Martin J. Walsh v. Alight Solutions, LLC ( 2022 )


Menu:
  •                               In the
    United States Court of Appeals
    For the Seventh Circuit
    ____________________
    No. 21-3290
    MARTIN J. WALSH, Secretary of Labor,
    Petitioner-Appellee,
    v.
    ALIGHT SOLUTIONS LLC,
    Respondent-Appellant.
    ____________________
    Appeal from the United States District Court for the
    Northern District of Illinois, Eastern Division.
    No. 1:20-cv-2138 — John F. Kness, Judge.
    ____________________
    ARGUED APRIL 21, 2022 — DECIDED AUGUST 12, 2022
    ____________________
    Before EASTERBROOK, ROVNER, and BRENNAN, Circuit
    Judges.
    BRENNAN, Circuit Judge. The U.S. Department of Labor is
    investigating alleged cybersecurity breaches at Alight Solu-
    tions LLC, a company that provides administrative services
    for employers who sponsor healthcare and retirement plans.
    As part of its investigation the Department issued an admin-
    istrative subpoena. Alight produced some documents but
    2                                                 No. 21-3290
    objected to many of the subpoena’s requests. The district
    court granted the Department’s petition to enforce the sub-
    poena with some modifications.
    On appeal, Alight argues the subpoena is unenforceable
    because the Department lacks authority to investigate the
    company, or cybersecurity incidents generally. The company
    also contends the subpoena’s demands are too indefinite and
    unduly burdensome, and that the district court abused its dis-
    cretion by denying Alight’s request for a protective order to
    limit production of certain sensitive information. Alight’s ar-
    guments are not persuasive, so we affirm.
    I
    Alight provides recordkeeping services for employers
    who sponsor healthcare and retirement benefit plans for their
    employees, some of which are governed by the Employee Re-
    tirement Income Security Act, 
    29 U.S.C. §§ 1001
    –1461
    (“ERISA”). As of November 2020, Alight served over 750 cli-
    ents supporting more than 20.3 million plan participants.
    These clients entrust Alight with highly sensitive information
    about their companies, employee benefits plans, and plan par-
    ticipants. Alight provides cybersecurity services to protect
    this confidential information.
    The Department opened an investigation of Alight in July
    2019 prompted by a discovery that Alight processed unau-
    thorized distributions of plan benefits due to cybersecurity
    breaches in its ERISA plan clients’ accounts. The Department
    says Alight failed to report, disclose, and restore those unau-
    thorized distributions. Alight denies any knowledge of
    breaches resulting in unauthorized distributions.
    No. 21-3290                                                 3
    As part of the investigation the Department sent Alight an
    administrative subpoena duces tecum. The subpoena calls for
    documents in response to 32 inquiries and covers the period
    from January 1, 2015 through the date of production. The in-
    formation requested ranges from specific inquiries, like
    Alight’s articles of incorporation and bylaws, to broad de-
    mands, including “[a]ll documents and communications re-
    lating to services offered to ERISA plan clients.”
    Alight produced a limited number of documents in re-
    sponse to about half of the subpoena’s requests, but the com-
    pany also objected to many of the inquiries. Specifically, the
    company challenged the Department’s investigatory author-
    ity and purposes, criticized the subpoena’s scope and burden,
    and emphasized its duty to keep certain information confi-
    dential.
    After unsuccessful attempts by the parties to resolve
    Alight’s objections, the Department petitioned the district
    court to enforce the subpoena. Meanwhile, the company con-
    tinued to interact with the Department and produced addi-
    tional materials. But Alight redacted most of the documents it
    produced to remove client identifying information, which
    prevented the Department from discerning potential ERISA
    violations.
    In response to the petition, Alight filed a memorandum
    opposing enforcement of the subpoena. The company argued
    that the Department lacked the authority to investigate the
    company because Alight is not a fiduciary under ERISA, the
    subpoena was too indefinite to enforce and sought documents
    unrelated to ERISA plans, and enforcement would jeopardize
    confidential information Alight was contractually obligated
    to protect. The company also noted that although the
    4                                                 No. 21-3290
    subpoena requested documents back to January 1, 2015,
    Alight was not formed until May 2017. Alight asked the dis-
    trict court to quash the subpoena, or at a minimum to limit
    the subpoena and enter a protective order permitting redac-
    tions.
