by Michael Borgia and Tyler Bourke
The court’s decision may embolden the SEC and other regulators to subpoena law firms, response vendors, and software providers in cybersecurity investigations
The U.S. District Court for the District of Columbia recently issued its highly anticipated ruling in the subpoena fight between the U.S. Securities and Exchange Commission (“SEC” or “Commission”) and the law firm Covington & Burling LLP (“Covington”). On July 24, 2023, the court in SEC v. Covington[1] ordered the firm to comply in part with an SEC administrative subpoena that had been served on the firm in March of 2022 by providing the names of seven firm clients, the material nonpublic information of which had been compromised in a cyberattack on Covington’s information technology systems in November 2020.
The SEC’s dispute with Covington has been closely watched by many in the legal industry, largely out of concern that enforcement of the SEC’s subpoena could greatly hinder lawyers’ ability to protect the confidentiality of client information following a cyberattack and more broadly allow regulators to subpoena privileged information from law firms. Yet the ultimate effect of the court’s decision on client confidentiality and legal privilege may be quite limited. The SEC ultimately agreed to limit its outstanding request only to the names of the firm’s public company clients affected by the cyberattack, and courts consistently have ruled that client names alone are not privileged. Moreover, while disclosure of the clients’ names here clearly reveals further information about those clients—specifically, that they were affected by the breach and spoke with their law firm about it—an unusual fact limits the precedential value of the SEC v. Covington decision for attorney-client privilege. Covington was both counsel for the affected clients and the victim of the breach, so the fact that the law firm and client communicated about the breach does not necessarily mean that the client sought or that the firm provided legal advice about the impact of the cyberattack or the client’s resulting obligations. A different and more troubling case would have been if the SEC subpoenaed a law firm for the names of clients it had advised on a particular cyberattack unrelated to the law firm (for example, for the names of all clients that sought counsel on the recent MOVEit compromise). Such a request would require the firm to disclose not only the client’s name but also the nature of legal advice sought or received and reveal a confidential communication as a result of the client’s name being disclosed.
A less publicized but perhaps more significant aspect of SEC v. Covington is its implications for the cybersecurity industry and cyber incident response. The outcome of the case could embolden the SEC and other regulators to subpoena a variety of third parties to investigate whether certain companies were victims of a cyberattack and, if so, how they responded. Attractive subpoena targets could include not only outside counsel, but also cyber incident response vendors, including digital forensics firms, cyber extortion negotiators, managed security services providers (MSSPs) and others, as well as third-party cloud services providers and software vendors. The threat alone of those subpoenas could discourage companies from being candid with outside security experts, thereby hobbling effective incident response, and may dissuade companies from engaging outside experts altogether.
Standing on its own, the SEC v. Covington decision appears largely unremarkable. The court applied established case law in ruling that the client names were not privileged and that SEC’s subpoena was sufficiently definite in scope and relevant to a lawful investigative purpose. The case’s legacy may well lie not in the court’s decision but in its aftermath—particularly if the SEC and other agencies seek to regularly subpoena law firms, consultants, and other third parties following a cyberattack.
CASE BACKGROUND
In November 2020, Covington became one of many victims of a cyber attack by Hafnium, a hacking group believed to be associated with the Chinese government. After becoming aware of the attack, Covington conducted an internal investigation and determined that the attackers had accessed and exfiltrated the files of numerous firm clients. Covington notified each of the affected clients of the attack and invited them to discuss the matter further. The “great majority” of the notified clients had further substantive discussions with the firm about the implications of the attack.
On March 6, 2021, the SEC began investigating possible violations of securities laws connected to Hafnium cyber-attacks, principally whether the attackers had made securities trades based on material nonpublic information and whether public companies made material misstatements about the impact of the cyber attack on their businesses. On March 21, 2022, the SEC subpoenaed Covington to disclose ten categories of information about the attack. Covington responded to each request except for one, Request No. 3, which sought: (1) the names of the firm’s public company clients impacted by the attack; (2) the nature and timing of the attackers’ activity with respect to each impacted client; and (3) any communications that Covington provided to each client regarding the attack. Covington objected to Request No. 3, citing attorney-client privilege and its attorneys’ duty to maintain client confidences under the D.C. Bar’s Rules of Professional Conduct. Covington determined that 298 of its clients affected by the cyber attack were public companies.
