UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA _________________________________________ ) SECURITIES AND EXCHANGE ) COMMISSION, ) ) Applicant, ) ) v. ) Case No. 23-mc-00002 (APM) ) COVINGTON & BURLING, LLP, ) ) Respondent. ) _________________________________________ )
MEMORANDUM OPINION
I. INTRODUCTION
This case concerns the intersection of a federal law enforcement agency’s interest in
rooting out possible law violations and a law firm’s ethical obligations to its clients. On March
21, 2022, the Securities and Exchange Commission (“SEC” or “the Commission”) served a
subpoena on Covington & Burling, LLP (“Covington”), a multinational law firm headquartered in
Washington, D.C. The subpoena sought information relating to a cyberattack on Covington’s
information technology systems that had occurred a year prior. Covington largely complied with
the subpoena. It balked, however, in one key respect. Citing its ethical obligation to protect its
clients’ identities, Covington refused to disclose the names of its nearly 300 public company clients
whose files had been compromised by the attack.
The SEC now moves to compel disclosure of the withheld client names. The Commission
says it has a legitimate purpose in seeking that information: it is investigating whether there have
been violations of the securities laws arising from the cyberattack on Covington’s systems, and
the information is necessary to determine (1) whether any illegal trading occurred using material nonpublic information, or (2) whether any publicly traded issuers failed to make disclosures
relating to the cyberattack.
Covington cries foul. It asserts that the SEC’s demand exceeds its investigative authority,
as there is no valid purpose in demanding client information where there is no suspicion of
wrongdoing by the firm or any client. It also sounds the alarm that, if the SEC’s subpoena is
enforced, the Commission will become emboldened to target law firms with greater frequency and
serve even more intrusive demands for information.
The court finds some merit to both parties’ positions, but ultimately holds that the SEC’s
demand for the names of affected clients does not exceed its statutory authority or cross any
constitutional lines. The SEC is not, however, entitled to all affected client names. Its demand is
too broad. The agency concedes that it is only interested in the names of those Covington clients
whose material nonpublic information was accessed during the cyberattack, and the firm has
reported that only a handful of its clients were potentially so impacted. The court therefore will
require Covington to disclose the names of the seven clients as to whom it has not been able to
rule out that the threat actor accessed material nonpublic information.
Accordingly, as further explained below, the Commission’s application to compel is
granted in part and denied in part.
II. BACKGROUND
A. The Hafnium Cyberattack
In November 2020, threat actors exploited vulnerabilities in Microsoft’s Exchange Server
software “to gain ‘access to email accounts’ and to install ‘malware to facilitate long-term access
to victim environments.’” Opp’n of Covington & Burling to SEC Mot., ECF No. 14 [hereinafter
Covington Opp’n], at 7 (quoting Microsoft Security Blog, Hafnium Targeting Exchange Servers
2 with 0-Day Exploits (Mar. 2, 2021), https://perma.cc/A7EK-6A8Z). Four months later, on March
2, 2021, Microsoft disclosed the cyberattack and “expressed ‘high confidence’ that Hafnium, a
group of hackers associated with the Chinese government, had perpetrated the attacks.” Id.
Covington & Burling—a large, multinational law firm based in Washington D.C.—uses
Microsoft’s Exchange Server software. Covington Opp’n, Decl. of David Fagan, ECF No. 14-1
[hereinafter Fagan Decl.], ¶ 5. Covington “launched an investigation to determine whether
unauthorized parties had gained access to its network” during the Hafnium Cyberattack and
“ultimately determined that a threat actor had been able to compromise Covington’s Exchange
environment.” Id. ¶¶ 5–6. After learning of the unauthorized access, Covington compiled a list
of potentially affected clients and sent them a “very simple message alerting them to that fact and
inviting each client to discuss the matter.” SEC’s App. for an Order to Show Cause, ECF No. 1
[hereinafter SEC Mot.], Decl. of W. Bradley Ney, ECF No. 1-1 [hereinafter Ney Decl.], at 38.
“Within days of discovering the cyberattack, Covington notified, and began cooperating with, the
FBI as part of the firm’s investigation and remediation of the cyberattack.” Fagan Decl. ¶ 7.
As it turned out, over the course of approximately four months, the hackers undertook “a
series of malicious activities” against Covington’s computer network, “including stealing
credentials and engaging in search, reconnaissance, and export activity.” Id. ¶ 8. Specifically,
“[t]he threat actor collected email from certain Outlook accounts and accessed folders on dedicated
network drives for a small group of lawyers and advisors whose work or experience related to
matters of particular policy interest to the People’s Republic of China.” Id. ¶ 9. “Through its own
investigation and its cooperation with the FBI, Covington determined that the threat actor was
most likely sponsored by the Chinese government and was very likely engaged in an espionage
3 campaign to gather information from Covington’s lawyers about the incoming Biden
Administration and policy issues of interest to China.” Id. ¶ 10.
