The U.S. District Court for the District of Columbia recently issued a decision in a hotly contested (and closely watched) dispute between the Securities and Exchange Commission (the “SEC”) and international law firm Covington & Burlington (“Covington”) concerning the SEC’s administrative subpoena for a list of Covington public company clients impacted by a cyberattack that potentially misappropriated material, non-public information (or “MNPI”). Covington refused, arguing, among other things, that revealing client names under these circumstances would not only violate the attorney-client privilege, but would also breach the firm’s duty of confidentiality owed to its clients and violate clients’ privacy rights.

After reviewing briefs submitted by both sides, including dozens of amici from the defense bar, and hearing oral argument, the court ultimately held that Covington must disclose the names of the seven clients as to whom Covington has not been able to rule out that the threat actor accessed MNPI.

The Cyberattack - Background

According to papers filed with the court, threat actors gained unauthorized access to Covington’s computer networks in November 2020, potentially misappropriating MNPI of up to 298 of the firm’s public company clients (the “Cyberattack”). In March 2022, the SEC served Covington with an administrative subpoena seeking, among other things, the names of all clients impacted by the breach. Although Covington complied with every other request, it pushed back on the request for client names. According to Covington, it conducted an internal investigation and determined that the threat actors potentially gained access to the MNPI of only seven clients. Still, the SEC remained steadfast on its request for the list of all 298 clients. On January 10, 2023, the SEC filed an application for an order to show cause in the U.S. District Court for the District of Columbia, seeking a court order directing Covington’s compliance with its subpoena.

The SEC’s Position

The SEC argued that it needed the information to achieve its overarching goal of “protecting investors.” More specifically, the SEC advanced three arguments supporting its request: First, knowing the companies impacted by the Cyberattack would then help the SEC identify suspicious trading in those companies. Second, disclosure would allow the SEC to investigate whether there was any insider trading. Last, the SEC could determine whether companies which had MNPI stolen made required public disclosures to the investing public.

Covington’s Response

In response, Covington refused to provide the list of client names for three main reasons: First, the identity of the firm’s clients is privileged “under the circumstances of th[e] case.” Second, Covington’s ethical and fiduciary duties to its clients–including duties of confidentiality–trumps compliance with an administrative subpoena. And last, any speculative interest the SEC might have is outweighed by the privacy interests of Covington’s clients.

While the Court substantively addressed the judicial enforcement of administrative subpoenas, much of the attention leading up to the decision focused on the privilege prong of the dispute. Although Covington acknowledged that client names are not presumptively privileged, they argued that two exceptions applied that ultimately protected disclosure: (i) “client’s identity is sufficiently intertwined with the client’s confidences,” and (ii) where disclosing the name of the client “would reveal its motive in seeking legal representation.”

Covington first argued that disclosing client identities to the SEC would inevitably lead to the SEC’s demand for the content of privileged client files, as the two are closely intertwined halves of the agency’s inquiry as to whether threat actors accessed MNPI. Additionally, Covington shared with the SEC that certain clients responded to the Firm’s outreach concerning the breach and engaged in further communications with Covington, including substantive advice in connection with the Cyberattack. Covington therefore argued that by revealing client identities, “it would apprise the SEC which clients received specific information and advice from the Firm,” and therefore effectively reveal the content of those privileged client communications.

The District Court’s Decision

Following a May 10, 2023 hearing and unsuccessful attempts at settlement, District Court Judge Amit Mehta issued his decision on July 24, granting in part the SEC’s application and ordering Covington to produce the names of seven clients as to whom Covington has not been able to rule out that the threat actor accessed MNPI. As the basis for his decision, Judge Mehta rejected Covington’s assertion of privilege, noting that the prospect of the SEC demanding confidential materials following disclosure “cannot transform a present request for nonprivileged client identities into a privileged one.” Additionally, Covington’s disclosure of client names would not reveal the existence or nature of any client communications beyond mere speculation. The court did, however, modify the SEC’s subpoena to compel the identities of only the seven of 298 total clients whose MNPI was potentially accessed by threat actors. The court found that the remaining 291 clients are not relevant to the SEC’s investigation and therefore beyond the scope of the agency’s otherwise “broad” investigatory powers.

Conclusion

Law firms–and by association their clients–are certainly not immune to cyberattacks in the current cyber threat landscape. A 2022 American Bar Association survey revealed that more than a quarter of U.S. law firms had experienced a security breach in the prior year. The Court’s recent opinion should instruct how law firms address issues regarding attorney-client privilege, confidentiality, and privacy in responding to similar administrative subpoenas.