2002) (quoting EEOC v. Tempel Steel Co., 

, 485 (7th Cir. 1987)). In the context of administrative
subpoenas, “a district court’s subpoena enforcement function
is narrowly limited: in deciding whether to enforce, ‘it is suf-
ficient if the inquiry is within the authority of the agency, the
demand is not too indefinite and the information sought is
reasonably relevant.’” Aerotek, 815 F.3d at 333 (quoting Dow
Chem. Co. v. Allen, 

, 1267 (7th Cir. 1982)). “[I]t is
also clearly recognized that disclosure may be restricted
where it would impose an unreasonable or undue burden on
the party from whom production is sought,” Dow Chem., 

, and a subpoena may not be issued for an illegit-
imate purpose. McLane, 137 S. Ct. at 1165. “In the mine run of
cases, the district court’s decision whether to enforce a sub-
poena will turn either on whether the evidence sought is rel-
evant to the specific charge before it or whether the subpoena
is unduly burdensome in light of the circumstances.” Id. at
1167. These inquiries “are ‘generally not amenable to broad
per se rules’; rather, they are the kind of ‘fact-intensive, close
calls’ better suited to resolution by the district court than the
court of appeals.” Id. at 1168 (citations omitted).
On appeal, Alight offers similar arguments as in the
district court: the Department lacks authority to issue the sub-
poena, the subpoena is too indefinite and burdensome to en-
force, and a protective order is needed to prevent disclosure
of certain confidential information.
No. 21-3290                                                    7
A
Alight contends that the subpoena falls outside the
Department’s authority because it cannot investigate non-fi-
duciaries, and ERISA does not authorize investigations into
cybersecurity issues. Each challenge raises a question of law,
which we review de novo. Aerotek, 815 F.3d at 333.
The Department’s authority to issue subpoenas under
ERISA is codified at 

(a)(1):
The Secretary shall have the power, in order to
determine whether any person has violated or
is about to violate any provision of this sub-
chapter or any regulation or order thereunder--
(1) to make an investigation, and in connection
therewith to require the submission of reports,
books, and records, and the filing of data in sup-
port of any information required to be filed with
the Secretary under this subchapter[.]
As the statute states, and as both parties agree, the Depart-
ment need not determine whether a violation has occurred
before issuing a subpoena. Indeed, “[a]n administrative
agency’s subpoena power is intended to permit the agency to
‘investigate merely on suspicion that the law is being violated,
or even just because it wants assurance that it is not.’” Chao v.
Loc. 743, Int'l Brotherhood of Teamsters, AFL-CIO, 

,
1017 (7th Cir. 2006) (quoting United States v. Morton Salt Co.,

, 642–43 (1950)).
Alight maintains that the Department is not authorized to
investigate non-fiduciaries. This precludes the Department
from issuing a subpoena to Alight, the company claims, be-
cause Alight only services ERISA plans in an administrative
8                                                   No. 21-3290
capacity. Thus, Alight insists, it is not a fiduciary for any cli-
ent’s ERISA plan.
Whether or not Alight is a fiduciary does not affect the De-
partment’s investigatory authority. Under 

(a)(1), the Department has the power to launch investi-
gations “in order to determine whether any person has vio-
lated or is about to violate any provision of this subchapter or
any regulation or order thereunder.” (Emphasis added). The
statute does not limit the Department’s investigatory author-
ity to fiduciaries, or by who receives a subpoena. Instead, as
the Department argued, its authority hinges on the infor-
mation requested and its relation to an actual or potential
ERISA violation. Even if Alight only has information about
another entity’s ERISA violation, the statute grants the De-
partment authority to compel its production from Alight. A
contrary rule would allow ERISA fiduciaries to avoid liability
altogether by outsourcing recordkeeping and administrative
functions to non-fiduciary third parties, evading regulatory
oversight. Congress did not confine the Department’s inves-
tigatory power in this manner.
For the first time on appeal, Alight also argues that the
Department lacks authority to conduct cybersecurity investi-
gations. This argument is forfeited. While “waiver is the ‘in-
tentional relinquishment or abandonment of a known right,’
forfeiture is the mere failure to raise a timely argument, due
to either inadvertence, neglect, or oversight.” Henry v. Hulett,