B. The SEC’s Investigation
On March 6, 2021, roughly a year after Microsoft’s disclosure, the Commission “opened
an investigation into possible violations of the federal securities laws” connected to the Hafnium
Cyberattack. Ney Decl. ¶ 3. Principally, the SEC sought to determine whether threat actors
“accessed and traded on the basis of material, non-public information,” and whether public
companies “made materially false or misleading statements, or omitted to state material facts,
concerning the impact of the Cyberattack in violation of federal securities laws.” Id. ¶ 5. In early
2022, the SEC learned that “the threat actors were able to gain access to certain client files,
including the files of various public companies regulated by the Commission who were either
represented by Covington, or about whom Covington possessed information.” Id. ¶ 6.
On March 21, 2022, the Commission issued a subpoena to Covington for records relating
to the Cyberattack. Id. ¶ 7. Generally speaking, the subpoena “called for the production of certain
documents concerning the threat actors’ access to Covington’s systems, including the identity of
any public companies whose files may have been accessed in connection with the Cyberattack.”
Id. The subpoena sought ten categories of records. Id., Ex. A at 17–19. Covington produced
records or provided narrative responses to nine of the ten requests. Covington Opp’n, Decl. of
Gerald Hodgkins, ECF No. 14-2 [hereinafter Hodgkins Decl.], ¶ 16. It objected, however, to
Request No. 3. Id. ¶ 18. That demand sought documents and communications sufficient to
identify (1) Covington’s impacted clients, (2) the “nature of the suspected unauthorized activity
Concerning the client or other impacted party, including when the activity took place and the
amount of information that was viewed, copied, modified, or exfiltrated,” and (3) “[a]ny
4 Communications provided to the client or other impacted party Concerning the suspected
unauthorized activity.” Ney Decl., Ex. A at 17–18.
Covington determined that Request No. 3 applied to 298 public company and other SEC-
regulated clients (“public company clients”). Hodgkins Decl. ¶ 19. Covington objected to
Request No. 3 on the grounds that it “could not identify its affected clients or produce the requested
communications consistent with the attorney-client privilege and the firm’s fiduciary duties, duty
of loyalty, and duty of confidentiality it owes its clients, including under D.C. Rule of Professional
Conduct 1.6.” Id. ¶ 20. Rule 1.6(a) states that “a lawyer shall not knowingly . . . reveal a
confidence or secret of the lawyer’s client.” D.C. Bar R. 1.6(a)(1). The D.C. Bar has interpreted
the term “secrets” to include “the mere fact that a client is being represented by an attorney.”
D.C. Bar Op. No. 124, at 207.
C. Subpoena Negotiation
Following Covington’s objection, the parties entered into protracted negotiations regarding
the scope of Request No. 3. Hodgkins Decl. ¶¶ 21–23. The SEC responded by narrowing its
request slightly, in response to which one Covington client agreed to produce the requested
information. Id. ¶ 24.
Eventually, on August 3, 2022, the SEC offered another compromise: that Covington
produce “only the names of [Covington’s] impacted public company clients in the first
instance.” Covington Opp’n, Decl. of Katherine Meeks, ECF No. 14-3, at 4 (emphasis in original).
Another client agreed to disclosure of “only its name.” Hodgkins Decl. ¶ 26. Otherwise, “[n]o
other Covington client has consented to the release of its name or any communications concerning
the cyberattack to the SEC.” Id. ¶ 27.
5 Following a meeting with the SEC on August 24, 2022, Covington undertook an internal
review of its affected files to “identify how many, if any, of the 298 clients it believed had material,
non-public information that may have been viewed, copied, modified, or exfiltrated by the threat
actors.” Ney Decl. ¶ 13; Hodgkins Decl. ¶¶ 28, 30. Covington “concluded that the threat actor
had not accessed [material nonpublic information] for 291 of the 298 public companies affected
by the SEC’s subpoena,” and “could not rule out that the threat actor accessed [material nonpublic
information] for the remaining seven.” Hodgkins Decl. ¶¶ 35–36. It communicated this
information to the agency. Id. ¶ 37.
Covington’s internal review did not satisfy the SEC. “The Commission has been unable
to verify the information provided by Covington and disagrees with Covington’s methodology for
determining what constitutes material, non-public information.” Ney Decl. ¶ 13. Having reached
an impasse, the SEC insisted that Covington disclose the names of the nearly 300 affected clients.
Hodgkins Decl. ¶ 39.
On January 10, 2023, the SEC filed the instant application to enforce the subpoena.
See SEC Mot. The court then issued an Order to Show Cause, which directed Covington “to show
cause why the court should not enter an order compelling its compliance with the [SEC’s]
subpoena.” Order to Show Cause, ECF No. 9. The parties’ briefing, as well as those of amicus
curiae, 1 followed. Covington Opp’n; Reply Mem. of L. in Further Supp. of SEC Mot., ECF No.
