Opinion
23-mc-00002 (APM)
07-24-2023
SECURITIES AND EXCHANGE COMMISSION, Applicant, v. COVINGTON & BURLING, LLP, Respondent.
MEMORANDUM OPINION
AMIT P. MEHTA UNITED STATES DISTRICT JUDGE.
I. INTRODUCTION
This case concerns the intersection of a federal law enforcement agency's interest in rooting out possible law violations and a law firm's ethical obligations to its clients. On March 21, 2022, the Securities and Exchange Commission (“SEC” or “the Commission”) served a subpoena on Covington & Burling, LLP (“Covington”), a multinational law firm headquartered in Washington, D.C. The subpoena sought information relating to a cyberattack on Covington's information technology systems that had occurred a year prior. Covington largely complied with the subpoena. It balked, however, in one key respect. Citing its ethical obligation to protect its clients' identities, Covington refused to disclose the names of its nearly 300 public company clients whose files had been compromised by the attack.
The SEC now moves to compel disclosure of the withheld client names. The Commission says it has a legitimate purpose in seeking that information: it is investigating whether there have been violations of the securities laws arising from the cyberattack on Covington's systems, and the information is necessary to determine (1) whether any illegal trading occurred using material nonpublic information, or (2) whether any publicly traded issuers failed to make disclosures relating to the cyberattack.
Covington cries foul. It asserts that the SEC's demand exceeds its investigative authority, as there is no valid purpose in demanding client information where there is no suspicion of wrongdoing by the firm or any client. It also sounds the alarm that, if the SEC's subpoena is enforced, the Commission will become emboldened to target law firms with greater frequency and serve even more intrusive demands for information.
The court finds some merit to both parties' positions, but ultimately holds that the SEC's demand for the names of affected clients does not exceed its statutory authority or cross any constitutional lines. The SEC is not, however, entitled to all affected client names. Its demand is too broad. The agency concedes that it is only interested in the names of those Covington clients whose material nonpublic information was accessed during the cyberattack, and the firm has reported that only a handful of its clients were potentially so impacted. The court therefore will require Covington to disclose the names of the seven clients as to whom it has not been able to rule out that the threat actor accessed material nonpublic information.
Accordingly, as further explained below, the Commission's application to compel is granted in part and denied in part.
II. BACKGROUND
A. The Hafnium Cyberattack
In November 2020, threat actors exploited vulnerabilities in Microsoft's Exchange Server software “to gain ‘access to email accounts' and to install ‘malware to facilitate long-term access to victim environments.'” Opp'n of Covington & Burling to SEC Mot., ECF No. 14 [hereinafter Covington Opp'n], at 7 (quoting Microsoft Security Blog, Hafnium Targeting Exchange Servers with 0-Day Exploits (Mar. 2, 2021), https://perma.cc/A7EK-6A8Z). Four months later, on March 2, 2021, Microsoft disclosed the cyberattack and “expressed ‘high confidence' that Hafnium, a group of hackers associated with the Chinese government, had perpetrated the attacks.” Id.
Covington & Burling-a large, multinational law firm based in Washington D.C.-uses Microsoft's Exchange Server software. Covington Opp'n, Decl. of David Fagan, ECF No. 14-1 [hereinafter Fagan Decl.], ¶ 5. Covington “launched an investigation to determine whether unauthorized parties had gained access to its network” during the Hafnium Cyberattack and “ultimately determined that a threat actor had been able to compromise Covington's Exchange environment.” Id. ¶¶ 5-6. After learning of the unauthorized access, Covington compiled a list of potentially affected clients and sent them a “very simple message alerting them to that fact and inviting each client to discuss the matter.” SEC's App. for an Order to Show Cause, ECF No. 1 [hereinafter SEC Mot.], Decl. of W. Bradley Ney, ECF No. 1-1 [hereinafter Ney Decl.], at 38. “Within days of discovering the cyberattack, Covington notified, and began cooperating with, the FBI as part of the firm's investigation and remediation of the cyberattack.” Fagan Decl. ¶ 7.
As it turned out, over the course of approximately four months, the hackers undertook “a series of malicious activities” against Covington's computer network, “including stealing credentials and engaging in search, reconnaissance, and export activity.” Id. ¶ 8. Specifically, “[t]he threat actor collected email from certain Outlook accounts and accessed folders on dedicated network drives for a small group of lawyers and advisors whose work or experience related to matters of particular policy interest to the People's Republic of China.” Id. ¶ 9. “Through its own investigation and its cooperation with the FBI, Covington determined that the threat actor was most likely sponsored by the Chinese government and was very likely engaged in an espionage campaign to gather information from Covington's lawyers about the incoming Biden Administration and policy issues of interest to China.” Id. ¶ 10.
