SEC v Covington & Burling LLP, USDC, District of Columbia, Case No. 1:23-mc-00002-APM
D.C. Cir. Docket No. #23-5212
“This case concerns the intersection of a federal law enforcement agency’s interest in rooting out possible law violations and a law firm’s ethical obligations to its clients.” Memorandum Opinion, p.1.
In November 2020, Covington & Burling, LLP (C&B) was the subject of a cyberattack by a “threat actor” that investigations determined was most likely sponsored by the Chinese government. After learning of the unauthorized access, C&B notified potentially affected clients and notified the FBI as part of the firm’s investigation and remediation. In March 2021, the Securities and Exchange Commission (SEC) opened an investigation into possible violations of securities law arising out of the cyberattack. In early 2022, the SEC learned that the perpetrators of the cyberattack had been able to access the files of a number of SEC-regulated publicly traded companies that C&B represented or about whom C&B otherwise possessed information. The SEC issued an administrative subpoena to C&B for a number of categories of records, one of which included documentation and communications sufficient to identify C&B’s impacted clients. C&B objected on the grounds that it could not identify clients consistent with Model Rule of Professional Conduct 1.6 (Confidentiality of Information) and other duties. Negotiations and further investigation resulted in C&B concluding that of 298 companies affected by the SEC’s subpoena, the “threat actor” had not accessed any material nonpublic information of 291 companies. It was possible that this information was accessed for the remaining seven. Nonetheless, the SEC wanted the names of all 298 companies. C&B did not agree, and in January 2023, the SEC filed an enforcement action. C&B contended that it could not be compelled to release the client names based primarily on (a) attorney-client privilege, and (b) the argument that the SEC’s subpoena violated the Fourth Amendment.