, 786 (7th Cir. 2020) (en banc) (quoting United
States v. Olano, 

, 733 (1993)). Alight did not chal-
lenge the Department’s authority to investigate cybersecurity
incidents in the district court. The company disagrees and
points to multiple citations in the district court record. But
No. 21-3290                                                      9
each is a challenge by Alight of the Department’s authority to
investigate non-fiduciaries, not an objection to cybersecurity
investigations generally. Because this is a civil case, “‘our abil-
ity to review for plain error … is severely constricted,’ as ‘a
civil litigant should be bound by his counsel’s actions.’” 

(quoting SEC v. Yang, 

, 679 (7th Cir. 2015)). Con-
sequently, we will review for plain error only “in the rare sit-
uation where a party can demonstrate that: ‘(1) exceptional
circumstances exist; (2) substantial rights are affected; and
(3) a miscarriage of justice will occur if plain error review is
not applied.’” 

 (quoting Thorncreek Apartments III, LLC v.
Mick, 

, 636 (7th Cir. 2018)). Alight makes no effort
to satisfy this demanding standard.
Even if not forfeited, Alight’s merits argument is uncon-
vincing. As the Supreme Court has long recognized, Congress
incorporated into ERISA “a standard of loyalty and a stand-
ard of care.” Cent. States, Se. & Sw. Areas Pension Fund v. Cent.
Transp., Inc., 

, 570 (1985). The reasonableness of
Alight’s cybersecurity services, and the extent of any
breaches, is therefore relevant to determining whether ERISA
has been violated—either by Alight itself, or by the employers
that outsourced management of their ERISA plans to Alight.
B
Alight also argues that the Department’s administrative
subpoena is too indefinite and too burdensome to enforce.
Indefiniteness. To Alight, the subpoena’s requests are “too
indefinite and unreasonably broad to be enforced in its en-
tirety, without modification.” At the outset, whether a sub-
poena is too broad is a question of indefiniteness for Alight.
Alight disputes the district court’s framework for addressing
10                                                  No. 21-3290
the subpoena’s breadth, contending that the district court
erred by addressing this issue as a question of undue burden.
We disagree. The cases Alight identifies do not state that a
subpoena’s breadth and definiteness are the same inquiry,
and many expressly distinguish these questions. See, e.g.,
Okla. Press Pub. Co. v. Walling, 

, 208 (1946) (noting
that the Fourth Amendment guards against “too much indef-
initeness or breadth” in a subpoena); Peters v. United States,

, 699 (9th Cir. 1988) (noting a “subpoena will not
be enforced if it is too indefinite or broad”). A subpoena can
be too indefinite if its demands are overly vague or amor-
phous, but the breadth of the production demanded is a topic
better suited for an inquiry of relevancy or undue burden. See,
e.g., Aerotek, 815 F.3d at 332, 334 (treating the appellant’s ob-
jection that an administrative subpoena’s requests amounted
to “a fishing expedition totally unrelated to the matter under
investigation” as a relevancy challenge, while also noting that
the appellant made “no claim that the request is too indefi-
nite”). Alight has not argued that the subpoena is unclear, and
the district court was correct to find that its terms are not too
indefinite.
Burdensomeness. Alight offers a scattershot of contentions
about the burden of compliance with the Department’s ad-
ministrative subpoena. The company challenges the legal
standard the district court employed. Alight is less than clear
as to which subpoena requests it actually protests. The com-
pany also disagrees with the district court’s evaluation of the
subpoena’s burden.
When examining the burden of complying with a sub-
poena, “[t]he presumption is that compliance should be en-
forced to further the agency’s legitimate inquiry into matters
No. 21-3290                                                     11
of public interest.” United Air Lines, 

 (quoting
FTC v. Shaffner, 

, 38 (7th Cir. 1980)). “Often we have
phrased this ‘difficult burden’ as requiring a showing that
‘compliance would threaten the normal operation of a re-
spondent’s business.’” 