35 [hereinafter SEC Reply]. The court held oral argument on May 10, 2023. Hr’g Tr.,
ECF No. 36.
1 The court received and reviewed amicus briefs from (1) 83 law firms, (2) the Reporters Committee for Freedom of the Press, (3) the Chamber of Commerce, and (4) the Association of Corporate Counsel. See Br. of 83 Law Firms as Amici Curiae in Supp. of Covington & Burling, ECF No. 17; Br. of the Reporters Comm. for Freedom of the Press as Amicus Curiae in Supp. of Resp., ECF No. 18; Amicus Curiae Br. of the Chamber of Commerce of the U.S. in Supp. of Resp., ECF No. 19; Amicus Curiae Br. of Ass. of Corp. Counsel in Supp. of Resp., ECF No. 26.
6 III. DISCUSSION
Covington maintains that it cannot be compelled to disclose the affected client names on
two primary grounds. First, it contends that the client names are protected by the attorney-client
privilege. Covington Opp’n at 19–20. Second, it says that the SEC’s demand is “an unreasonable
fishing expedition that violates the Fourth Amendment.” Id. at 20. 2
A. Attorney-Client Privilege
The court starts with the privilege assertion. “Federal courts have found that, absent special
circumstances, client-identity is not protected by the attorney-client privilege.” United States v.
Hunton & Williams, 952 F. Supp. 843, 856 (D.D.C. 1997) (citing Clarke v. Am. Com. Nat’l Bank,
974 F.2d 127, 129–30 (9th Cir. 1992)); see also Cause of Action Inst. v. United States Dep’t of
Just., 330 F. Supp. 3d 336, 350 (D.D.C. 2018) (“Under the general rule, the attorney-client
privilege does not protect from disclosure the identity of the client and the general purpose of the
work performed.”) (cleaned up); United States v. Leventhal, 961 F.2d 936, 940 (11th Cir. 1992);
United States v. Goldberger & Dubin, P.C., 935 F.2d 501, 505 (2d Cir. 1991)); In re Grand Jury
Subpoena, 204 F.3d 516, 520 (4th Cir. 2000). “These courts have found that client identity does
not constitute a privileged communication because it does not reveal a ‘fundamental
communication in the attorney-client relationship.’” Hunton & Williams, 952 F. Supp. at 856.
There is a limited exception to that general rule. “[A] client’s identity is privileged if
disclosure would in essence reveal a confidential communication.” In re Grand Jury Subpoena,
2 Covington devotes the first part of its brief to arguing that it could not comply with “Request No. 3 when served” because it had a fiduciary duty under D.C. Bar Rule 1.6 to resist divulging its clients’ names. Covington Opp’n at 13–19 (emphasis added). That argument is largely an academic one. Rule 1.6(e)(2)(A) authorizes a lawyer to disclose a client’s confidences and secrets when “required by law or court order.” D.C. Bar R. 1.6(e). The parties debate whether an SEC subpoena qualifies as a “court order,” such that Covington could have made the requested disclosure without judicial compulsion. See SEC Mot. at 13–14; Covington Opp’n at 15–18. But the court has no occasion to reach this issue, as an order from this court mandating disclosure would permit Covington to comply with Request No. 3, as narrowed, without running afoul of Rule 1.6.
7 204 F.3d at 520; see also In re Shargel, 742 F.2d 61, 64 (2d Cir. 1984) (recognizing that “there
may be circumstances under which the identification of a client may amount to prejudicial
disclosure of a confidential communication”) (internal quotation marks and citation omitted).
Covington argues that the exception applies here for two reasons.
It first maintains that “the SEC’s demand for client names is only the first step toward an
inevitable demand for privileged information and work product” because the Commission seeks
the client list in part to investigate insider trading; thus it “will need to probe for details about the
content of the files accessed by the threat actor” to determine whether they contained material
nonpublic information that “could be exploited for insider trading.” Covington Opp’n at 19;
Hr’g Tr. at 41 (arguing that the Commission “would need more information, they’d need to know
what information was accessed, they’d need more details in order to conduct this investigation”).
But the mere prospect that the SEC might demand actual confidential matter cannot transform a
present request for nonprivileged client identities into a privileged one. If the SEC eventually does
demand client confidences, that request will rise or fall on its own merits.
Covington’s second argument fares no better. Covington contends that “the SEC’s demand
for client names will effectively reveal the content of privileged client communications.”
Covington Opp’n at 19. “Covington already informed the SEC that, upon discovering the
cyberattack, it sent its affected clients ‘a very simple message alerting them’ to the unauthorized
activity and ‘inviting each client to discuss the matter.’” Id. at 20 (quoting Ney Decl. at 38). “The
‘great majority’ of those clients then had ‘further substantive communications with Covington’
concerning the implications of the cyberattack.” Id. Because “those communications in turn may
have informed the clients’ judgment about whether they were required to disclose the cyberattack
to investors,” Covington continues, “[t]he demand for client names thus would . . . apprise the SEC
8 which clients received specific information and advice from Covington in connection with the
cyberattack.” Id.
