chevron-down Created with Sketch Beta.


Can a Law Firm be Compelled by Administrative Subpoena to Disclose Client Names? Sometimes

Andrew McLure Toft

Can a Law Firm be Compelled by Administrative Subpoena to Disclose Client Names? Sometimes
Andrew Brookes via Getty Images

SEC v Covington & Burling LLP, USDC, District of Columbia, Case No. 1:23-mc-00002-APM

D.C. Cir. Docket No. #23-5212

“This case concerns the intersection of a federal law enforcement agency’s interest in rooting out possible law violations and a law firm’s ethical obligations to its clients.” Memorandum Opinion, p.1.

In November 2020, Covington & Burling, LLP (C&B) was the subject of a cyberattack by a “threat actor” that investigations determined was most likely sponsored by the Chinese government. After learning of the unauthorized access, C&B notified potentially affected clients and notified the FBI as part of the firm’s investigation and remediation. In March 2021, the Securities and Exchange Commission (SEC) opened an investigation into possible violations of securities law arising out of the cyberattack. In early 2022, the SEC learned that the perpetrators of the cyberattack had been able to access the files of a number of SEC-regulated publicly traded companies that C&B represented or about whom C&B otherwise possessed information. The SEC issued an administrative subpoena to C&B for a number of categories of records, one of which included documentation and communications sufficient to identify C&B’s impacted clients. C&B objected on the grounds that it could not identify clients consistent with Model Rule of Professional Conduct 1.6 (Confidentiality of Information) and other duties. Negotiations and further investigation resulted in C&B concluding that of 298 companies affected by the SEC’s subpoena, the “threat actor” had not accessed any material nonpublic information of 291 companies. It was possible that this information was accessed for the remaining seven. Nonetheless, the SEC wanted the names of all 298 companies. C&B did not agree, and in January 2023, the SEC filed an enforcement action. C&B contended that it could not be compelled to release the client names based primarily on (a) attorney-client privilege, and (b) the argument that the SEC’s subpoena violated the Fourth Amendment.

The court gave short shrift to the attorney-client-privilege argument, citing several cases out of the U.S. District Court for the District of Columbia that are clear in their holdings that client identity is not protected by the attorney-client privilege absent special circumstances. Further, client identity does not reveal any protected communications. The limited exception cited by the court is that a “client’s identity is privileged if disclosure would in essence reveal a confidential communication.” C&B was concerned that the subpoena was only the first step in a process that would lead to a request for protected information. In short, the court replied that if the SEC subsequently did so, that request would “rise or fall on its own merits.” The court also pointed out the fact that a communication that exists between a lawyer and her or his client is not itself privileged; only the content of the communication may be protected.

The court next dealt with the issue of whether the SEC’s investigative authority was validly exercised when the SEC demanded the names of nearly 300 of C&B’s clients. The court first pointed out that the Fourth Amendment “requires that the subpoena be sufficiently limited in scope, relevant in purpose, and specific in directive so that compliance will not be unreasonably burdensome.” Under D.C. Circuit precedent, the proper standard to use when evaluating an SEC subpoena is an inquiry into the scope, purpose, and burden of the SEC’s subpoena. C&B argued that the existence of an attorney-client relationship involves extraordinary privacy interests, but the court gave this argument short shrift as well. The court pointed out the mere fact that an attorney-client relationship is in the public domain based on such things as court proceedings, appearances before governmental agencies, and information disclosed in business transactions. Such disclosures, according to the court, highlight that clients often have a diminished expectation of privacy in the mere fact of the attorney-client relationship. C&B made a number of other arguments, all of which the court dismissed.

While C&B largely lost the battles, it largely won the war. The court determined there was no reason for C&B to disclose the names of the 291 clients whose material nonpublic information the perpetrator of the cyberattack had not accessed. The court stated that C&B had “not contested that the demand for its affected clients’ names is limited in scope and relevant in purpose, and the court has found that the demand, as modified, is not unduly burdensome. That is where the inquiry ends.”

This fight is not over. The case is on appeal, D.C. Cir. Docket No. #23-5212, by a “John Doe,” perhaps one of the seven clients whose name was to be revealed.

The case is a reminder of the very real threat of cyberattacks against law firms. It also provides a good discussion of the scope of the attorney-client privilege and Rule 1.6. Finally, for those who do work before administrative agencies, it is a valuable review of enforcement powers and the proper scope of an administrative subpoena.