B. The SEC's Investigation
On March 6, 2021, roughly a year after Microsoft's disclosure, the Commission “opened an investigation into possible violations of the federal securities laws” connected to the Hafnium Cyberattack. Ney Decl. ¶ 3. Principally, the SEC sought to determine whether threat actors “accessed and traded on the basis of material, non-public information,” and whether public companies “made materially false or misleading statements, or omitted to state material facts, concerning the impact of the Cyberattack in violation of federal securities laws.” Id. ¶ 5. In early 2022, the SEC learned that “the threat actors were able to gain access to certain client files, including the files of various public companies regulated by the Commission who were either represented by Covington, or about whom Covington possessed information.” Id. ¶ 6.
On March 21, 2022, the Commission issued a subpoena to Covington for records relating to the Cyberattack. Id. ¶ 7. Generally speaking, the subpoena “called for the production of certain documents concerning the threat actors' access to Covington's systems, including the identity of any public companies whose files may have been accessed in connection with the Cyberattack.” Id. The subpoena sought ten categories of records. Id., Ex. A at 17-19. Covington produced records or provided narrative responses to nine of the ten requests. Covington Opp'n, Decl. of Gerald Hodgkins, ECF No. 14-2 [hereinafter Hodgkins Decl.], ¶ 16. It objected, however, to Request No. 3. Id. ¶ 18. That demand sought documents and communications sufficient to identify (1) Covington's impacted clients, (2) the “nature of the suspected unauthorized activity Concerning the client or other impacted party, including when the activity took place and the amount of information that was viewed, copied, modified, or exfiltrated,” and (3) “[a]ny Communications provided to the client or other impacted party Concerning the suspected unauthorized activity.” Ney Decl., Ex. A at 17-18.
Covington determined that Request No. 3 applied to 298 public company and other SEC regulated clients (“public company clients”). Hodgkins Decl. ¶ 19. Covington objected to Request No. 3 on the grounds that it “could not identify its affected clients or produce the requested communications consistent with the attorney-client privilege and the firm's fiduciary duties, duty of loyalty, and duty of confidentiality it owes its clients, including under D.C. Rule of Professional Conduct 1.6.” Id. ¶ 20. Rule 1.6(a) states that “a lawyer shall not knowingly . . . reveal a confidence or secret of the lawyer's client.” D.C. Bar R. 1.6(a)(1). The D.C. Bar has interpreted the term “secrets” to include “the mere fact that a client is being represented by an attorney.” D.C. Bar Op. No. 124, at 207.
C. Subpoena Negotiation
Following Covington's objection, the parties entered into protracted negotiations regarding the scope of Request No. 3. Hodgkins Decl. ¶¶ 21-23. The SEC responded by narrowing its request slightly, in response to which one Covington client agreed to produce the requested information. Id. ¶ 24.
Eventually, on August 3, 2022, the SEC offered another compromise: that Covington produce “only the names of [Covington's] impacted public company clients in the first instance.” Covington Opp'n, Decl. of Katherine Meeks, ECF No. 14-3, at 4 (emphasis in original). Another client agreed to disclosure of “only its name.” Hodgkins Decl. ¶ 26. Otherwise, “[n]o other Covington client has consented to the release of its name or any communications concerning the cyberattack to the SEC.” Id. ¶ 27.
Following a meeting with the SEC on August 24, 2022, Covington undertook an internal review of its affected files to “identify how many, if any, of the 298 clients it believed had material, non-public information that may have been viewed, copied, modified, or exfiltrated by the threat actors.” Ney Decl. ¶ 13; Hodgkins Decl. ¶¶ 28, 30. Covington “concluded that the threat actor had not accessed [material nonpublic information] for 291 of the 298 public companies affected by the SEC's subpoena,” and “could not rule out that the threat actor accessed [material nonpublic information] for the remaining seven.” Hodgkins Decl. ¶¶ 35-36. It communicated this information to the agency. Id. ¶ 37.
Covington's internal review did not satisfy the SEC. “The Commission has been unable to verify the information provided by Covington and disagrees with Covington's methodology for determining what constitutes material, non-public information.” Ney Decl. ¶ 13. Having reached an impasse, the SEC insisted that Covington disclose the names of the nearly 300 affected clients. Hodgkins Decl. ¶ 39.
On January 10, 2023, the SEC filed the instant application to enforce the subpoena. See SEC Mot. The court then issued an Order to Show Cause, which directed Covington “to show cause why the court should not enter an order compelling its compliance with the [SEC's] subpoena.” Order to Show Cause, ECF No. 9. The parties' briefing, as well as those of amicus curiae, followed. Covington Opp'n; Reply Mem. of L. in Further Supp. of SEC Mot., ECF No. 35 [hereinafter SEC Reply]. The court held oral argument on May 10, 2023. Hr'g Tr., ECF No. 36.