    Alight’s response also highlighted a production sample its
    legal consultant prepared, which covered two months of re-
    sponsive documents. The consultant spent over 40 hours pre-
    paring the sample, and she estimated that the employees who
    assisted her collectively spent the same amount of time on the
    project. Based on this sample, Alight’s legal consultant pro-
    jected full compliance with the subpoena would require
    “thousands of hours of work.”
    The Department filed a reply memorandum defending
    the subpoena. It stated that additional documentation was not
    required for 9 of the original 32 production requests. For the
    remaining 23 inquiries, the Department clarified or narrowed
    each request.
    Ultimately, the district court granted the Department’s pe-
    tition to enforce the subpoena as modified by the Depart-
    ment’s reply memorandum. The court found that the Depart-
    ment’s investigatory authority was not limited to fiduciaries,
    and that the requested information was reasonably relevant
    to the ERISA investigation. It also ruled that the subpoena was
    not too indefinite, and that Alight’s challenge to the indefi-
    niteness of the subpoena related more to the burden of pro-
    duction than the clarity of the production requests. As to
    Alight’s burden of compliance, the court applied the pre-
    sumption that subpoenas should be enforced and decided
    that the balance between the relevance of the requested infor-
    mation and the cost of production favored enforcement.
    No. 21-3290                                                    5
    The district court also declined to enter a protective order.
    Not only had Alight failed to formally move for such an order
    under Federal Rule of Civil Procedure 26(c), but the court
    found that the Freedom of Information Act and 
    18 U.S.C. § 1905
     prohibited the Department from publicizing Alight’s
    confidential information. So, the court concluded that Alight
    had not shown good cause for redacting the requested docu-
    ments.
    Last, the court addressed the date range covered by the
    subpoena. Reasoning that Alight “cannot produce what it
    does not have,” the court directed Alight to produce those
    documents in its possession. And “if [Alight] does not have
    anything within its possession, custody, or control to produce
    from the period before it had its current legal existence, it
    should respond to the Subpoena accordingly.”
    II
    “We review the district court’s decision to enforce an
    agency subpoena for abuse of discretion, and we review any
    factual determinations on which the ruling is based for clear
    error. Questions of law are reviewed de novo.” EEOC v. Aero-
    tek, Inc., 
    815 F.3d 328
    , 333 (7th Cir. 2016) (citations omitted);
    see McLane Co., Inc. v. EEOC, 
    137 S. Ct. 1159
    , 1170 (2017). “A
    decision is an abuse of discretion only if no reasonable person
    would agree with the decision made by the trial court.” Lange
    v. City of Oconto, 
    28 F.4th 825
    , 842 (7th Cir. 2022) (quoting
    Smith v. Hunt, 
    707 F.3d 803
    , 808 (7th Cir. 2013)). Under clear-
    error review, we will overturn a decision “only if the entire
    record leaves us ‘with the definite and firm conviction that a
    mistake has been committed.’” Wilborn v. Ealey, 
    881 F.3d 998
    ,
    6                                                    No. 21-3290
    1006 (7th Cir. 2018) (quoting Anderson v. City of Bessemer City,
    
    470 U.S. 564
    , 573 (1985)).
    A subpoena enforcement proceeding is “designed to be
    summary in nature.” EEOC v. United Air Lines, Inc., 
    287 F.3d 643
    , 649 (7th Cir. 2002) (quoting EEOC v. Tempel Steel Co., 
    814 F.2d 482
    , 485 (7th Cir. 1987)). In the context of administrative
    subpoenas, “a district court’s subpoena enforcement function
    is narrowly limited: in deciding whether to enforce, ‘it is suf-
    ficient if the inquiry is within the authority of the agency, the
    demand is not too indefinite and the information sought is
    reasonably relevant.’” Aerotek, 815 F.3d at 333 (quoting Dow
    Chem. Co. v. Allen, 
    672 F.2d 1262
    , 1267 (7th Cir. 1982)). “[I]t is
    also clearly recognized that disclosure may be restricted
    where it would impose an unreasonable or undue burden on
    the party from whom production is sought,” Dow Chem., 
    672 F.2d at 1267
    , and a subpoena may not be issued for an illegit-
    imate purpose. McLane, 137 S. Ct. at 1165. “In the mine run of
    cases, the district court’s decision whether to enforce a sub-
    poena will turn either on whether the evidence sought is rel-
    evant to the specific charge before it or whether the subpoena
    is unduly burdensome in light of the circumstances.” Id. at
    1167. These inquiries “are ‘generally not amenable to broad
    per se rules’; rather, they are the kind of ‘fact-intensive, close
    calls’ better suited to resolution by the district court than the
    court of appeals.” Id. at 1168 (citations omitted).