Through subsequent negotiation between the parties, the SEC offered to limit Request No. 3 (at least in the first instance) to only the names of the firm’s impacted public company clients. Covington continued to object on attorney-client privilege and client confidentiality grounds. For its part, Covington conducted an internal review of the files of the 298 affected public companies and determined that only seven such clients may have had material nonpublic information that may have been “viewed, copied, modified, or exfiltrated” by the hackers and that the hackers had not accessed material nonpublic information of the other 291. Unsatisfied with Covington’s internal review, the SEC continued to press for the names of all 298 clients. With the parties having reached an impasse, on January 10, 2023, the SEC filed an action in federal district court in Washington, D.C. to compel Covington to comply with the subpoena and name all 298 clients (the SEC did not seek Covington’s compliance with the other portions of Request No. 3). Following briefing from both parties, the court held oral argument on May 10, 2023. On July 24, 2023, the court issued its ruling.
DECISION
The court ordered Covington to comply with the SEC’s modified Request No. 3 seeking only the names of the impacted clients, but only for the seven clients whom Covington determined may have had material nonpublic information compromised in the cyberattack. The court rejected Covington’s arguments that these client names were protected by the attorney-client privilege and client confidentiality requirements, but also ruled that the SEC had failed to show a sufficient need for client names beyond the seven.
Attorney-Client Privilege
It is a well-established general rule that client names, standing alone, are not protected by the attorney-client privilege. However, an exception exists “if disclosure would in essence reveal a confidential communication,”[2] for example, where disclosure of a client’s name effectively would reveal that the client sought legal advice on a particular issue. Covington argued that this exception applied because the firm engaged in substantive discussions about the cyber attack and its implications with the “great majority” of affected clients, including by providing “specific information and advice” about the attack, and that clients may have relied on those discussions in determining their legal obligations. As a result, argued Covington, disclosure of the names of clients affected by the cyberattack would effectively disclose the names of clients that “received specific information and advice from Covington in connection with the cyberattack.”[3]
Holding fast to the general rule that client names are not privileged, the court rejected Covington’s argument. The court stated that the firm’s disclosure of client names would provide the SEC with no information about the substance of any legal advice sought with respect to the cyberattack, and that “[o]nly through guesswork and speculation could the SEC discern from the name of the client alone any communication’s contents.”[4] Although not stated explicitly, the court seems to have understood that the communications between Covington and the clients about the cyberattack may not necessarily have included legal advice about the attack or any other legal matters, but rather may only have been to inform clients about the attack and about which of their data had been compromised.
Investigative Authority and Client Confidentiality
After quickly dispatching Covington’s arguments about attorney-client privilege, the court dedicated most of its analysis to the issue of whether the SEC’s demand for client names was a valid exercise of its investigative authority. Covington argued that the SEC’s demand was unduly burdensome because it sought information that the firm is obligated to keep confidential under legal ethics rules and the disclosure of which could “rupture the trust between attorney and client.” An amicus brief filed by 83 law firms in support of Covington similarly argued that compelled disclosure of client names could discourage clients from seeking legal advice and turn lawyers into witnesses against their own clients in a government investigation.[5]
Relying primarily on SEC v. Arthur Young & Co.,[6] which interpreted the Supreme Court’s decision in United States v. Morton Salt Co.,[7] the court ruled that the subpoena was a valid exercise of the SEC’s investigative authority. Essentially rejecting Covington’s argument that legal ethics rules protected client names from disclosure even if the attorney-client privilege did not, the court stated that “Covington could not promise any of its clients that their identities, which generally are not protected by privilege, would remain secret in the face of a lawfully issued administrative subpoena.”
The court also rejected Covington’s argument that the SEC’s inquiry amounted to an improper fishing expedition. Quoting the Supreme Court in Morton Salt, the court stated that even a mere “official curiosity” into whether companies are complying with legal requirements may be sufficient legal grounds for an administrative subpoena.[8] The court acknowledged concerns raised by Covington and amici (both the 83 law firms and the U.S. Chamber of Commerce) that compelled disclosure of the client names could discourage clients from seeking legal advice following a cyberattack and could discourage victims from reporting attacks to federal law enforcement. The court, however, ruled that such considerations were beyond its purview, which was limited to determining whether the SEC subpoena was lawful.
