In SEC v. Covington & Burling, LLP, the U.S. District Court for the District of Columbia recently ordered a large multinational law firm to disclose the names of its clients to the Securities and Exchange Commission, opening the door for regulators and potentially law enforcement agencies to get otherwise protected information from private law firms. Despite vigorous opposition from the law firm, and an Amicus Brief signed by more than 80 other law firms, including Cozen O’Connor, supporting Covington, on July 24, 2023, Judge Amit Mehta ordered the firm to provide the SEC with the names of seven publicly traded corporate clients of the firm whose information was potentially accessed in 2020 when the law firm’s computer files were hacked. The SEC asserted that it needed the information to determine if the hackers had used any stolen information to engage in illicit trading. Initially, the SEC requested the names of almost 300 public company clients of the firm, but Judge Mehta found that request was “too broad”[1] and instead ordered the firm to reveal the names of its seven clients whose material, nonpublic information may have been accessed by the hackers.
Covington used Microsoft’s Exchange Server software, which was the subject of a 2020 cyberattack by Hafnium, a group of attackers alleged to be associated with the Chinese government. Covington “launched an investigation to determine whether unauthorized parties had gained access to its network”[2] during the Hafnium Cyberattack and “ultimately determined that a threat actor had been able to compromise Covington’s Exchange environment.”[3] Covington began cooperating with the FBI as part of the firm’s investigation of the cyberattack.
Roughly a year after Microsoft disclosed the attack, the SEC “opened an investigation into possible violations of the federal securities laws”[4] connected to the Hafnium Cyberattack. The SEC sought to determine whether threat actors “accessed and traded on the basis of material, non-public information,”[5] and whether public companies “made materially false or misleading statements, or omitted to state material facts, concerning the impact of the Cyberattack in violation of federal securities laws.”[6] The SEC then issued a subpoena to Covington asking for, amongst other things, the identity of any public company clients whose files may have been accessed as part of the Cyberattack. Covington raised objections to the request, determining that it applied to 298 of its clients, on the grounds that it “could not identify its affected clients or produce the requested communications consistent with the attorney-client privilege and the firm’s fiduciary duties, duty of loyalty, and duty of confidentiality it owes its clients, including under D.C. Rule of Professional Conduct 1.6.”[7]
While the parties tried to negotiate a narrowing of the subpoena, Covington also further investigated the scope of the hackers’ access to material nonpublic information, and determined that only seven of the 298 clients had been affected. The SEC was not satisfied by Covington’s investigation and pursued enforcement of the Subpoena. Covington objected to producing the names of the seven clients as it could lead to the SEC seeking other work product and privileged information, including information concerning the scope of the client’s privileged communications with the law firm, communications concerning the Cyberattack, disclosures to investors, etc.
The Court, in ruling for the SEC and ordering disclosure of the seven company/client names, noted that “[f]ederal courts have found that, absent special circumstances, client-identity is not protected by the attorney-client privilege.”[8] Judge Mehta held that the fact of a communication is not privileged, although the content of the communication is, stating that “Covington’s disclosure of a client name would tell the SEC nothing about what, if any, legal advice the client sought, or how the firm responded, with respect to the cyberattack. Only through guesswork and speculation could the SEC discern from the name of the client alone any communication’s contents.”[9]
While Covington and 83 other law firms argued in response that “the requested compelled disclosure would harshly penalize blameless clients, back attorneys into a corner, and discourage law firms … from cooperating with law enforcement in the future,”[10] the Court found those policy concerns to be unfounded, and instead narrowed the scope of the SEC’s demand by requiring Covington to produce only the names of the seven clients for whom the law firm could not rule out that a threat actor may have accessed their material nonpublic information.
As a practical matter, as the Amici firms argued, a negative impact of the Court’s ruling is that law firms may be more hesitant to disclose the existence of cyberattacks or to cooperate with law enforcement agencies, for fear that their clients’ information and privileged communications with the law firm will be compromised and subject to disclosure. Moreover, law firms, especially those that represent publicly traded companies, may now be compelled to double down on their already significant and expensive efforts to strengthen their protective measures against cyberattacks, as a marketing measure to assure clients that their information is adequately protected. Cybersecurity measures have become a growing factor for companies in selecting service providers at all levels, and the arms race to ensure protection from hackers is only further encouraged by the Court’s ruling in this matter. In either event, the SEC/Covington case has law firms and corporate clients paying close attention to these issues.
[1] Memorandum Opinion, SEC v. Covington & Burling, LLP, Case No. 23-mc-00002 (APM), at 2.
[2] Id. at 3.
[3] Id. at 4.
[4] Id.
[5] Id.
[6] Id.
[7] Id. at 5.
[8] Id. at 7.
[9] Id. at 9.
[10] Id. at 18.