    On appeal, Alight offers similar arguments as in the
    district court: the Department lacks authority to issue the sub-
    poena, the subpoena is too indefinite and burdensome to en-
    force, and a protective order is needed to prevent disclosure
    of certain confidential information.
    No. 21-3290                                                    7
    A
    Alight contends that the subpoena falls outside the
    Department’s authority because it cannot investigate non-fi-
    duciaries, and ERISA does not authorize investigations into
    cybersecurity issues. Each challenge raises a question of law,
    which we review de novo. Aerotek, 815 F.3d at 333.
    The Department’s authority to issue subpoenas under
    ERISA is codified at 
    29 U.S.C. § 1134
    (a)(1):
    The Secretary shall have the power, in order to
    determine whether any person has violated or
    is about to violate any provision of this sub-
    chapter or any regulation or order thereunder--
    (1) to make an investigation, and in connection
    therewith to require the submission of reports,
    books, and records, and the filing of data in sup-
    port of any information required to be filed with
    the Secretary under this subchapter[.]
    As the statute states, and as both parties agree, the Depart-
    ment need not determine whether a violation has occurred
    before issuing a subpoena. Indeed, “[a]n administrative
    agency’s subpoena power is intended to permit the agency to
    ‘investigate merely on suspicion that the law is being violated,
    or even just because it wants assurance that it is not.’” Chao v.
    Loc. 743, Int'l Brotherhood of Teamsters, AFL-CIO, 
    467 F.3d 1014
    ,
    1017 (7th Cir. 2006) (quoting United States v. Morton Salt Co.,
    
    338 U.S. 632
    , 642–43 (1950)).
    Alight maintains that the Department is not authorized to
    investigate non-fiduciaries. This precludes the Department
    from issuing a subpoena to Alight, the company claims, be-
    cause Alight only services ERISA plans in an administrative
    8                                                   No. 21-3290
    capacity. Thus, Alight insists, it is not a fiduciary for any cli-
    ent’s ERISA plan.
    Whether or not Alight is a fiduciary does not affect the De-
    partment’s investigatory authority. Under 
    29 U.S.C. § 1134
    (a)(1), the Department has the power to launch investi-
    gations “in order to determine whether any person has vio-
    lated or is about to violate any provision of this subchapter or
    any regulation or order thereunder.” (Emphasis added). The
    statute does not limit the Department’s investigatory author-
    ity to fiduciaries, or by who receives a subpoena. Instead, as
    the Department argued, its authority hinges on the infor-
    mation requested and its relation to an actual or potential
    ERISA violation. Even if Alight only has information about
    another entity’s ERISA violation, the statute grants the De-
    partment authority to compel its production from Alight. A
    contrary rule would allow ERISA fiduciaries to avoid liability
    altogether by outsourcing recordkeeping and administrative
    functions to non-fiduciary third parties, evading regulatory
    oversight. Congress did not confine the Department’s inves-
    tigatory power in this manner.
    For the first time on appeal, Alight also argues that the
    Department lacks authority to conduct cybersecurity investi-
    gations. This argument is forfeited. While “waiver is the ‘in-
    tentional relinquishment or abandonment of a known right,’
    forfeiture is the mere failure to raise a timely argument, due
    to either inadvertence, neglect, or oversight.” Henry v. Hulett,
    
    969 F.3d 769
    , 786 (7th Cir. 2020) (en banc) (quoting United
    States v. Olano, 
    507 U.S. 725
    , 733 (1993)). Alight did not chal-
    lenge the Department’s authority to investigate cybersecurity
    incidents in the district court. The company disagrees and
    points to multiple citations in the district court record. But
    No. 21-3290                                                      9
    each is a challenge by Alight of the Department’s authority to
    investigate non-fiduciaries, not an objection to cybersecurity
    investigations generally. Because this is a civil case, “‘our abil-
    ity to review for plain error … is severely constricted,’ as ‘a
    civil litigant should be bound by his counsel’s actions.’” 
