On January 10, 2023, the U.S. Securities and Exchange Commission (the "SEC") commenced an action in U.S. District Court seeking an order compelling the law firm Covington & Burling LLP ("Covington") to comply with an SEC administrative subpoena concerning an investigation into possible violations of federal securities laws after a cyberattack on the law firm’s database.  Squarely at issue in this dispute is the question of whether Covington must disclose a list of its clients who were impacted by the cyberattack or if, in this context, the identities of Covington's clients is protected by the attorney-client privilege and confidentiality rules?

The Cyberattack

In November 2020, Covington experienced a data breach when hackers accessed its computer network and various individual devices.  The breach allowed the hackers to access non-public information belonging to numerous Covington clients, including 298 companies regulated by the SEC.  After learning of the cyberattack, Covington contacted the potentially affected clients to notify them of the breach and invited them to discuss the matter.

The SEC Investigation

In March 2021, the SEC issued an investigative subpoena to investigate, among other things, whether any persons or entities involved in or impacted by the breach have been or are engaging in violations of federal securities laws.  According to the SEC, it regularly seeks information from companies that were victims of cyberattacks for several reasons such as (i) to understand the nature of the attack, (ii) to access and identify potentially illegal trading based on information gathered during the attack, (iii) to access and identify potential illegal trading based on the fact of the attack itself, and (iv) to determine relevant disclosure obligations of public companies impacted by the attack.

On March 21, 2021, the SEC served a subpoena on Covington seeking information related to the cyberattack.  One of the requests in the subpoena called for “(a) the client or other impacted party name; (b) the nature of the suspected unauthorized activity concerning the client or other impacted party, including when the activity took place and the amount of information that was viewed, copied, modified, or exfiltrated, if known, and (c) any communications provided to the client or other impacted party concerning the suspected unauthorized activity.”  Covington objected to this request based on assertions of privilege and client confidentiality. 

Covington and the SEC then entered into negotiations to narrow the request.  Ultimately, the SEC agreed to limit the request to only the names of any clients regulated by the SEC whose information was viewed, copied, modified, or exfiltrated during the cyberattack.  Covington then sought to review how many of the 298 public companies had their “material non-public information” viewed, copied, modified, or exfiltrated by the attackers.  Covington determined that seven of the 298 clients’ files fit this criterion.  The SEC, however, claims that it has not been able to verify this information and disagrees with Covington’s method of determining what constitutes “material non-public information.”  As a result, the SEC seeks the names of all 298 clients whose information was accessed as part of the attack and thus asked a D.C. federal court to enforce the subpoena. 

The SEC's Arguments

To support its application for an order compelling Covington’s compliance with the investigative subpoena, the SEC made the following arguments:

  • In recent years, hackers have targeted public companies and regulated entities with large-scale attacks.
  • As a large law firm with hundreds of public company clients, Covington regularly possesses material non-public information, the theft of which puts investors at significant risk.
  • Neither Covington’s position as a victim of a cyberattack nor that it is a law firm insulates it from the SEC’s legitimate investigative responsibilities.
  • The SEC’s investigation will be conducted pursuant to a legitimate purpose.
  • The subpoena does not infringe on any privilege and compliance with the Subpoena would not violate the D.C. Rules of Professional Conduct.

Attorney-Client Privilege and Professional Ethics Concerns

Regarding any privilege and professional conduct concerns, the SEC has argued that (i) the request does not call for protected information, and it is not seeking privileged communications between Covington and its clients, and (ii) it has agreed to limit Covington’s response to only the names of impacted regulated clients. 

The SEC further states that the request falls squarely within the exceptions provided under D.C. Rule of Professional Conduct Rule 1.6(e).  Although D.C. Rule 1.6 generally prevents an attorney from “knowingly . . . reveal[ing] a confidence or secret of the lawyer’s client,” Rule 1.6(e)(2)(a) provides an exception to the general rule.  Rule 1.6(e)(2)(a) permits a lawyer to “reveal client confidences or secrets” when “required by law or court order.”

Looking Ahead

Since the case was only recently filed, we are still awaiting Covington's response.  Based on the history of the case so far, it is likely that Covington will argue, among other things, that the information that the SEC seeks is protected by privilege and confidentiality.    Although the SEC may be right that as a general rule a client's identity is not privileged or confidential, the circumstances here may be an exception given that disclosure of client identities could very well lead to further regulatory investigation of those clients.  The outcome of this case may also impact how other regulatory agencies treat issues of privilege and confidentiality in future investigations.  Stay tuned for further posts as this case develops.