But Covington’s argument conflates the fact of a communication with the content of the
communication itself. The latter is privileged; the former is not. See Matter of Walsh, 623 F.2d
489, 494 (7th Cir. 1980) (“[T]he fact of communication between a known client and his attorney
is not a privileged communication.”); United States v. Kendrick, 331 F.2d 110, 113 (4th Cir. 1964)
(“It is the substance of the communications which is protected, however, not the fact that there
have been communications.”); United States v. Jackson, No. 07-cr-35 (RWR-AK), 2007 WL
4225403, at *2 (D.D.C. Nov. 30, 2007) (“The existence of a communication between a client and
her attorney is not privileged, even if the content of that communication would otherwise be
protected.”). Covington’s disclosure of a client name would tell the SEC nothing about what, if
any, legal advice the client sought, or how the firm responded, with respect to the cyberattack.
Only through guesswork and speculation could the SEC discern from the name of the client alone
any communication’s contents.
B. Judicial Enforcement of Administrative Subpoenas
1. Appropriate Standard
The court now turns to the heart of the matter: whether the SEC’s demand for the names
of Covington’s clients is a valid exercise of its investigative authority.
The SEC’s power to investigate is “broad.” SEC v. Arthur Young & Co., 584 F.2d 1018,
1023 (D.C. Cir. 1978). The Commission is statutorily authorized to “make such investigations as
it deems necessary to determine whether any person has violated, is violating, or is about to
violate” the federal securities laws or the “rules or regulations thereunder.” 15 U.S.C. § 78u(a)(1).
To that end, the SEC “is empowered to . . . require the production of any books, papers,
9 correspondence, memoranda, or other records which the Commission deems relevant or material
to the inquiry.” Id. § 78u(b).
The SEC’s powers are not limitless, of course. The D.C. Circuit identified the constraints
in Arthur Young, based on the Supreme Court’s decision in United States v. Morton Salt Co.,
338 U.S. 632 (1950). “[T]o begin with, ‘a governmental investigation into corporate matters may
be of such a sweeping nature and so unrelated to the matter properly under inquiry as to exceed
the investigatory power.’” Arthur Young, 584 F.2d at 1023 (quoting Morton Salt, 338 U.S. at 652).
Further, although “the statutory powers of federal regulatory agencies to investigate have
traditionally been extensive,” the Fourth Amendment also provides a guardrail. Id. at 1023–24.
It “requires that the subpoena be sufficiently limited in scope, relevant in purpose, and specific in
directive so that compliance will not be unreasonably burdensome.” Id. at 1024 (quoting See v.
City of Seattle, 387 U.S. 541, 544 (1967)); see also Morton Salt, 338 U.S. at 652 (“[I]t is sufficient
if the inquiry is within the authority of the agency, the demand is not too indefinite and the
information sought is reasonably relevant.”). “The gist of the protection is in the requirement,
expressed in terms, that the disclosure sought shall not be unreasonable.” Arthur Young, 584 F.2d
at 1024 (quoting Morton Salt, 338 U.S. at 652).
Covington asks the court to deviate from these long-standing principles. Relying on the
Supreme Court’s decision in Carpenter v. United States, 138 S. Ct. 2206 (2018), Covington insists
that the deferential Morton Salt standard is inapplicable when, as here, the subpoena target has a
“reasonable expectation of privacy” in the requested information. Covington Opp’n at 21 (quoting
Carpenter, 138 S. Ct. at 2221). In Carpenter, the Court held that individuals have a “reasonable
expectation of privacy in the whole of [their] physical movements,” and thus “the Government
must generally obtain a [search] warrant supported by probable cause before acquiring” cell-site
10 location data because it captures an individual’s physical movements. Carpenter, 138 S. Ct.
at 2219, 2221. In Covington’s view, Carpenter also “held” that “the government-friendly [Morton
Salt] test the SEC advocates applies only to ‘garden-variety request[s] for information from a third-
party witness,’ not to administrative subpoenas that invade recognized privacy interests.”
Covington Opp’n at 20–21 (quoting Carpenter, 138 S. Ct. at 2219), id. at 4 (“Where, as here, a
federal agency seeks to penetrate a confidential attorney-client relationship, without any evidence
of wrongdoing by Covington or its clients, the Fourth Amendment requires the agency to show an
investigative need that is sufficiently compelling to overcome legitimate expectations of
privacy.”). “Because both Covington and its clients have a legitimate expectation of privacy in
their attorney-client relationship,” Covington says, “the Fourth Amendment requires that the Court
balance the SEC’s purported ‘need to search’ against ‘the invasion which the search entails.’”