    Id.
    (quoting SEC v. Yang, 
    795 F.3d 674
    , 679 (7th Cir. 2015)). Con-
    sequently, we will review for plain error only “in the rare sit-
    uation where a party can demonstrate that: ‘(1) exceptional
    circumstances exist; (2) substantial rights are affected; and
    (3) a miscarriage of justice will occur if plain error review is
    not applied.’” 
    Id.
     (quoting Thorncreek Apartments III, LLC v.
    Mick, 
    886 F.3d 626
    , 636 (7th Cir. 2018)). Alight makes no effort
    to satisfy this demanding standard.
    Even if not forfeited, Alight’s merits argument is uncon-
    vincing. As the Supreme Court has long recognized, Congress
    incorporated into ERISA “a standard of loyalty and a stand-
    ard of care.” Cent. States, Se. & Sw. Areas Pension Fund v. Cent.
    Transp., Inc., 
    472 U.S. 559
    , 570 (1985). The reasonableness of
    Alight’s cybersecurity services, and the extent of any
    breaches, is therefore relevant to determining whether ERISA
    has been violated—either by Alight itself, or by the employers
    that outsourced management of their ERISA plans to Alight.
    B
    Alight also argues that the Department’s administrative
    subpoena is too indefinite and too burdensome to enforce.
    Indefiniteness. To Alight, the subpoena’s requests are “too
    indefinite and unreasonably broad to be enforced in its en-
    tirety, without modification.” At the outset, whether a sub-
    poena is too broad is a question of indefiniteness for Alight.
    Alight disputes the district court’s framework for addressing
    10                                                  No. 21-3290
    the subpoena’s breadth, contending that the district court
    erred by addressing this issue as a question of undue burden.
    We disagree. The cases Alight identifies do not state that a
    subpoena’s breadth and definiteness are the same inquiry,
    and many expressly distinguish these questions. See, e.g.,
    Okla. Press Pub. Co. v. Walling, 
    327 U.S. 186
    , 208 (1946) (noting
    that the Fourth Amendment guards against “too much indef-
    initeness or breadth” in a subpoena); Peters v. United States,
    
    853 F.2d 692
    , 699 (9th Cir. 1988) (noting a “subpoena will not
    be enforced if it is too indefinite or broad”). A subpoena can
    be too indefinite if its demands are overly vague or amor-
    phous, but the breadth of the production demanded is a topic
    better suited for an inquiry of relevancy or undue burden. See,
    e.g., Aerotek, 815 F.3d at 332, 334 (treating the appellant’s ob-
    jection that an administrative subpoena’s requests amounted
    to “a fishing expedition totally unrelated to the matter under
    investigation” as a relevancy challenge, while also noting that
    the appellant made “no claim that the request is too indefi-
    nite”). Alight has not argued that the subpoena is unclear, and
    the district court was correct to find that its terms are not too
    indefinite.
    Burdensomeness. Alight offers a scattershot of contentions
    about the burden of compliance with the Department’s ad-
    ministrative subpoena. The company challenges the legal
    standard the district court employed. Alight is less than clear
    as to which subpoena requests it actually protests. The com-
    pany also disagrees with the district court’s evaluation of the
    subpoena’s burden.
    When examining the burden of complying with a sub-
    poena, “[t]he presumption is that compliance should be en-
    forced to further the agency’s legitimate inquiry into matters
    No. 21-3290                                                     11
    of public interest.” United Air Lines, 
    287 F.3d at 653
     (quoting
    FTC v. Shaffner, 
    626 F.2d 32
    , 38 (7th Cir. 1980)). “Often we have
    phrased this ‘difficult burden’ as requiring a showing that
    ‘compliance would threaten the normal operation of a re-
    spondent’s business.’” 
    Id.
     (quoting EEOC v. Bay Shipbuilding
    Corp., 
    668 F.2d 304
    , 313 (7th Cir. 1981)). This is a fact-intensive
    inquiry, and “[c]onclusory allegations of burdensomeness are
    insufficient.” 
