By John Filar Atwood
The SEC has brought an action in the D.C. District Court seeking to compel multinational law firm Covington & Burling LLP to divulge the names of clients impacted by a November 2020 Microsoft Hafnium cyberattack. The Commission is investigating whether any persons involved in or impacted by the attack have been engaging in violations of federal securities laws through access to material, non-public information about Covington’s clients (SEC v. Covington & Burling LLP, January 10, 2023).
The facts, which are outlined in a declaration by an SEC enforcement attorney, indicate that cyber attackers gained unauthorized access to Covington’s IT network including access to non-public information of 298 of its clients that are regulated by the SEC. Covington admitted that a foreign actor intentionally and maliciously accessed its clients’ files.
As a result, the Commission, through its Enforcement Division, is investigating whether the attackers, or any other person, may have accessed and traded on the basis of material, non-public information concerning the cyberattack. The staff also is investigating whether any person may otherwise have made materially false or misleading statements, or omitted to state material facts, concerning the impact of the cyberattack in violation of federal securities laws.
Subpoena. As part of its investigation, the SEC issued a subpoena to Covington in March 2022 that called for the production of certain documents related to the attack. Covington complied with all elements of the subpoena except for the request (Request No. 3) for the names of any public companies that were impacted by the unauthorized activity, the nature of the suspected unauthorized activity concerning the companies, and any communications provided to the companies concerning the suspected unauthorized activity. The law firm refused Request No. 3, citing its confidentiality obligations under the D.C. Rules of Professional Conduct.
After lengthy negotiations on the matter, the SEC agreed to reduce Request No. 3 simply to the names of the 298 public companies impacted by the attack. However, the parties were still unable to reach an agreement, so the Commission is now seeking an order to compel compliance with the subpoena or an order to show cause why the first order should not be issued.
In support of its request, the SEC argued that neither Covington’s position as a victim of a cyberattack, nor the fact that it is a law firm, insulates it from the Commission’s investigative responsibilities. Further, the SEC claimed that the subpoena, including Request No. 3, satisfies all requirements for subpoena enforcement, does not infringe on any privilege, is not unduly burdensome, and would not cause Covington to violate the D.C. Rules of Professional Conduct.
Citing U.S. v. Powell, the Commission claimed that an administrative agency’s investigative subpoenas should be judicially enforced if the following criteria are met: 1) its investigation will be conducted pursuant to a legitimate purpose, 2) the subpoena seeks information that may be relevant to the purpose, 3) the information sought is not already within the SEC’s possession, and 4) all administrative steps required have been followed.
Legitimate purpose. The SEC reasoned that its inquiry has a legitimate purpose because it is being conducted pursuant to authority vested in the Commission by Congress. Congress gave the SEC broad authority to conduct investigations into whether any person has violated federal securities laws, the SEC notes, and in this case it is concerned that the cyber attackers viewed or extracted material non-public information.
The SEC needs access to the names of the 298 impacted clients, it claims, because it then can use its investigatory tools to identify any suspicious trading in those companies’ securities, and investigate whether such trading was part of an illegal trading scheme based on material non-public information obtained in the attack. The subpoena is within the scope of the Commission’s Congressionally-authorized law enforcement powers, it stated, and therefore has a legitimate purpose.
On the matter of whether the information sought by Request No. 3 is relevant to the investigation, the SEC noted that the Commission is investigating whether there have been violations of the federal securities laws in connection with the attack. The Commission added that the kinds of violation being investigated—possible insider trading and/or improper disclosure—are violations for which the agency has brought enforcement actions many times in the past.
The Commission confirmed that the information sought is not in its possession because Covington has refused to produce it and the SEC has no other way to obtain it. The SEC acknowledged that it can use its proprietary tools to survey the market for potential illicit trading in the shares of all publicly traded companies, but without knowing which companies are Covington’s clients, the staff would be unable to do that for companies involved in the attack.
Privileged and protected information. The SEC believes that Request No. 3 does not infringe on any privilege or the D.C. Rules of Professional Conduct. In its opinion, the subpoena does not call for protected information, and the Commission is not seeking privileged communications between Covington and its clients. Moreover, in agreeing to limit Covington’s response to Request No. 3 to only the names of impacted regulated clients, the SEC argued that it has eliminated the risk that any attorney-client communications would be responsive to the subpoena.
The SEC urged the court to agree with its view that the identity of clients impacted by the cyberattack is not privileged. The Commission noted that the list of 298 impacted clients is not protected work product prepared in anticipation of litigation. Rather, Covington prepared the list with the business intention of reaching out to inform clients that their information had been accessed.
The SEC further argued that even if the identity of impacted clients could be considered work product, the information would be factual work product over which the privilege doctrine is not absolute. The work product privilege is overcome, in the SEC’s view, because the Commission has a substantial need for the client list and cannot, without undue hardship, obtain its substantial equivalent by other means.
D.C. rules of conduct. The Commission believes that the D.C. Rules of Professional Conduct specifically permit law firms to produce client confidential information in response to a valid subpoena. It noted that D.C. Rule of Professional Conduct 1.6(a)(1) generally prevents an attorney from “knowingly... reveal[ing] a confidence or secret of the lawyer’s client.” However, Rule 1.6(e)(2)(a) provides an exception to the general rule and permits the lawyer to “reveal client confidences or secrets” when “required by law or court order.”
The SEC noted that the D.C. District Court has previously held that a subpoena is a court order subject to exception under Rule 1.6(e). Specifically, in a case relating to Cooke Legal Group, the court held that Rule 1.6 did “not bar [the law firm] from complying with the instant subpoena, but instead specifically permits the firm to do so” because of the application of the Rule 1.6(e) exception.
The Commission further noted that multiple other courts have interpreted similar provisions in state ethics rules to allow the production of documents in response to subpoenas from executive agencies, including subpoenas issued by the SEC. In cases such as Selevan v. SEC, FTC v. Trudeau and SEC v. Sassano, the courts held that a validly issued subpoena from an executive agency was sufficient to overcome the party’s objection under the Rule 1.6(e) exception. Accordingly, the SEC argued that its subpoena’s requested information falls squarely within the Rule 1.6(e) exception and requires Covington to produce responsive information.
The case is No. 1:23-mc-00002.