 (quoting EEOC v. Bay Shipbuilding
Corp., 

, 313 (7th Cir. 1981)). This is a fact-intensive
inquiry, and “[c]onclusory allegations of burdensomeness are
insufficient.” 

 To determine whether a subpoena is unduly
burdensome, the district court must “weigh the likely rele-
vance of the requested material to the investigation against
the burden to [the respondent] of producing the material.” 

 (alteration in original) (quoting EEOC v. Ford Motor
Credit Co., 

, 47 (6th Cir. 1994)); see Chao, 467 F.3d at
1017 (requiring requested information to be “reasonably rele-
vant”).
Alight insists the district court applied the wrong legal
standard. The company points to a portion of the court’s or-
der which determined that Alight’s burden was not out-
weighed by the “potential relevance” of the requests. This was
error, Alight insists, because the court should have ensured
the production requests were “reasonably relevant” or “likely
relevant.”
But Alight ignores a different portion of the court’s order
in which it expressly found that the subpoena’s modified re-
quests “are reasonably relevant to an investigation of compli-
ance with ERISA.” That the court also described the requested
documents as “potentially relevant” does not undermine this
express finding. Alight also has not argued why the court’s
“reasonably relevant” determination is incorrect, so we are
not left with a “definite and firm conviction” that a mistake
12                                                          No. 21-3290
has been made. Wilborn, 881 F.3d at 1006 (quoting Anderson,

).
Alight further suggests that the district court improperly
relied on this court’s decision in EEOC v. Quad/Graphics, Inc.,

 (7th Cir. 1995). There, the subpoenaed party esti-
mated that compliance would require more than 200,000
hours of work. 

. This court ruled that the time
projections for compliance were “inflated” and upheld the
subpoena. 

. Alight argues the district court wrongly
construed the 200,000-hour estimate in Quad/Graphics as a
threshold for assessing burdensomeness while ignoring the
fact that this estimate was found to be exaggerated. But here,
the district court raised the estimate only to show that a sub-
poena has been upheld when “the responding party esti-
mated that compliance would require more than 200,000
hours”—a true statement. Elsewhere in its order, the district
court acknowledged that burdensomeness is a “case-specific”
inquiry, not a universal standard. So an erroneous 200,000
threshold requirement was not applied, as Alight contends.
Next, we note that Alight is not clear as to which subpoena
requests it disputes. Its opening appellate brief directly chal-
lenged only 5 of the 23 production requests that remain in dis-
pute out of the original 32. What is more, at least some of
Alight’s objections are based on the production requests “as
originally drafted,” not the inquiries the district court upheld
as modified. 1
1 For example, Alight objects to the breadth of Request 8, which seeks
“[a]ll documents relating to any litigation, arbitration, or legal proceed-
ings in which Alight is a party.” But the modified subpoena states that the
Department is not seeking any additional documentation for that inquiry.
Alight also challenges Request 9, which sought “[a]ll documents relating
No. 21-3290                                                                 13
The only unmodified requests that Alight challenges by
name are Request 11 (“[a]ll contracts, agreements, arrange-
ments, and fee schedules used by Alight to provide services
to ERISA plan clients”) and Request 12 (“[a]ll documents and
communications relating to services offered to ERISA plan
clients, including the Alight Protection Program”). These re-
quests would require production of “virtually every docu-
ment concerning its ERISA business,” the company submits.
Yet Alight does not argue that these documents lack reasona-
ble relevancy to the Department’s investigation, nor does it
show how compliance with Requests 11 and 12 would be
unduly burdensome. Alight does not estimate how many
documents these two requests encompass, or the time or cost
associated with compliance. If Alight believes specific re-
quests in the modified subpoena are unrelated to the investi-
gation or unduly burdensome, it should have briefed those
concerns before us, which it did not do.
Alight also disagrees with the district court’s evaluation of
the burden the company faces to comply with the administra-
tive subpoena. Alight points to its two-month production
sample, noting that its legal consultant took “over forty
hours” to identify responsive materials. “Replicating this pro-
cess for all the incidents in the seven-year period covered by
the Subpoena,” the company claims, “would require thou-
sands of hours of work.” These estimates also do not include
to any regulatory investigations, examinations, or inquiries in which
Alight is a party,” on the basis that it is not limited to ERISA plans, but the
modified subpoena added language specifying that precise limitation.
Alight opposes Request 3 on similar grounds, but the Department also
limited its scope.
14                                                   No. 21-3290
the hours spent by other employees collecting the requested
information.
But Alight fails to show the district court abused its discre-
tion for two reasons. First, the company’s estimates lack de-
tail. “We often have considered the cost of compliance when
evaluating burdensomeness,” United Air Lines, 