    Id.
     To determine whether a subpoena is unduly
    burdensome, the district court must “weigh the likely rele-
    vance of the requested material to the investigation against
    the burden to [the respondent] of producing the material.” 
    Id. at 654
     (alteration in original) (quoting EEOC v. Ford Motor
    Credit Co., 
    26 F.3d 44
    , 47 (6th Cir. 1994)); see Chao, 467 F.3d at
    1017 (requiring requested information to be “reasonably rele-
    vant”).
    Alight insists the district court applied the wrong legal
    standard. The company points to a portion of the court’s or-
    der which determined that Alight’s burden was not out-
    weighed by the “potential relevance” of the requests. This was
    error, Alight insists, because the court should have ensured
    the production requests were “reasonably relevant” or “likely
    relevant.”
    But Alight ignores a different portion of the court’s order
    in which it expressly found that the subpoena’s modified re-
    quests “are reasonably relevant to an investigation of compli-
    ance with ERISA.” That the court also described the requested
    documents as “potentially relevant” does not undermine this
    express finding. Alight also has not argued why the court’s
    “reasonably relevant” determination is incorrect, so we are
    not left with a “definite and firm conviction” that a mistake
    12                                                          No. 21-3290
    has been made. Wilborn, 881 F.3d at 1006 (quoting Anderson,
    
    470 U.S. at 573
    ).
    Alight further suggests that the district court improperly
    relied on this court’s decision in EEOC v. Quad/Graphics, Inc.,
    
    63 F.3d 642
     (7th Cir. 1995). There, the subpoenaed party esti-
    mated that compliance would require more than 200,000
    hours of work. 
    Id. at 648
    . This court ruled that the time
    projections for compliance were “inflated” and upheld the
    subpoena. 
    Id. at 649
    . Alight argues the district court wrongly
    construed the 200,000-hour estimate in Quad/Graphics as a
    threshold for assessing burdensomeness while ignoring the
    fact that this estimate was found to be exaggerated. But here,
    the district court raised the estimate only to show that a sub-
    poena has been upheld when “the responding party esti-
    mated that compliance would require more than 200,000
    hours”—a true statement. Elsewhere in its order, the district
    court acknowledged that burdensomeness is a “case-specific”
    inquiry, not a universal standard. So an erroneous 200,000
    threshold requirement was not applied, as Alight contends.
    Next, we note that Alight is not clear as to which subpoena
    requests it disputes. Its opening appellate brief directly chal-
    lenged only 5 of the 23 production requests that remain in dis-
    pute out of the original 32. What is more, at least some of
    Alight’s objections are based on the production requests “as
    originally drafted,” not the inquiries the district court upheld
    as modified. 1
    1 For example, Alight objects to the breadth of Request 8, which seeks
    “[a]ll documents relating to any litigation, arbitration, or legal proceed-
    ings in which Alight is a party.” But the modified subpoena states that the
    Department is not seeking any additional documentation for that inquiry.
    Alight also challenges Request 9, which sought “[a]ll documents relating
    No. 21-3290                                                                 13
    The only unmodified requests that Alight challenges by
    name are Request 11 (“[a]ll contracts, agreements, arrange-
    ments, and fee schedules used by Alight to provide services
    to ERISA plan clients”) and Request 12 (“[a]ll documents and
    communications relating to services offered to ERISA plan
    clients, including the Alight Protection Program”). These re-
    quests would require production of “virtually every docu-
    ment concerning its ERISA business,” the company submits.
    Yet Alight does not argue that these documents lack reasona-
    ble relevancy to the Department’s investigation, nor does it
    show how compliance with Requests 11 and 12 would be
    unduly burdensome. Alight does not estimate how many
    documents these two requests encompass, or the time or cost
    associated with compliance. If Alight believes specific re-
    quests in the modified subpoena are unrelated to the investi-
    gation or unduly burdensome, it should have briefed those
    concerns before us, which it did not do.