Id. at 21 (quoting Camara v. Mun. Ct. of City & Cnty. of San Francisco, 387 U.S. 523, 537 (1967)).
There are a host of difficulties with Covington’s proposed approach.
First, Covington overreads Carpenter. Carpenter was a criminal case in which the question
presented was “whether the Government conducts a search under the Fourth Amendment when it
accesses historical cell phone records that provide a comprehensive chronicle of the user’s past
movements.” Carpenter, 138 S. Ct. at 2211. The Court held that such an intrusion constituted a
search, and therefore required a warrant, because “it invaded Carpenter’s reasonable expectation
of privacy in the whole of his physical movements.” Id. at 2219. The portion of the opinion on
which Covington relies came in the context of the majority’s explanation for why it disagreed with
Justice Alito’s view that a warrant was not required. The majority observed that “Justice ALITO
contends that the warrant requirement simply does not apply when the Government acquires
records using compulsory process.” Id. at 2221. It was in that context the majority wrote, “[b]ut
11 this Court has never held that the Government may subpoena third parties for records in which the
suspect has a reasonable expectation of privacy.” Id. Covington grasps onto that language as
requiring more stringent review in this case because the firm and its clients have a “reasonable
expectation of privacy” in their attorney-client relationship. Covington Opp’n at 21–23.
But Carpenter does not go that far. The Court used the term “reasonable expectation of
privacy” as a legal term of art in the context of the Fourth Amendment’s warrant requirement.
See Carpenter, 138 S. Ct. at 2217 (“When an individual ‘seeks to preserve something as private,’
and his expectation of privacy is ‘one that society is prepared to recognize as reasonable,’ we have
held that official intrusion into that private sphere generally qualifies as a search and requires a
warrant supported by probable cause.”) (quoting Smith v. Maryland, 442 U.S. 735, 740 (1979)).
Covington, on the other hand, uses the term in the colloquial sense. See, e.g., Covington Opp’n at
23 (“Covington’s clients have an expectation of privacy in their retention of Covington that
‘society is prepared to recognize as reasonable.’”) (quoting Carpenter, 138 S. Ct. at 2213). But
Carpenter is specific to the warrant requirement. It says nothing that would support modifying
the Fourth Amendment balance that the Supreme Court struck long ago for administrative
subpoenas. See Carpenter, 138 S. Ct. at 2222 (reaffirming Morton Salt’s endorsement of a request
for corporate information by law enforcement even if only for “official curiosity”).
Second, Covington’s approach runs squarely up against Circuit precedent. As discussed,
the D.C. Circuit in Arthur Young articulated the proper standard to use when evaluating an SEC
subpoena. Arthur Young, 584 F.2d at 1023. That standard does not require a “robust
reasonableness review,” Covington Opp’n at 29, but rather an inquiry into the scope, purpose, and
burden of the agency’s subpoena, Arthur Young, 584 F.2d at 1024. To be sure, Carpenter post-
dates Arthur Young, but this court is “obligated to follow controlling circuit precedent until either
12 [the Circuit], sitting en banc, or the Supreme Court, overrule[s] it.” United States v. Torres, 115
F. 3d 1033, 1036 (D.C. Cir. 1997). And whether a later Supreme Court decision supersedes Circuit
precedent depends on whether the opinion “effectively overrules” or “eviscerates” the Circuit
authority. See Saad v. SEC, 873 F.3d 297, 311 (D.C. Cir. 2017). Carpenter does neither, so the
court remains bound to apply Arthur Young.
Third, never has the D.C. Circuit applied a more stringent standard to an administrative
subpoena because it demands nonprivileged information of persons receiving legal services.
In Linde Thomson Langworthy Kohn & Van Dyke, P.C. v. Resolution Trust Corporation, for
example, the court affirmed the validity of an administrative subpoena to a law firm seeking
information about asset transfers under a standard of “reasonable relevance” and undue burden.
5 F.3d 1508, 1516–17 (D.C. Cir. 1993). Similarly, in Director, Office of Thrift Supervision v.
Vinson & Elkins, LLP, the D.C. Circuit applied Morton Salt to a subpoena seeking from a law firm
attorney notes taken during a client interview by an agency. 124 F.3d 1304, 1307 (D.C. Cir. 1997).
And, in United States v. Legal Services for New York City, the court evaluated and found
appropriate subpoenas to legal services providers after considering the relevance of the
information sought and the burdens of compliance. 249 F.3d 1077, 1083–84 (D.C. Cir. 2001). In
fairness, as Covington points out, these cases involve circumstances in which the federal agency
had reasonable grounds to suspect wrongdoing by the firm or client (Linde Thomson and Vinson
& Elkins), or where the firm was subject to government regulation (Legal Services for New York
City). Covington Opp’n at 37–38. Still, these cases do not so much as hint at a balancing test of
the kind Covington advocates merely because a subpoena demands nonprivileged client-related
information.