The court received and reviewed amicus briefs from (1) 83 law firms, (2) the Reporters Committee for Freedom of the Press, (3) the Chamber of Commerce, and (4) the Association of Corporate Counsel. See Br. of 83 Law Firms as Amici Curiae in Supp. of Covington & Burling, ECF No. 17; Br. of the Reporters Comm. for Freedom of the Press as Amicus Curiae in Supp. of Resp., ECF No. 18; Amicus Curiae Br. of the Chamber of Commerce of the U.S. in Supp. of Resp., ECF No. 19; Amicus Curiae Br. of Ass. of Corp. Counsel in Supp. of Resp., ECF No. 26.
III. DISCUSSION
Covington maintains that it cannot be compelled to disclose the affected client names on two primary grounds. First, it contends that the client names are protected by the attorney-client privilege. Covington Opp'n at 19-20. Second, it says that the SEC's demand is “an unreasonable fishing expedition that violates the Fourth Amendment.” Id. at 20.
Covington devotes the first part of its brief to arguing that it could not comply with “Request No. 3 when served” because it had a fiduciary duty under D.C. Bar Rule 1.6 to resist divulging its clients' names. Covington Opp'n at 13-19 (emphasis added). That argument is largely an academic one. Rule 1.6(e)(2)(A) authorizes a lawyer to disclose a client's confidences and secrets when “required by law or court order.” D.C. Bar R. 1.6(e). The parties debate whether an SEC subpoena qualifies as a “court order,” such that Covington could have made the requested disclosure without judicial compulsion. See SEC Mot. at 13-14; Covington Opp'n at 15-18. But the court has no occasion to reach this issue, as an order from this court mandating disclosure would permit Covington to comply with Request No. 3, as narrowed, without running afoul of Rule 1.6.
A. Attorney-Client Privilege
The court starts with the privilege assertion. “Federal courts have found that, absent special circumstances, client-identity is not protected by the attorney-client privilege.” United States v. Hunton & Williams, 952 F.Supp. 843, 856 (D.D.C. 1997) (citing Clarke v. Am. Com. Nat'l Bank, 974 F.2d 127, 129-30 (9th Cir. 1992)); see also Cause of Action Inst. v. United States Dep't of Just., 330 F.Supp.3d 336, 350 (D.D.C. 2018) (“Under the general rule, the attorney-client privilege does not protect from disclosure the identity of the client and the general purpose of the work performed.”) (cleaned up); United States v. Leventhal, 961 F.2d 936, 940 (11th Cir. 1992); United States v. Goldberger & Dubin, P.C., 935 F.2d 501, 505 (2d Cir. 1991)); In re Grand Jury Subpoena, 204 F.3d 516, 520 (4th Cir. 2000). “These courts have found that client identity does not constitute a privileged communication because it does not reveal a ‘fundamental communication in the attorney-client relationship.'” Hunton & Williams, 952 F.Supp. at 856.
There is a limited exception to that general rule. “[A] client's identity is privileged if disclosure would in essence reveal a confidential communication.” In re Grand Jury Subpoena, 204 F.3d at 520; see also In re Shargel, 742 F.2d 61, 64 (2d Cir. 1984) (recognizing that “there may be circumstances under which the identification of a client may amount to prejudicial disclosure of a confidential communication”) (internal quotation marks and citation omitted). Covington argues that the exception applies here for two reasons.
It first maintains that “the SEC's demand for client names is only the first step toward an inevitable demand for privileged information and work product” because the Commission seeks the client list in part to investigate insider trading; thus it “will need to probe for details about the content of the files accessed by the threat actor” to determine whether they contained material nonpublic information that “could be exploited for insider trading.” Covington Opp'n at 19; Hr'g Tr. at 41 (arguing that the Commission “would need more information, they'd need to know what information was accessed, they'd need more details in order to conduct this investigation”). But the mere prospect that the SEC might demand actual confidential matter cannot transform a present request for nonprivileged client identities into a privileged one. If the SEC eventually does demand client confidences, that request will rise or fall on its own merits.
Covington's second argument fares no better. Covington contends that “the SEC's demand for client names will effectively reveal the content of privileged client communications.” Covington Opp'n at 19. “Covington already informed the SEC that, upon discovering the cyberattack, it sent its affected clients ‘a very simple message alerting them' to the unauthorized activity and ‘inviting each client to discuss the matter.'” Id. at 20 (quoting Ney Decl. at 38). “The ‘great majority' of those clients then had ‘further substantive communications with Covington' concerning the implications of the cyberattack.” Id. Because “those communications in turn may have informed the clients' judgment about whether they were required to disclose the cyberattack to investors,” Covington continues, “[t]he demand for client names thus would . . . apprise the SEC which clients received specific information and advice from Covington in connection with the cyberattack.” Id.