    Alight also disagrees with the district court’s evaluation of
    the burden the company faces to comply with the administra-
    tive subpoena. Alight points to its two-month production
    sample, noting that its legal consultant took “over forty
    hours” to identify responsive materials. “Replicating this pro-
    cess for all the incidents in the seven-year period covered by
    the Subpoena,” the company claims, “would require thou-
    sands of hours of work.” These estimates also do not include
    to any regulatory investigations, examinations, or inquiries in which
    Alight is a party,” on the basis that it is not limited to ERISA plans, but the
    modified subpoena added language specifying that precise limitation.
    Alight opposes Request 3 on similar grounds, but the Department also
    limited its scope.
    14                                                   No. 21-3290
    the hours spent by other employees collecting the requested
    information.
    But Alight fails to show the district court abused its discre-
    tion for two reasons. First, the company’s estimates lack de-
    tail. “We often have considered the cost of compliance when
    evaluating burdensomeness,” United Air Lines, 
    287 F.3d at 653
    ,
    along with “the number of files involved” and “the number
    of estimated work hours required to effect compliance.”
    Shaffner, 
    626 F.2d at 38
    . Alight has not estimated the number
    of documents at issue or the cost of producing those docu-
    ments. As for the two-month sample, Alight has not shown
    that the documents in this window represent the remaining
    materials covered by the subpoena’s timeframe. In fact,
    Alight's legal consultant provided only a single paragraph ex-
    trapolating her two-month burden to the investigation at
    large.
    Alight’s estimates may be high because it increased its
    own burden of production by redacting many documents it
    produced—a practice the district court later disallowed. Such
    self-imposed measures undermine our confidence that a com-
    pany’s production estimates are accurate. See Aerotek, 815 F.3d
    at 334 (“Aerotek increased the burden on itself by creating a
    coding system to mask the identity of individuals and clients
    in its earlier non-compliant productions to the EEOC.”).
    Alight’s estimates also seem to be based on a seven-year pe-
    riod in accord with the subpoena’s request for information
    back to 2015. But as Alight noted during litigation, the com-
    pany was not formed until 2017, so it is unclear how many
    documents, if any, Alight possesses from before 2017 that the
    subpoena covers. As for Alight’s assertion that its two-month
    sample does not account for the hours or costs incurred by
    No. 21-3290                                                  15
    other employees, unarticulated cost multipliers—based
    wholly on an unverified and summary estimate by its legal
    consultant—are the type of conclusory allegations insufficient
    to establish an undue burden. See United Air Lines, 
    287 F.3d at 653
    .
    Second, even if we credited Alight’s estimates that produc-
    tion would require “thousands of hours of work”—an
    admittedly cumbersome task—Alight has not shown why
    that undertaking is unduly burdensome. While Alight has ex-
    plained that it could be difficult to comply with the subpoena,
    it has not shown, for example, that “compliance would
    threaten the normal operation of [its] business.” 
    Id.
     (quoting
    Bay Shipbuilding, 668 F.2d at 313). A review of decisions by our
    fellow circuits confirms that large production requests are not
    necessarily unduly burdensome. See, e.g., FDIC v. Garner, 
    126 F.3d 1138
    , 1145-46 (9th Cir. 1997) (upholding an administra-
    tive subpoena that required production of over one million
    documents); NLRB v. Carolina Food Processors, 
    81 F.3d 507
    , 513
    (4th Cir. 1996) (“[A] subpoena is not unduly burdensome
    merely because it requires the production of a large number
    of documents.”); EEOC v. Citicorp Diners Club, Inc., 
    985 F.2d 1036
    , 1040 (10th Cir. 1993) (upholding a subpoena where com-
    pliance required “two full-time employees working approxi-
    mately six months”). Without more, we cannot say that “no
    reasonable person would agree with the decision made by the
    trial court.” Lange, 28 F.4th at 842 (quoting Smith, 707 F.3d at
    808).
    In concluding that the administrative subpoena here is not
    unduly burdensome, we note our holding is narrow. Agen-
    cies should not read this result as granting leave to issue ad-
    ministrative subpoenas that are overly cumbersome or that
    16                                                    No. 21-3290
    seek information not reasonably relevant to the investigation
    at hand. Indeed, at oral argument before us, the Department
    was hard pressed to explain why a subpoena was issued seek-
    ing all documents responsive to the 32 inquiries, as opposed
    to requesting a production sample. But Alight has not argued
    the requested information lacks reasonable relevancy. And
    the company’s burdensomeness arguments—which target
    only a handful of the remaining 26 production requests—lack
    details about the number of documents implicated, the cost to
    produce those documents, the hours production would re-
    quire, or how compliance would threaten the normal opera-
    tion of Alight’s business.