13 Finally, Covington’s call for a “robust reasonableness review” in this case founders at its
premise: the mere fact of an attorney-client relationship involves extraordinary privacy interests.
Administrative subpoenas routinely seek private information, whether it be financial documents,
corporate books and records, or similar materials regularly kept out of the public eye. Yet,
Covington does not explain why subpoenas demanding such closely held information should
receive less protection than the identities of law firm clients. If anything, the fact of an attorney-
client relationship is often in the public domain. Law firms enter appearances in court and
administrative proceedings; identify who they represent before government agencies; and divulge
their client affiliation in business transactions. Sure, the client consents to these disclosures, but
this reality highlights that clients often have a diminished expectation of privacy in the mere fact
of their attorney-client relationship. And, that is before one takes account of the Supreme Court’s
observation in Morton Salt that public companies—the very clients whose identity Covington
seeks to shield—“can claim no equality with individuals in the enjoyment of a right to privacy.”
Morton Salt, 338 U.S. at 368. The privacy rationale underlying Covington’s demand for greater
scrutiny of the SEC’s subpoena thus rests on a shaky foundation.
2. Arthur Young Factors
Recall, under Arthur Young, a subpoena from the SEC satisfies the Fourth Amendment if
it is “sufficiently limited in scope, relevant in purpose, and specific in directive so that compliance
will not be unreasonably burdensome.” 584 F.2d at 1024. Covington does not question the scope
of the SEC’s investigation into the Hafnium Cyberattack or the relevancy of the client names to
the investigation. Covington Opp’n at 41–44. Its argument focuses on burden. Id. (arguing that
even under the Morton Salt standard, compliance would be “unreasonable and otherwise ‘unduly
burdensome’”).
14 “The burden of proving undue hardship ‘is not easily met where . . . the agency inquiry,’”
as here, “is pursuant to a lawful purpose and the requested documents are relevant to that purpose.”
Linde Thomson, 5 F.3d at 1517 (quoting FTC v. Texaco, Inc., 555 F.2d 862, 882 (D.C. Cir. 1977)
(en banc)); Arthur Young, 584 F.2d at 1031 (stating that where the material sought was relevant to
the SEC’s authorized inquiry, “a demonstration of excessive burden would be hard to come by”).
In assessing whether the burden is undue, “courts often examine its tailoring to the purpose for
which the information is requested—that is, its relevance.” Legal Servs. for N.Y.C., 249 F.3d at
1084. Courts also may consider if “compliance threatens to unduly disrupt or seriously hinder
normal operations.” Texaco, 555 F.2d at 882.
Again, Covington does not challenge that the client names are relevant to the SEC’s
investigation. After all, knowing which clients had material nonpublic information compromised
would enable the agency to focus its investigation on suspicious trading activity with respect to
specific issuers, as well as their public statements about the cyberattack.
Covington instead asserts that the SEC’s demand is unduly burdensome for two primary
reasons. First, it contends that “[f]ew actions could rupture the trust between attorney and client
more than a subpoena that forces lawyers to serve up those clients for federal scrutiny.” Covington
Opp’n at 32. Second, Covington identifies the “substantial cost[s]” it has incurred “as a result of
its obligations under the D.C. Bar Rules of Professional Conduct ‘to resist disclosure’ of client
names and confidences in response to the subpoena until it has ‘exhaust[ed] available appeals.’”
Id. at 42 (citing D.C. Bar Op. No. 124, at 208 and D.C. Bar R. 1.6(a)). 3 The court finds neither
argument persuasive.
3 Covington says that it undertook “an extensive pre-litigation effort to explain its ethical obligations to the SEC and provide information to satisfy the agency’s investigative demands without divulging client names or communications,” “repeated rounds of communication with its nearly 300 affected clients” which “alone were a formidable task given the sheer number of clients covered by the vastly overbroad subpoena,” and “an exhaustive
15 The legal services provider in Legal Services for New York City made a burden argument
similar to the one Covington makes here: the subpoena was unduly burdensome because of “the
harm that disclosure of client secrets will do to [an attorney’s] ability to assure clients of the
secrecy of their communications.” 249 F.3d at 1084. The D.C. Circuit rejected that “novel
theory.” Id. It reasoned that a request for client identities was “wholly consistent with the rules
governing client secrets and generally consistent with the attorney-client privilege, so it in no way
alters the degree of secrecy appellant can justifiably promise its clients.” Id. The same is true
here. Covington could not promise any of its clients that their identities, which generally are not
protected by privilege, would remain secret in the face of a lawfully issued administrative
subpoena. 4
The costs Covington has incurred likewise do not justify excusing compliance. The court
does not doubt that Covington has expended considerable time and resources to stave off and
narrow the SEC’s demands. But “[e]very subpoena imposes a burden on its recipient.”