But Covington's argument conflates the fact of a communication with the content of the communication itself. The latter is privileged; the former is not. See Matter of Walsh, 623 F.2d 489, 494 (7th Cir. 1980) (“[T]he fact of communication between a known client and his attorney is not a privileged communication.”); United States v. Kendrick, 331 F.2d 110, 113 (4th Cir. 1964) (“It is the substance of the communications which is protected, however, not the fact that there have been communications.”); United States v. Jackson, No. 07-cr-35 (RWR-AK), 2007 WL 4225403, at *2 (D.D.C. Nov. 30, 2007) (“The existence of a communication between a client and her attorney is not privileged, even if the content of that communication would otherwise be protected.”). Covington's disclosure of a client name would tell the SEC nothing about what, if any, legal advice the client sought, or how the firm responded, with respect to the cyberattack. Only through guesswork and speculation could the SEC discern from the name of the client alone any communication's contents.
B. Judicial Enforcement of Administrative Subpoenas
1. Appropriate Standard
The court now turns to the heart of the matter: whether the SEC's demand for the names of Covington's clients is a valid exercise of its investigative authority.
The SEC's power to investigate is “broad.” SEC v. Arthur Young & Co., 584 F.2d 1018, 1023 (D.C. Cir. 1978). The Commission is statutorily authorized to “make such investigations as it deems necessary to determine whether any person has violated, is violating, or is about to violate” the federal securities laws or the “rules or regulations thereunder.” 15 U.S.C. § 78u(a)(1). To that end, the SEC “is empowered to . . . require the production of any books, papers, correspondence, memoranda, or other records which the Commission deems relevant or material to the inquiry.” Id. § 78u(b).
The SEC's powers are not limitless, of course. The D.C. Circuit identified the constraints in Arthur Young, based on the Supreme Court's decision in United States v. Morton Salt Co., 338 U.S. 632 (1950). “[T]o begin with, ‘a governmental investigation into corporate matters may be of such a sweeping nature and so unrelated to the matter properly under inquiry as to exceed the investigatory power.'” Arthur Young, 584 F.2d at 1023 (quoting Morton Salt, 338 U.S. at 652). Further, although “the statutory powers of federal regulatory agencies to investigate have traditionally been extensive,” the Fourth Amendment also provides a guardrail. Id. at 1023-24. It “requires that the subpoena be sufficiently limited in scope, relevant in purpose, and specific in directive so that compliance will not be unreasonably burdensome.” Id. at 1024 (quoting See v. City of Seattle, 387 U.S. 541, 544 (1967)); see also Morton Salt, 338 U.S. at 652 (“[I]t is sufficient if the inquiry is within the authority of the agency, the demand is not too indefinite and the information sought is reasonably relevant.”). “The gist of the protection is in the requirement, expressed in terms, that the disclosure sought shall not be unreasonable.” Arthur Young, 584 F.2d at 1024 (quoting Morton Salt, 338 U.S. at 652).
Covington asks the court to deviate from these long-standing principles. Relying on the Supreme Court's decision in Carpenter v. United States, 138 S.Ct. 2206 (2018), Covington insists that the deferential Morton Salt standard is inapplicable when, as here, the subpoena target has a “reasonable expectation of privacy” in the requested information. Covington Opp'n at 21 (quoting Carpenter, 138 S.Ct. at 2221). In Carpenter, the Court held that individuals have a “reasonable expectation of privacy in the whole of [their] physical movements,” and thus “the Government must generally obtain a [search] warrant supported by probable cause before acquiring” cell-site location data because it captures an individual's physical movements. Carpenter, 138 S.Ct. at 2219, 2221. In Covington's view, Carpenter also “held” that “the government-friendly [Morton Salt] test the SEC advocates applies only to ‘garden-variety request[s] for information from a third-party witness,' not to administrative subpoenas that invade recognized privacy interests.” Covington Opp'n at 20-21 (quoting Carpenter, 138 S.Ct. at 2219), id. at 4 (“Where, as here, a federal agency seeks to penetrate a confidential attorney-client relationship, without any evidence of wrongdoing by Covington or its clients, the Fourth Amendment requires the agency to show an investigative need that is sufficiently compelling to overcome legitimate expectations of privacy.”). “Because both Covington and its clients have a legitimate expectation of privacy in their attorney-client relationship,” Covington says, “the Fourth Amendment requires that the Court balance the SEC's purported ‘need to search' against ‘the invasion which the search entails.'” Id. at 21 (quoting Camara v. Mun. Ct. of City & Cnty. of San Francisco, 387 U.S. 523, 537 (1967)). There are a host of difficulties with Covington's proposed approach.