,
along with “the number of files involved” and “the number
of estimated work hours required to effect compliance.”
Shaffner, 

. Alight has not estimated the number
of documents at issue or the cost of producing those docu-
ments. As for the two-month sample, Alight has not shown
that the documents in this window represent the remaining
materials covered by the subpoena’s timeframe. In fact,
Alight's legal consultant provided only a single paragraph ex-
trapolating her two-month burden to the investigation at
large.
Alight’s estimates may be high because it increased its
own burden of production by redacting many documents it
produced—a practice the district court later disallowed. Such
self-imposed measures undermine our confidence that a com-
pany’s production estimates are accurate. See Aerotek, 815 F.3d
at 334 (“Aerotek increased the burden on itself by creating a
coding system to mask the identity of individuals and clients
in its earlier non-compliant productions to the EEOC.”).
Alight’s estimates also seem to be based on a seven-year pe-
riod in accord with the subpoena’s request for information
back to 2015. But as Alight noted during litigation, the com-
pany was not formed until 2017, so it is unclear how many
documents, if any, Alight possesses from before 2017 that the
subpoena covers. As for Alight’s assertion that its two-month
sample does not account for the hours or costs incurred by
No. 21-3290                                                  15
other employees, unarticulated cost multipliers—based
wholly on an unverified and summary estimate by its legal
consultant—are the type of conclusory allegations insufficient
to establish an undue burden. See United Air Lines, 

.
Second, even if we credited Alight’s estimates that produc-
tion would require “thousands of hours of work”—an
admittedly cumbersome task—Alight has not shown why
that undertaking is unduly burdensome. While Alight has ex-
plained that it could be difficult to comply with the subpoena,
it has not shown, for example, that “compliance would
threaten the normal operation of [its] business.” 

 (quoting
Bay Shipbuilding, 668 F.2d at 313). A review of decisions by our
fellow circuits confirms that large production requests are not
necessarily unduly burdensome. See, e.g., FDIC v. Garner, 

, 1145-46 (9th Cir. 1997) (upholding an administra-
tive subpoena that required production of over one million
documents); NLRB v. Carolina Food Processors, 

, 513
(4th Cir. 1996) (“[A] subpoena is not unduly burdensome
merely because it requires the production of a large number
of documents.”); EEOC v. Citicorp Diners Club, Inc., 