    C
    Finally, Alight argues the district court wrongly denied its
    request for a protective order. The company submits that
    three categories of documents should have received confiden-
    tiality protections: “(1) ERISA plan participant [personally
    identifiable information]; (2) confidential settlement agree-
    ments; and (3) client identifying information.”
    “The trial court is in the best position to weigh fairly the
    competing needs and interests of parties affected by discov-
    ery.” Heraeus Kulzer, GmbH v. Biomet, Inc., 
    881 F.3d 550
    , 565
    (7th Cir. 2018) (quoting Cnty. Materials Corp. v. Allan Block
    Corp., 
    502 F.3d 730
    , 739 (7th Cir. 2007)). So, we review a dis-
    trict court’s denial of a protective order in a subpoena enforce-
    ment action for abuse of discretion. Id.; Dow Chemical, 
    672 F.2d at 1277
    . “[A] district court is required to ‘independently de-
    termine if good cause exists’ before judicially protecting dis-
    coverable documents from third-party disclosure.” Salmeron
    v. Enter. Recovery Sys., Inc., 
    579 F.3d 787
    , 795 (7th Cir. 2009)
    (quoting Jepson, Inc. v. Makita Elec. Works, Ltd., 
    30 F.3d 854
    , 858
    No. 21-3290                                                             17
    (7th Cir. 1994)); see FED. R. CIV. P. 26(c) (“The court may, for
    good cause, issue an order.”).
    Alight starts from behind on this point, as it never for-
    mally moved for a protective order under Rule 26(c). It does
    argue that the personal identifiable information of its plan-
    participants should have been protected. This information is
    highly confidential, and includes “social security numbers,
    contact information, asset information, and banking infor-
    mation.” Indeed, Alight is contractually obligated to protect
    the confidentiality of this information. 2
    While this information is sensitive, Alight has not shown
    how its disclosure to the Department would result in the in-
    formation being revealed to a third party. As the district court
    observed, this confidential information is protected from dis-
    closure under the Freedom of Information Act, and 
    18 U.S.C. § 1905
     criminalizes the disclosure of confidential information
    by federal employees. Alight’s only attempt to show good
    cause for the protective order is to note that the Department
    has experienced some data breaches and cyberattacks in the
    past. But this generalized concern, which exists for nearly
    every government subpoena, does not persuade us that the
    district court abused its discretion, especially when Alight it-
    self is being investigated for alleged cybersecurity breaches
    that threatened ERISA plan participant information.
    Next, Alight contends that a protective order should have
    been issued for confidential settlement agreements the
    2 Of course, the Department’s investigatory authority is not impinged
    by private agreements. See EEOC v. Severn Trent Servs., Inc., 
    358 F.3d 438
    ,
    442 (7th Cir. 2004) (stating a private contract cannot trump a government
    subpoena).
    18                                                 No. 21-3290
    company entered with clients that concern “potential unau-
    thorized access and disbursement to client accounts.” But
    again, Alight has not articulated how production of this infor-
    mation would result in disclosure to a third party. The De-
    partment correctly argues that the settlement agreements,
    which could clarify the number and extent of any cybersecu-
    rity breaches, are crucial to its investigation of Alight.
    Last, Alight insists a protective order was warranted for
    “broad categories of client information including contracts
    and fee schedules, information related to investigations of al-
    leged cybersecurity and fraud, documents concerning ser-
    vices and security measures applicable to a given plan, and
    other proprietary information about Alight’s client’s benefit
    plans.” Aside from Alight’s continued inability to explain
    how this information could become publicly available, the
    Department’s cybersecurity investigation directly implicates
    this information. If Alight were to redact the names of its cli-
    ents and the corresponding plan names, as the company ad-
    vocates, the Department could not identify which employers
    may have violated ERISA. There is no good-cause basis to
    deny the Department access to this critical information, and
    we cannot say the district court abused its discretion in deny-
    ing Alight’s request for a protective order.
    *      *      *
    For these reasons, we AFFIRM the judgment of the district
    court.