First, Covington overreads Carpenter. Carpenter was a criminal case in which the question presented was “whether the Government conducts a search under the Fourth Amendment when it accesses historical cell phone records that provide a comprehensive chronicle of the user's past movements.” Carpenter, 138 S.Ct. at 2211. The Court held that such an intrusion constituted a search, and therefore required a warrant, because “it invaded Carpenter's reasonable expectation of privacy in the whole of his physical movements.” Id. at 2219. The portion of the opinion on which Covington relies came in the context of the majority's explanation for why it disagreed with Justice Alito's view that a warrant was not required. The majority observed that “Justice ALITO contends that the warrant requirement simply does not apply when the Government acquires records using compulsory process.” Id. at 2221. It was in that context the majority wrote, “[b]ut this Court has never held that the Government may subpoena third parties for records in which the suspect has a reasonable expectation of privacy.” Id. Covington grasps onto that language as requiring more stringent review in this case because the firm and its clients have a “reasonable expectation of privacy” in their attorney-client relationship. Covington Opp'n at 21-23.
But Carpenter does not go that far. The Court used the term “reasonable expectation of privacy” as a legal term of art in the context of the Fourth Amendment's warrant requirement. See Carpenter, 138 S.Ct. at 2217 (“When an individual ‘seeks to preserve something as private,' and his expectation of privacy is ‘one that society is prepared to recognize as reasonable,' we have held that official intrusion into that private sphere generally qualifies as a search and requires a warrant supported by probable cause.”) (quoting Smith v. Maryland, 442 U.S. 735, 740 (1979)). Covington, on the other hand, uses the term in the colloquial sense. See, e.g., Covington Opp'n at 23 (“Covington's clients have an expectation of privacy in their retention of Covington that ‘society is prepared to recognize as reasonable.'”) (quoting Carpenter, 138 S.Ct. at 2213). But Carpenter is specific to the warrant requirement. It says nothing that would support modifying the Fourth Amendment balance that the Supreme Court struck long ago for administrative subpoenas. See Carpenter, 138 S.Ct. at 2222 (reaffirming Morton Salt's endorsement of a request for corporate information by law enforcement even if only for “official curiosity”).
Second, Covington's approach runs squarely up against Circuit precedent. As discussed, the D.C. Circuit in Arthur Young articulated the proper standard to use when evaluating an SEC subpoena. Arthur Young, 584 F.2d at 1023. That standard does not require a “robust reasonableness review,” Covington Opp'n at 29, but rather an inquiry into the scope, purpose, and burden of the agency's subpoena, Arthur Young, 584 F.2d at 1024. To be sure, Carpenter postdates Arthur Young, but this court is “obligated to follow controlling circuit precedent until either [the Circuit], sitting en banc, or the Supreme Court, overrule[s] it.” United States v. Torres, 115 F.3d 1033, 1036 (D.C. Cir. 1997). And whether a later Supreme Court decision supersedes Circuit precedent depends on whether the opinion “effectively overrules” or “eviscerates” the Circuit authority. See Saad v. SEC, 873 F.3d 297, 311 (D.C. Cir. 2017). Carpenter does neither, so the court remains bound to apply Arthur Young.
Third, never has the D.C. Circuit applied a more stringent standard to an administrative subpoena because it demands nonprivileged information of persons receiving legal services. In Linde Thomson Langworthy Kohn & Van Dyke, P.C. v. Resolution Trust Corporation, for example, the court affirmed the validity of an administrative subpoena to a law firm seeking information about asset transfers under a standard of “reasonable relevance” and undue burden. 5 F.3d 1508, 1516-17 (D.C. Cir. 1993). Similarly, in Director, Office of Thrift Supervision v. Vinson & Elkins, LLP, the D.C. Circuit applied Morton Salt to a subpoena seeking from a law firm attorney notes taken during a client interview by an agency. 124 F.3d 1304, 1307 (D.C. Cir. 1997). And, in United States v. Legal Services for New York City, the court evaluated and found appropriate subpoenas to legal services providers after considering the relevance of the information sought and the burdens of compliance. 249 F.3d 1077, 1083-84 (D.C. Cir. 2001). In fairness, as Covington points out, these cases involve circumstances in which the federal agency had reasonable grounds to suspect wrongdoing by the firm or client (Linde Thomson and Vinson & Elkins), or where the firm was subject to government regulation (Legal Services for New York City). Covington Opp'n at 37-38. Still, these cases do not so much as hint at a balancing test of the kind Covington advocates merely because a subpoena demands nonprivileged client-related information.