, 1040 (10th Cir. 1993) (upholding a subpoena where com-
pliance required “two full-time employees working approxi-
mately six months”). Without more, we cannot say that “no
reasonable person would agree with the decision made by the
trial court.” Lange, 28 F.4th at 842 (quoting Smith, 707 F.3d at
808).
In concluding that the administrative subpoena here is not
unduly burdensome, we note our holding is narrow. Agen-
cies should not read this result as granting leave to issue ad-
ministrative subpoenas that are overly cumbersome or that
16                                                    No. 21-3290
seek information not reasonably relevant to the investigation
at hand. Indeed, at oral argument before us, the Department
was hard pressed to explain why a subpoena was issued seek-
ing all documents responsive to the 32 inquiries, as opposed
to requesting a production sample. But Alight has not argued
the requested information lacks reasonable relevancy. And
the company’s burdensomeness arguments—which target
only a handful of the remaining 26 production requests—lack
details about the number of documents implicated, the cost to
produce those documents, the hours production would re-
quire, or how compliance would threaten the normal opera-
tion of Alight’s business.
C
Finally, Alight argues the district court wrongly denied its
request for a protective order. The company submits that
three categories of documents should have received confiden-
tiality protections: “(1) ERISA plan participant [personally
identifiable information]; (2) confidential settlement agree-
ments; and (3) client identifying information.”
“The trial court is in the best position to weigh fairly the
competing needs and interests of parties affected by discov-
ery.” Heraeus Kulzer, GmbH v. Biomet, Inc., 

, 565
(7th Cir. 2018) (quoting Cnty. Materials Corp. v. Allan Block
Corp., 

, 739 (7th Cir. 2007)). So, we review a dis-
trict court’s denial of a protective order in a subpoena enforce-
ment action for abuse of discretion. Id.; Dow Chemical, 

. “[A] district court is required to ‘independently de-
termine if good cause exists’ before judicially protecting dis-
coverable documents from third-party disclosure.” Salmeron
v. Enter. Recovery Sys., Inc., 

, 795 (7th Cir. 2009)
(quoting Jepson, Inc. v. Makita Elec. Works, Ltd., 

, 858
No. 21-3290                                                             17
(7th Cir. 1994)); see FED. R. CIV. P. 26(c) (“The court may, for
good cause, issue an order.”).
Alight starts from behind on this point, as it never for-
mally moved for a protective order under Rule 26(c). It does
argue that the personal identifiable information of its plan-
participants should have been protected. This information is
highly confidential, and includes “social security numbers,
contact information, asset information, and banking infor-
mation.” Indeed, Alight is contractually obligated to protect
the confidentiality of this information. 2
While this information is sensitive, Alight has not shown
how its disclosure to the Department would result in the in-
formation being revealed to a third party. As the district court
observed, this confidential information is protected from dis-
closure under the Freedom of Information Act, and 

 criminalizes the disclosure of confidential information
by federal employees. Alight’s only attempt to show good
cause for the protective order is to note that the Department
has experienced some data breaches and cyberattacks in the
past. But this generalized concern, which exists for nearly
every government subpoena, does not persuade us that the
district court abused its discretion, especially when Alight it-
self is being investigated for alleged cybersecurity breaches
that threatened ERISA plan participant information.
Next, Alight contends that a protective order should have
been issued for confidential settlement agreements the
2 Of course, the Department’s investigatory authority is not impinged
by private agreements. See EEOC v. Severn Trent Servs., Inc., 

,
442 (7th Cir. 2004) (stating a private contract cannot trump a government
subpoena).
18                                                 No. 21-3290
company entered with clients that concern “potential unau-
thorized access and disbursement to client accounts.” But
again, Alight has not articulated how production of this infor-
mation would result in disclosure to a third party. The De-
partment correctly argues that the settlement agreements,
which could clarify the number and extent of any cybersecu-
rity breaches, are crucial to its investigation of Alight.
Last, Alight insists a protective order was warranted for
“broad categories of client information including contracts
and fee schedules, information related to investigations of al-
leged cybersecurity and fraud, documents concerning ser-
vices and security measures applicable to a given plan, and
other proprietary information about Alight’s client’s benefit
plans.” Aside from Alight’s continued inability to explain
how this information could become publicly available, the
Department’s cybersecurity investigation directly implicates
this information. If Alight were to redact the names of its cli-
ents and the corresponding plan names, as the company ad-
vocates, the Department could not identify which employers
may have violated ERISA. There is no good-cause basis to
deny the Department access to this critical information, and
we cannot say the district court abused its discretion in deny-
ing Alight’s request for a protective order.
*      *      *
For these reasons, we AFFIRM the judgment of the district
court.