Having determined that the client names were not protected by attorney-client privilege and that the subpoena was lawful, the court ordered Covington to produce the names of only the seven clients which it determined may have had material nonpublic information compromised. Covington argued that disclosing only those seven names actually would be worse than revealing all the clients, as disclosure of just the seven names effectively would reveal not only each client’s identity but also that its data was compromised in the attack and that the compromised data may have included material nonpublic information. The court acknowledged that concern but reiterated that its analysis ended with its determination that the subpoena was proper under Arthur Young. The court also rejected the SEC’s argument that it could not rely on Covington’s identification of those seven clients among the firm’s 298 affected public company clients, including because the SEC “could not independently verify Covington’s conclusions,” on the grounds that agencies always must rely on the good faith of the subpoena recipient in producing responsive information. The court stated that if the SEC contested Covington’s findings it could seek independent evaluation by the court.
TAKEAWAYS AND CONSIDERATIONS
The court’s decision in SEC v. Covington raises several important considerations for the legal and cybersecurity industries, as well as for companies victimized by cyberattacks. Notably, while most of the attention paid to this case has focused on its implications for asserting attorney-client privilege following a cyberattack, those implications may be quite limited.
Limited Implications for Attorney-Client Privilege
At first blush, the SEC v. Covington decision may appear to have serious consequences for the scope of the attorney-client privilege. As argued by Covington and the 83 amici law firms, disclosure of the client names necessarily reveals information about those clients and the nature of the discussions they had with Covington—specifically, that the clients’ data had been compromised in the attack and that the clients (or at least “the great majority” of them) discussed the attack and its implications with their law firm. Based on this, the client names would seem to be privileged because their disclosure would reveal not only the fact of an attorney-client relationship, which generally is not privileged, but also the substance of discussions between the clients and their lawyers—even if limited to advising the client that their data had been compromised. And if that is correct, then the SEC v. Covington decision could be seen as a significant weakening of the attorney-client privilege, licensing government agencies to subpoena law firms for the names of clients that have sought their advice on a particular legal issue.
However, what the court’s decision ultimately means for attorney-client privilege is blunted by an unusual fact: Although not expressly recognized by the court, Covington plays two roles in the relevant events, both that of the law firm for the affected clients and that of the company victimized by the cyberattack. Disclosure of a client’s name necessarily reveals that Covington communicated with the client about the cyberattack, but not whether Covington actually provided any advice to the client about its resulting legal obligations. Moreover, Covington may have been required by legal ethics rules and client agreements to notify affected clients of the cyberattack, irrespective of any legal advice provided or sought.[9] A different and more troubling case would have been before the court had the SEC subpoenaed Covington to disclose the names of its clients that it had counseled on a cyberattack unrelated to the cyberattack on the law firm. In such a case, disclosure of a client’s name might necessarily have revealed that the client sought or received legal advice on a particular issue. To understand this distinction, compare a ruling by the Third Circuit in United States v. Liebman with one by the Fifth Circuit in Taylor Lohmeyer Law Firm P.L.L.C. v. United States. In Liebman, the Third Circuit declined to enforce an IRS summons seeking the names of clients who paid legal fees in connection with the use of certain tax shelters, holding that disclosure necessarily would reveal the advice the clients had received.[10] In contrast, the Fifth Circuit in Taylor Lohmeyer denied a motion to quash an IRS summons for the names of firm clients that had used the firm to establish or control certain types of legal entities or financial accounts, holding that disclosure of client names would reveal only that they participated in the transactions—not the clients’ motives for seeking legal advice or the nature of the advice given.[11]
To be sure, the SEC v. Covington decision will concern lawyers, particularly those who advise clients on cyberattacks. The line between a disclosure that reveals only a client name and one that also reveals the substance of communications is blurry and difficult to discern, as evidenced by the subtle differences between the Liebman and Taylor Lohmeyer cases. Even so, Covington’s unusual role both as counsel and cyberattack victim—such that communications about the attack may or may not have involved legal advice—weakens the decision’s precedential value for the SEC or another regulator looking to subpoena a law firm. At the very least, a court considering a subpoena to a law firm for names of clients that sought advice on a particular cyberattack would readily be able to distinguish such a case from SEC v. Covington.
Chilling Communications with Outside Counsel, Incident Responders and Software Providers?
Covington and the 83 law firm amici also argued that enforcement of the SEC subpoena could seriously disrupt attorney-client relationships and discourage clients from seeking legal advice following an attack. These concerns are valid (as the court recognized) and apply well beyond law firms.