Finally, Covington's call for a “robust reasonableness review” in this case founders at its premise: the mere fact of an attorney-client relationship involves extraordinary privacy interests. Administrative subpoenas routinely seek private information, whether it be financial documents, corporate books and records, or similar materials regularly kept out of the public eye. Yet, Covington does not explain why subpoenas demanding such closely held information should receive less protection than the identities of law firm clients. If anything, the fact of an attorneyclient relationship is often in the public domain. Law firms enter appearances in court and administrative proceedings; identify who they represent before government agencies; and divulge their client affiliation in business transactions. Sure, the client consents to these disclosures, but this reality highlights that clients often have a diminished expectation of privacy in the mere fact of their attorney-client relationship. And, that is before one takes account of the Supreme Court's observation in Morton Salt that public companies-the very clients whose identity Covington seeks to shield-“can claim no equality with individuals in the enjoyment of a right to privacy.” Morton Salt, 338 U.S. at 368. The privacy rationale underlying Covington's demand for greater scrutiny of the SEC's subpoena thus rests on a shaky foundation.
2. Arthur Young Factors
Recall, under Arthur Young, a subpoena from the SEC satisfies the Fourth Amendment if it is “sufficiently limited in scope, relevant in purpose, and specific in directive so that compliance will not be unreasonably burdensome.” 584 F.2d at 1024. Covington does not question the scope of the SEC's investigation into the Hafnium Cyberattack or the relevancy of the client names to the investigation. Covington Opp'n at 41-44. Its argument focuses on burden. Id. (arguing that even under the Morton Salt standard, compliance would be “unreasonable and otherwise ‘unduly burdensome'”).
“The burden of proving undue hardship ‘is not easily met where . . . the agency inquiry,'” as here, “is pursuant to a lawful purpose and the requested documents are relevant to that purpose.” Linde Thomson, 5 F.3d at 1517 (quoting FTC v. Texaco, Inc., 555 F.2d 862, 882 (D.C. Cir. 1977) (en banc)); Arthur Young, 584 F.2d at 1031 (stating that where the material sought was relevant to the SEC's authorized inquiry, “a demonstration of excessive burden would be hard to come by”). In assessing whether the burden is undue, “courts often examine its tailoring to the purpose for which the information is requested-that is, its relevance.” Legal Servs. for N.Y.C., 249 F.3d at 1084. Courts also may consider if “compliance threatens to unduly disrupt or seriously hinder normal operations.” Texaco, 555 F.2d at 882.
Again, Covington does not challenge that the client names are relevant to the SEC's investigation. After all, knowing which clients had material nonpublic information compromised would enable the agency to focus its investigation on suspicious trading activity with respect to specific issuers, as well as their public statements about the cyberattack.
Covington instead asserts that the SEC's demand is unduly burdensome for two primary reasons. First, it contends that “[f]ew actions could rupture the trust between attorney and client more than a subpoena that forces lawyers to serve up those clients for federal scrutiny.” Covington Opp'n at 32. Second, Covington identifies the “substantial cost[s]” it has incurred “as a result of its obligations under the D.C. Bar Rules of Professional Conduct ‘to resist disclosure' of client names and confidences in response to the subpoena until it has ‘exhaust[ed] available appeals.'” Id. at 42 (citing D.C. Bar Op. No. 124, at 208 and D.C. Bar R. 1.6(a)). The court finds neither argument persuasive.
Covington says that it undertook “an extensive pre-litigation effort to explain its ethical obligations to the SEC and provide information to satisfy the agency's investigative demands without divulging client names or communications,” “repeated rounds of communication with its nearly 300 affected clients” which “alone were a formidable task given the sheer number of clients covered by the vastly overbroad subpoena,” and “an exhaustive review of its compromised client files,” all of which “spanned more than ten months and consumed hundreds of attorney hours.” Covington Opp'n at 42-43.
The legal services provider in Legal Services for New York City made a burden argument similar to the one Covington makes here: the subpoena was unduly burdensome because of “the harm that disclosure of client secrets will do to [an attorney's] ability to assure clients of the secrecy of their communications.” 249 F.3d at 1084. The D.C. Circuit rejected that “novel theory.” Id. It reasoned that a request for client identities was “wholly consistent with the rules governing client secrets and generally consistent with the attorney-client privilege, so it in no way alters the degree of secrecy appellant can justifiably promise its clients.” Id. The same is true here. Covington could not promise any of its clients that their identities, which generally are not protected by privilege, would remain secret in the face of a lawfully issued administrative subpoena.
