A Member of the Law Professor Blogs Network

Half A Loaf

A decision of the United States District Court for the District of Columbia (Judge Mehta) grants access to some but not all client names sought by the SEC from Covington & Burling

This case concerns the intersection of a federal law enforcement agency’s interest in rooting out possible law violations and a law firm’s ethical obligations to its clients. On March 21, 2022, the Securities and Exchange Commission (“SEC” or “the Commission”) served a subpoena on Covington & Burling, LLP (“Covington”), a multinational law firm headquartered in Washington, D.C. The subpoena sought information relating to a cyberattack on Covington’s information technology systems that had occurred a year prior. Covington largely complied with the subpoena. It balked, however, in one key respect. Citing its ethical obligation to protect its clients’ identities, Covington refused to disclose the names of its nearly 300 public company clients whose files had been compromised by the attack.

The SEC now moves to compel disclosure of the withheld client names. The Commission says it has a legitimate purpose in seeking that information: it is investigating whether there have been violations of the securities laws arising from the cyberattack on Covington’s systems, and the information is necessary to determine (1) whether any illegal trading occurred using material nonpublic information, or (2) whether any publicly traded issuers failed to make disclosures relating to the cyberattack.

Covington cries foul. It asserts that the SEC’s demand exceeds its investigative authority, as there is no valid purpose in demanding client information where there is no suspicion of wrongdoing by the firm or any client. It also sounds the alarm that, if the SEC’s subpoena is enforced, the Commission will become emboldened to target law firms with greater frequency and serve even more intrusive demands for information.

The court finds some merit to both parties’ positions, but ultimately holds that the SEC’s demand for the names of affected clients does not exceed its statutory authority or cross any constitutional lines. The SEC is not, however, entitled to all affected client names. Its demand is too broad. The agency concedes that it is only interested in the names of those Covington clients whose material nonpublic information was accessed during the cyberattack, and the firm has reported that only a handful of its clients were potentially so impacted. The court therefore will require Covington to disclose the names of the seven clients as to whom it has not been able to rule out that the threat actor accessed material nonpublic information.

The cyberattack was against Microsoft’s Exchange Server software, which the law firm used.

“Through its own investigation and its cooperation with the FBI, Covington determined that the threat actor was most likely sponsored by the Chinese government and was very likely engaged in an espionage campaign to gather information from Covington’s lawyers about the incoming Biden Administration and policy issues of interest to China.”

The court

The court understands and appreciates the policy concerns raised by Covington and amici. They are not unfounded. The SEC’s approach here could cause companies who experience cyberattacks to think twice before seeking legal advice from outside counsel. See Chamber of Commerce Br. at 9–10. Law firms, too, very well might hesitate to report cyberattacks to avoid scrutiny of their clients. See Law Firms Br. at 9–12. The court’s role, however, is limited. Its task is only to assess whether the subpoena exceeds the SEC’s statutory authority or fails to meet minimum constitutional requirements. It is not to pass on the wisdom of the SEC’s investigative approach.

Some, not all

In the court’s estimation, the SEC has not made the case that it needs the names of the 291 clients whose material nonpublic information Covington has determined was not accessed. Those clients, by the SEC’s own admission, are not relevant to its investigation. Therefore, the court is not prepared to grant the SEC access to a client list of nearly 300 names when only seven are actually needed to satisfy the agency’s stated law enforcement interests.

The SEC says that the receipt of only those seven client names would be unsatisfactory. It asserts that, because Covington has conveyed its investigative findings at such a “high level,” the agency cannot “independently verify [Covington’s] conclusions.” Hr’g Tr. at 9. But any law enforcement agency that issues a subpoena necessarily has to rely on the recipient’s good faith in producing the information requested. This case is no different. If the SEC contests the accuracy or completeness of Covington’s conclusions, the proper course is to ask the court for an independent evaluation. It is not to grant access to hundreds of client names that are not relevant to the investigation.

Covington, for its part, believes it could be “worse” to provide the seven client names because “it would be revealing more information, not just the [client’s] identity, not just that . . . their data was subjected . . . to this cyberattack, but also that it may have revealed or at least they may have accessed material nonpublic information.” Hr’g Tr. at 40. Fair enough. But Covington has not contested that the demand for its affected clients’ names is limited in scope and relevant in purpose, and the court has found that the demand, as modified, is not unduly burdensome. That is where the inquiry ends. See Arthur Young, 584 F.2d at 1024. Furthermore, identifying the seven client names would not divulge any protected communications about the data breach. If Covington believes that the SEC’s regulations are not adequate to safeguard its clients’ identities from public disclosure, see, e.g., 15 U.S.C. § 78x(b); 17 C.F.R. §§ 200.735-3 (2010), 230.122 (2011), 240.24c-1 (1993), Covington can seek a protective order.

(Mike Frisch)