Linde Thomson, 5 F.3d at 1517. Covington has not carried its burden of showing the costs it has
borne are “undue.” Id. (finding burden was not undue where the request was limited “to a
reasonable time-frame” and there was no “undue disruption or serious hindrance of the normal
operations of [defendant’s] business”).
Before moving on, the court briefly addresses two additional arguments made by
Covington. First, Covington criticizes the SEC’s demand as “an aimless effort ‘to cast about for
potential wrongdoing.’” Covington Opp’n at 33 (quoting In re Sealed Case (Admin. Supboena),
review of its compromised client files,” all of which “spanned more than ten months and consumed hundreds of attorney hours.” Covington Opp’n at 42–43. 4 Covington looks to cases from the First Circuit—Whitehouse v. U.S. Dist. Ct. for the Dist. of R.I., 53 F.3d 1349, 1354 (1st Cir. 1995), and In re Grand Jury Matters, 751 F.2d 13, 17–18 (1st Cir. 1984)—to underscore the “damage that subpoenas can inflict on the attorney-client relationship.” Covington Opp’n at 31. This court is, of course, obligated to follow the D.C. Circuit’s precedent in Legal Service for New York City.
16 42 F.3d 1412, 1418 (D.C. Cir. 1994)). “Absent reasonable grounds to believe a violation of the
securities laws has occurred,” Covington contends, “the SEC cannot rummage through
Covington’s files or disrupt its attorney-client relationships.” Id. at 34. And it adds that the SEC
has alternative ways to root out market manipulation other than demanding information from
Covington. Id. at 35–36.
The D.C. Circuit long ago said that the type of “illegal fishing expedition” argument that
Covington makes “would have been a potent argument in the early era of administrative law but it
retains scarcely any of its clout today.” Arthur Young, 584 F.2d at 1029–30. After all, the Supreme
Court has said that “law-enforcing agencies have a legitimate right to satisfy themselves that
corporate behavior is consistent with the law and the public interest,” even if prompted by “nothing
more than official curiosity.” Morton Salt, 338 U.S. at 652 (emphasis added). As for other
investigative avenues, Covington cites no case that requires a law enforcement agency to
demonstrate that it attempted but failed to obtain the information sought from an alternative source
before issuing an administrative subpoena.
Second, Covington and amici appeal to public policy. Highlighting the words of FBI
Director Christopher Wray, Covington observes that cooperation from the private sector is critical
to countering cyber threats. Covington Opp’n at 39–40. 5 But “this cooperation between the
federal government and the private sector is imperiled when agencies effectively punish law firms
that come forward with information about possible cyberattacks by reflexively slapping them with
a subpoena to serve up their clients for investigation.” Id. at 40. The amicus brief of 83 Law Firms
similarly contends that “the requested compelled disclosure would harshly penalize blameless
5 “If American businesses don’t report attacks and intrusions, we won’t know about most of them, which means we can’t help you recover, and we don’t know how to stop the next attack, whether that’s another against you or a new attack on one of your partners.” Christopher Wray, FBI Partnering With the Private Sector to Counter the Cyber Threat, Fed. Bureau of Investigation (Mar. 22, 2022), https://perma.cc/GEX6-LNL9.
17 clients, back attorneys into a corner, and discourage law firms like amici from cooperating with
law enforcement in the future.” Br. of 83 Law Firms as Amici Curiae, ECF No. 17 [hereinafter
Law Firm Br.], at 10; see also Amicus Curiae Br. of the Chamber of Commerce, ECF No. 19
[hereinafter Chamber of Commerce Br.], at 11–12 (“The SEC’s public, punitive approach is
incongruous with policy choices by Congress and other agencies to protect victims. The SEC’s
approach may discourage voluntary collaboration with the FBI.”).
The court understands and appreciates the policy concerns raised by Covington and amici.
They are not unfounded. The SEC’s approach here could cause companies who experience
cyberattacks to think twice before seeking legal advice from outside counsel. See Chamber of
Commerce Br. at 9–10. Law firms, too, very well might hesitate to report cyberattacks to avoid
scrutiny of their clients. See Law Firms Br. at 9–12. The court’s role, however, is limited. Its task
is only to assess whether the subpoena exceeds the SEC’s statutory authority or fails to meet
minimum constitutional requirements. It is not to pass on the wisdom of the SEC’s investigative
approach.
IV. SUBPOENA MODIFICATION
Nevertheless, the court believes that a significant narrowing of the SEC’s demand for
affected client names is in order. “[T]he enforcement of a subpoena is an independent judicial
action,” and this court is “free to change the terms of an agency subpoena as it sees fit.”
United States v. Exxon Corp., 628 F.2d 70, 77 (D.C. Cir. 1980). Further, it is “within the discretion
of the court to go beyond the scope of the subpoena in order to provide measures of confidentiality”
if the agency has not provided sufficient safeguards to protect affected parties. See Hunton &
Williams, 952 F. Supp. at 856–57 (citing Exxon, 628 F.2d at 70; FTC v. Owen-Corning Fiberglas
Corp., 626 F.2d 966, 974 (D.C. Cir. 1980)).