Covington looks to cases from the First CircuitWhitehouse v. U.S. Dist. Ct. for the Dist. of R.I., 53 F.3d 1349, 1354 (1st Cir. 1995), and In re Grand Jury Matters, 751 F.2d 13, 17-18 (1st Cir. 1984)-to underscore the “damage that subpoenas can inflict on the attorney-client relationship.” Covington Opp'n at 31. This court is, of course, obligated to follow the D.C. Circuit's precedent in Legal Service for New York City.
The costs Covington has incurred likewise do not justify excusing compliance. The court does not doubt that Covington has expended considerable time and resources to stave off and narrow the SEC's demands. But “[e]very subpoena imposes a burden on its recipient.” Linde Thomson, 5 F.3d at 1517. Covington has not carried its burden of showing the costs it has borne are “undue.” Id. (finding burden was not undue where the request was limited “to a reasonable time-frame” and there was no “undue disruption or serious hindrance of the normal operations of [defendant's] business”).
Before moving on, the court briefly addresses two additional arguments made by Covington. First, Covington criticizes the SEC's demand as “an aimless effort ‘to cast about for potential wrongdoing.'” Covington Opp'n at 33 (quoting In re Sealed Case (Admin. Supboena), 42 F.3d 1412, 1418 (D.C. Cir. 1994)). “Absent reasonable grounds to believe a violation of the securities laws has occurred,” Covington contends, “the SEC cannot rummage through Covington's files or disrupt its attorney-client relationships.” Id. at 34. And it adds that the SEC has alternative ways to root out market manipulation other than demanding information from Covington. Id. at 35-36.
The D.C. Circuit long ago said that the type of “illegal fishing expedition” argument that Covington makes “would have been a potent argument in the early era of administrative law but it retains scarcely any of its clout today.” Arthur Young, 584 F.2d at 1029-30. After all, the Supreme Court has said that “law-enforcing agencies have a legitimate right to satisfy themselves that corporate behavior is consistent with the law and the public interest,” even if prompted by “nothing more than official curiosity.” Morton Salt, 338 U.S. at 652 (emphasis added). As for other investigative avenues, Covington cites no case that requires a law enforcement agency to demonstrate that it attempted but failed to obtain the information sought from an alternative source before issuing an administrative subpoena.
Second, Covington and amici appeal to public policy. Highlighting the words of FBI Director Christopher Wray, Covington observes that cooperation from the private sector is critical to countering cyber threats. Covington Opp'n at 39-40. But “this cooperation between the federal government and the private sector is imperiled when agencies effectively punish law firms that come forward with information about possible cyberattacks by reflexively slapping them with a subpoena to serve up their clients for investigation.” Id. at 40. The amicus brief of 83 Law Firms similarly contends that “the requested compelled disclosure would harshly penalize blameless clients, back attorneys into a corner, and discourage law firms like amici from cooperating with law enforcement in the future.” Br. of 83 Law Firms as Amici Curiae, ECF No. 17 [hereinafter Law Firm Br.], at 10; see also Amicus Curiae Br. of the Chamber of Commerce, ECF No. 19 [hereinafter Chamber of Commerce Br.], at 11-12 (“The SEC's public, punitive approach is incongruous with policy choices by Congress and other agencies to protect victims. The SEC's approach may discourage voluntary collaboration with the FBI.”).
“If American businesses don't report attacks and intrusions, we won't know about most of them, which means we can't help you recover, and we don't know how to stop the next attack, whether that's another against you or a new attack on one of your partners.” Christopher Wray, FBI Partnering With the Private Sector to Counter the Cyber Threat, Fed. Bureau of Investigation (Mar. 22, 2022), https://perma.cc/GEX6-LNL9.
The court understands and appreciates the policy concerns raised by Covington and amici. They are not unfounded. The SEC's approach here could cause companies who experience cyberattacks to think twice before seeking legal advice from outside counsel. See Chamber of Commerce Br. at 9-10. Law firms, too, very well might hesitate to report cyberattacks to avoid scrutiny of their clients. See Law Firms Br. at 9-12. The court's role, however, is limited. Its task is only to assess whether the subpoena exceeds the SEC's statutory authority or fails to meet minimum constitutional requirements. It is not to pass on the wisdom of the SEC's investigative approach.
IV. SUBPOENA MODIFICATION
Nevertheless, the court believes that a significant narrowing of the SEC's demand for affected client names is in order. “[T]he enforcement of a subpoena is an independent judicial action,” and this court is “free to change the terms of an agency subpoena as it sees fit.” United States v. Exxon Corp., 628 F.2d 70, 77 (D.C. Cir. 1980). Further, it is “within the discretion of the court to go beyond the scope of the subpoena in order to provide measures of confidentiality” if the agency has not provided sufficient safeguards to protect affected parties. See Hunton & Williams, 952 F.Supp. at 856-57 (citing Exxon, 628 F.2d at 70; FTC v. Owen-Corning Fiberglas Corp., 626 F.2d 966, 974 (D.C. Cir. 1980)).