Following discovery of a cyberattack, companies may employ a number of outside experts to assist with the response, investigation, and recovery. Digital forensics experts may be engaged to investigate how the attack occurred and what data was accessed, IT consultants may assist with restoring and recovering affected computers, MSSPs and outsourced security operations centers (SOCs) may help block malicious Internet traffic, remove malware, install software patches and change compromised passwords, cyber extortion experts may lead negotiations with ransomware gangs and other extortionists, and e-discovery and data analytics firms may review and catalogue compromised files and data elements. And, of course, law firms may advise clients on data breach notification and incident reporting requirements, evidence preservation requirements, litigation risks, and other legal matters arising from the attack. These service providers are routinely exposed to extremely sensitive information about the victim company and its operations, so confidentiality is vital to these relationships.
Notably, the communications between victim companies and these other (non-law firm) types of service providers often will not be protected by attorney-client privilege or other discovery protections. While law firms typically will be able to shield the substance of communications with a victim company from disclosure, these other types of providers often will have no such ability. Victim companies may be able to assert privilege for their communications with a vendor where the victim’s law firm hires the vendor to assist its lawyers’ provision of legal advice related to the cyberattack, but several recent federal court decisions make this more difficult.
If it becomes commonplace for the SEC and other agencies to subpoena these types of service providers, companies that are victimized by cyberattacks may be hesitant to engage them. Companies may decline to engage such firms at all, or may be much more selective about the information they provide, perhaps asking them to investigate only very specific issues and providing them only carefully curated evidence. This could result in poorer investigations of and responses to cyberattacks, as companies attempt to handle complex cyberattacks without outside expert assistance or with only limited assistance.
A similar problem may arise where companies are compromised through attacks on their cloud services providers or software supply chain. Successful response to these attacks can require significant coordination between customers and the vendor. The vendor may provide its affected customers with guidance on how to identify and investigate the attack, copies of logs and other forensic evidence customers need to assess their legal obligations, and technical assistance with containment and remediation measures. As with incident response vendors, customers may be loath to identify themselves as compromised to their cloud services provider or other vendor out of fear that the vendor will be served with a government subpoena requiring it to disclose communications with the customer about the attack. The problem may compound with large-scale attacks affecting thousands of companies across the economy, such as the attacks on SolarWinds, Kaseya, and Progress Software’s MOVEit applications. Effective coordination with vendors may be especially crucial here given the size and complexity of these attacks. Yet, companies may reasonably believe that subpoenas on affected vendors are especially likely following these massive attacks, making companies particularly hesitant to engage with the vendor.
Finally, as the SEC v. Covington court recognized, vendors that are victimized by cyberattacks may be less inclined to report the attack to the FBI, making it more difficult for law enforcement to investigate and track cybercriminals. The FBI reiterates that it has no practice of sharing incident reports with the SEC and other civil enforcement agencies. Even so, a vendor may be sufficiently worried that if an FBI report is shared with other government agencies, the vendor will be hit with a subpoena forcing it to identify its affected customers. The vendor may instead leave it to each affected customer to decide whether notification to the FBI is appropriate.
CONCLUSION
Covington still has time to appeal the district court’s decision, so this matter may be far from over. But based on the district court’s decision, it appears that the impact of SEC v. Covington may lie not so much in its rulings on the attorney-client privilege or the enforceability of agency subpoenas, but rather in its implications for law firms, forensic consultants, cloud services providers, and others that advise and coordinate with companies in responding to cyberattacks. Confidentiality is essential to the relationships between these providers and cyberattack victims, and a practice of permitting governmental entities to subpoena incident responders, software providers and others could discourage victims from seeking expert assistance and candid advice.
Footnotes
[1] SEC v. Covington & Burling, LLP, No. 23-MC-00002 (APM), 2023 WL 4706125 (D.D.C. July 24, 2023).
[2] Id. at *7.
[3] Id. at *8-*9.
[4] Id. at *9.
[5] Brief of 83 Law Firms as Amici Curiae Supporting Respondent at 4‑5, SEC v. Covington, No. 23-MC-00002 (APM) (D.D.C. July 24, 2023).
[6] 584 F.2d 1018 (D.C. Cir. 1978).
[7] 338 U.S. 632 (1950).
[8] SEC v. Covington, 2023 WL 4706125 at *17.
[9] See, e.g., ABA Comm. on Pro. Ethics & Grievances, Formal Op. 483 (2018) (stating that “an obligation exists for a lawyer to communicate with current clients about a data breach.”).
[10] 742 F.2d 807, 810 (3d Cir. 1984).
[11] 957 F.3d 505, 512 (5th Cir. 2020).
Michael Borgia is a Partner and Tyler Bourke is an Associate at Davis Wright Tremaine LLP.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).