SEC Sues Law Firm to Compel Disclosure of Client Information Following Cyberattack

On January 10, 2023, the U.S. Securities and Exchange Commission (“SEC”) sued the law firm Covington & Burling LLP (“Covington”) in U.S. District Court for the District of Columbia. The SEC seeks to compel Covington to comply with an investigative subpoena for documents stemming from the November 2020 Microsoft Hafnium cyberattack. Threat actors obtained unlawful access to non-public files of nearly 300 of Covington’s clients that are regulated by the SEC.

In March 2022, after the SEC learned of the cyberattack against Covington, the SEC issued a document subpoena to Covington, with which Covington partially complied. However, Covington declined to disclose the names of its clients whose files were viewed, copied, modified, or exfiltrated by the threat actors, asserting that it was precluded from doing so by the attorney-client privilege, which led to the SEC’s lawsuit filed on January 10, 2023.

The SEC maintains that knowing the identity of Covington’s SEC-regulated clients is necessary pursuant to its mandate to enforce securities laws, in particular by allowing the SEC to identify suspicious trading activity by the threat actors or others in the securities of those companies whose files were accessed. The SEC asserts that securities laws may have been violated by trading on material, non-public information accessed through the cyberattack. The SEC also wishes to determine whether Covington’s impacted clients made required disclosures to the investing public arising from the cyberattack.

The decision to authorize the Covington lawsuit was the subject of a vote of the SEC’s five commissioners. The SEC advised Law360 that the vote breakdown would be available on the SEC website “sometime soon.” At least one commissioner, Mark Uyeda, told Law360 that he has concerns “about us doing enforcement actions against law firms where you have potential privileges at stake.” Prior to the recent lawsuit, Covington challenged the SEC’s 2022 subpoena, arguing through its lawyers at Gibson Dunn that the SEC’s “attempt to pry client confidences from an innocent law firm to assess whether any securities violations have taken place charts a perilous new course that threatens to chill the relationship between public companies and their counsel.” In its lawsuit, the SEC contends that its effort to identify the impacted Covington clients does not seek disclosure of attorney-client communication, nor is Covington’s list of impacted clients work product.

Covington is expected in its response to the newly-filed lawsuit to reiterate its prior stated argument that under the D.C. Rules of Professional Conduct, Covington can “no more disclose the identity of its clients than its privileged communications.” The applicable D.C. rule of professional conduct (1.6) contains an exception which calls for certain disclosures when “required by law or court order,” which the SEC contends may be applicable here. Covington previously argued, however, that in the context presented here, “we believe it is unlikely that any federal court or state bar would endorse such a sweeping vitiation of the protections Rule 1.6 affords law firm clients.” Covington’s counsel also previously asserted that the SEC’s tactics will discourage law firms from self-reporting future cyberattacks out of concern that this could lead to meddling by the SEC and other government agencies in its attorney-client communications and relationships. Covington notes that it reported the attack to the Federal Bureau of Investigation (FBI) which, in contrast to the SEC, did not seek the identity of Covington’s clients.

At this time, Covington’s formal response to the SEC’s lawsuit is awaited. We are monitoring this matter closely for its potential impacts on law firms and their publicly traded clients and possibly even non-publicly owned clients, depending on what the court concludes regarding the proper scope of government investigations. We expect that a decision adverse to Covington will put law firms in a situation where they may be forced to choose between complying with the Rules of Professional Conduct and complying with a court-ordered subpoena. This could have far-reaching implications for ethical duties owed to clients and could dramatically increase the complexity for lawyers and clients in their desire to protect confidential information.