18 The SEC has identified two purposes in investigating the Hafnium Cyberattack: (1) to
determine whether a threat actor or others engaged in illegal trading based upon access to material
nonpublic information; and (2) to evaluate whether any publicly traded issuers failed to disclose
material cybersecurity events in connection with the attack. SEC Mot. at 8. After an extensive
internal investigation involving nearly 500 hours of attorney time, Covington “concluded that the
threat actor had not accessed [material nonpublic information] for 291 of 298 public company
clients affected by the SEC subpoena.” Hodgkins Decl. ¶¶ 34–35. Covington “could not rule out
that the threat actor accessed [material nonpublic information] for the remaining seven out of the
298 affected clients.” Id. ¶ 36. The SEC acknowledges Covington’s efforts. It admits that “the
Commission would likely identify numerous Covington clients who were not impacted by the
breach, making trading in their shares irrelevant to any analysis of potential unlawful trading.”
SEC Reply at 24 (emphasis added); Hr’g Tr. at 7–8. Yet, the SEC insists that it needs all 298
client names in order “to conduct an effective investigation.” Hr’g Tr. at 20.
In the court’s estimation, the SEC has not made the case that it needs the names of the 291
clients whose material nonpublic information Covington has determined was not accessed.
Those clients, by the SEC’s own admission, are not relevant to its investigation. Therefore, the
court is not prepared to grant the SEC access to a client list of nearly 300 names when only seven
are actually needed to satisfy the agency’s stated law enforcement interests.
The SEC says that the receipt of only those seven client names would be unsatisfactory.
It asserts that, because Covington has conveyed its investigative findings at such a “high level,”
the agency cannot “independently verify [Covington’s] conclusions.” Hr’g Tr. at 9. But any law
enforcement agency that issues a subpoena necessarily has to rely on the recipient’s good faith in
producing the information requested. This case is no different. If the SEC contests the accuracy
19 or completeness of Covington’s conclusions, the proper course is to ask the court for an
independent evaluation. It is not to grant access to hundreds of client names that are not relevant
to the investigation.
Covington, for its part, believes it could be “worse” to provide the seven client names
because “it would be revealing more information, not just the [client’s] identity, not just
that . . . their data was subjected . . . to this cyberattack, but also that it may have revealed or at
least they may have accessed material nonpublic information.” Hr’g Tr. at 40. Fair enough. But
Covington has not contested that the demand for its affected clients’ names is limited in scope and
relevant in purpose, and the court has found that the demand, as modified, is not unduly
burdensome. That is where the inquiry ends. See Arthur Young, 584 F.2d at 1024. Furthermore,
identifying the seven client names would not divulge any protected communications about the data
breach. If Covington believes that the SEC’s regulations are not adequate to safeguard its clients’
identities from public disclosure, see, e.g., 15 U.S.C. § 78x(b); 17 C.F.R. §§ 200.735-3 (2010),
230.122 (2011), 240.24c-1 (1993), Covington can seek a protective order. 6
6 In a footnote, Covington suggests that “[t]he names of the seven clients whose files contained potential [material nonpublic information] are protected work product because they reflect the efforts, opinions, and legal conclusions of Covington’s lawyers and were compiled in anticipation of a subpoena enforcement action from the SEC.” Covington Opp’n at 36 n.12 (citing SEC v. Volkswagen Aktiengesellschaft, No. 19-cv-01391 (AGT), 2023 WL 1793870, at *2 (N.D. Cal. Feb. 7, 2023)). Covington said the same at oral argument. See Hr’g Tr. at 40. Neither party has adequately addressed what could be a complicated issue. See In re Sealed Case, 676 F.2d 793, 811 (D.C. Cir. 1982) (noting that there is “qualified protection for ‘fact’ work product and more absolute protection for ‘opinion’ work product”); Volkswagen Aktiengesellschaft, 2023 WL 1793870, at *2 (distinguishing between an interrogatory that “asks for facts” versus one that “asks for an opinion”; only a response to the latter is protected by the work product doctrine). Accordingly, the court does not address the contention. See Armstrong v. Geithner, 608 F.3d 854, 858 n.** (D.C. Cir. 2010) (stating that a court is not required to “address an argument raised only cursorily in a footnote”).
20 V. CONCLUSION
For the stated reasons, the Commission’s Application for an Order to Show Cause
Requiring Compliance with the Subpoena, ECF No. 1, is granted in part. Covington shall produce
to the Commission the names of the seven clients as to whom it has not been able to rule out that
a threat actor accessed material nonpublic information.
A final, appealable order accompanies this Memorandum Opinion.
Dated: July 24, 2023 Amit P. Mehta United States District Judge