The SEC has identified two purposes in investigating the Hafnium Cyberattack: (1) to determine whether a threat actor or others engaged in illegal trading based upon access to material nonpublic information; and (2) to evaluate whether any publicly traded issuers failed to disclose material cybersecurity events in connection with the attack. SEC Mot. at 8. After an extensive internal investigation involving nearly 500 hours of attorney time, Covington “concluded that the threat actor had not accessed [material nonpublic information] for 291 of 298 public company clients affected by the SEC subpoena.” Hodgkins Decl. ¶¶ 34-35. Covington “could not rule out that the threat actor accessed [material nonpublic information] for the remaining seven out of the 298 affected clients.” Id. ¶ 36. The SEC acknowledges Covington's efforts. It admits that “the Commission would likely identify numerous Covington clients who were not impacted by the breach, making trading in their shares irrelevant to any analysis of potential unlawful trading.” SEC Reply at 24 (emphasis added); Hr'g Tr. at 7-8. Yet, the SEC insists that it needs all 298 client names in order “to conduct an effective investigation.” Hr'g Tr. at 20.
In the court's estimation, the SEC has not made the case that it needs the names of the 291 clients whose material nonpublic information Covington has determined was not accessed. Those clients, by the SEC's own admission, are not relevant to its investigation. Therefore, the court is not prepared to grant the SEC access to a client list of nearly 300 names when only seven are actually needed to satisfy the agency's stated law enforcement interests.
The SEC says that the receipt of only those seven client names would be unsatisfactory. It asserts that, because Covington has conveyed its investigative findings at such a “high level,” the agency cannot “independently verify [Covington's] conclusions.” Hr'g Tr. at 9. But any law enforcement agency that issues a subpoena necessarily has to rely on the recipient's good faith in producing the information requested. This case is no different. If the SEC contests the accuracy or completeness of Covington's conclusions, the proper course is to ask the court for an independent evaluation. It is not to grant access to hundreds of client names that are not relevant to the investigation.
Covington, for its part, believes it could be “worse” to provide the seven client names because “it would be revealing more information, not just the [client's] identity, not just that . . . their data was subjected . . . to this cyberattack, but also that it may have revealed or at least they may have accessed material nonpublic information.” Hr'g Tr. at 40. Fair enough. But Covington has not contested that the demand for its affected clients' names is limited in scope and relevant in purpose, and the court has found that the demand, as modified, is not unduly burdensome. That is where the inquiry ends. See Arthur Young, 584 F.2d at 1024. Furthermore, identifying the seven client names would not divulge any protected communications about the data breach. If Covington believes that the SEC's regulations are not adequate to safeguard its clients' identities from public disclosure, see, e.g., 15 U.S.C. § 78x(b); 17 C.F.R. §§ 200.735-3 (2010), 230.122 (2011), 240.24c-1 (1993), Covington can seek a protective order.
In a footnote, Covington suggests that “[t]he names of the seven clients whose files contained potential [material nonpublic information] are protected work product because they reflect the efforts, opinions, and legal conclusions of Covington's lawyers and were compiled in anticipation of a subpoena enforcement action from the SEC.” Covington Opp'n at 36 n.12 (citing SEC v. Volkswagen Aktiengesellschaft, No. 19-cv-01391 (AGT), 2023 WL 1793870, at *2 (N.D. Cal. Feb. 7, 2023)). Covington said the same at oral argument. See Hr'g Tr. at 40. Neither party has adequately addressed what could be a complicated issue. See In re Sealed Case, 676 F.2d 793, 811 (D.C. Cir. 1982) (noting that there is “qualified protection for ‘fact' work product and more absolute protection for ‘opinion' work product”); Volkswagen Aktiengesellschaft, 2023 WL 1793870, at *2 (distinguishing between an interrogatory that “asks for facts” versus one that “asks for an opinion”; only a response to the latter is protected by the work product doctrine). Accordingly, the court does not address the contention. See Armstrong v. Geithner, 608 F.3d 854, 858 n.** (D.C. Cir. 2010) (stating that a court is not required to “address an argument raised only cursorily in a footnote”).
V. CONCLUSION
For the stated reasons, the Commission's Application for an Order to Show Cause Requiring Compliance with the Subpoena, ECF No. 1, is granted in part. Covington shall produce to the Commission the names of the seven clients as to whom it has not been able to rule out that a threat actor accessed material nonpublic information.
A final, appealable order accompanies this Memorandum Opinion.