Insights

Federal_Court_Grants_the_SEC_Limited_Access_to_th

Federal Court Grants the SEC Limited Access to the Identities of Law Firm Clients Impacted by a Cyberattack

In Short

The Situation: Following a cyberattack on a law firm's systems, the Securities and Exchange Commission ("SEC") subpoenaed the firm for information, including the identity of clients whose information may have been accessed during the attack. After the firm refused to provide this information, the SEC filed suit to enforce its subpoena. 

The Result: On July 24, 2023, the court issued an order that granted the SEC a limited portion of its requested relief. In so ruling, the court acknowledged the SEC's broad investigative authority and rejected the law firm's arguments that the names of its clients are subject to privilege protection and its Fourth Amendment objections. The court nonetheless restricted the SEC to discovering the names of seven of the 298 clients it sought, concluding that the remaining clients were irrelevant to the SEC's stated investigative purpose. 

Looking Ahead: While the decision is unlikely to deter the SEC from continuing to subpoena companies who have suffered cyber incidents to identify SEC-regulated parties who have been affected, the court's curtailment of the SEC's demand that a law firm identify its clients, and the widespread criticism of its efforts, may diminish the agency's appetite to intrude on the attorney-client relationship.

In a case watched closely by lawyers and clients alike, the U.S. District Court for the District of Columbia compelled a law firm whose systems had been breached in a cyberattack to provide to the SEC the identities of certain clients whose material nonpublic information may have been accessed during the attack. While the Court overruled the law firm's objections to this request, it nevertheless gave the SEC access to just seven of the 298 client names it had sought. See SEC v. Covington & Burling, LLP, No. 23-MC-00002 (July 24, 2023).

This case stems from a cyberattack the law firm experienced over four months beginning in fall 2020. The firm cooperated with the FBI's investigation into the attack, which also impacted other businesses. The FBI did not seek or obtain information about firm clients.

The SEC opened an investigation into the matter in early 2021 after a software company publicly disclosed security vulnerabilities in its widely-used software, which had been exploited by threat actors to intrude into company systems. A year later, the SEC subpoenaed a law firm that suffered such an attack, demanding that the firm provide information about the attack, including the names of clients whose information may have been affected. The firm objected to providing the identity of its public company or SEC-regulated clients whose information may have been accessed or the law firm's communications with them. The SEC ultimately narrowed its request to seek only client identities, but the parties remained at an impasse. The SEC filed an action in federal district court to compel subpoena compliance.

In court, the SEC argued that it needed the client identities to determine whether there had been insider trading on any of these clients' material nonpublic information ("MNPI") accessed in the cyberattack and to evaluate whether any publicly traded clients had failed to disclose material information about the attack. The SEC further argued that the law firm was the only source for the information and that, without it, the SEC could not conduct its investigation.

In response, the law firm objected to providing client information on two primary grounds: (i) that the clients' identities are protected by the attorney-client privilege; and (ii) that the SEC's demand is "an unreasonable fishing expedition that violates the Fourth Amendment." 

Overruling these objections, the court first concluded that, absent special circumstances not present here, a client's identity is not protected from disclosure by the attorney-client privilege in federal court "because it does not reveal a 'fundamental communication in the attorney-client relationship.'" The court also rebuffed concerns that disclosing client identities would "effectively reveal" the content of the firm's communications with them about the cyberattack, stating that this argument "conflates the fact of a communication" with its content, only the latter of which is privileged. Lastly, the court was unmoved by arguments that the SEC's request for identification information was merely its first step toward an inevitable demand for more intrusive information, reasoning that any such requests could be dealt with if and when they arose.

Turning to the Fourth Amendment arguments, the court noted that the SEC's investigative authority, while broad, is not boundless and must still be "sufficiently limited in scope, relevant in purpose, and specific in directive that compliance will not be unreasonably burdensome." But the court declined to subject the SEC's civil investigative authority to the "robust" reasonableness review applied to criminal warrants. The court also declined to apply a heightened standard to subpoenas seeking nonprivileged information from law firms, concluding that "the mere fact of an attorney-client relationship" implicates no greater privacy interest than other kinds of nonpublic information the SEC regularly subpoenas. In response to the argument that the SEC should not be permitted to "rummage" through the law firm's files without first having reasonable grounds to believe a securities law violation had occurred, the court observed that the Supreme Court had authorized law enforcement agencies "to satisfy themselves that corporate behavior is consistent with the law and public interest, even if prompted by nothing more than official curiosity." 

The court acknowledged public policy concerns raised by the law firm and amici (including Jones Day) that the SEC's approach could discourage clients from seeking legal advice about cyberattacks, and law firms from reporting such events to avoid scrutiny of their clients. But the court explained that its role was limited to assessing the legality of the SEC's request, not its wisdom, and overruled the firm's objections.

The court nevertheless sharply limited the SEC's request. The law firm's exhaustive internal investigation (which the SEC acknowledged) had identified only seven clients whose MNPI may have been accessed. The other 291 clients, whose MNPI was not accessed, were by the SEC's own admission irrelevant to the stated purposes of its investigation. Rejecting the agency's complaint that it could not "independently verify" the law firm's conclusions, the court noted that law enforcement "necessarily" must rely on a subpoena recipient's good faith in producing information. The court therefore limited the SEC to the seven clients' identities.

Three Key Takeaways

  1. Despite affirming the SEC's broad investigative authority, the court limited the SEC's requests to information directly connected to its stated investigative objectives. This decision reflects that courts increasingly view the SEC's power much more narrowly than does the agency itself. 
  2. The outcome in this case may embolden the SEC to seek similar information in the future from law firms that experience a cyberattack, since it largely prevailed on its legal arguments against the law firm. But the agency received significant external criticism for seeking this information and the court ultimately exercised discretion to hold the SEC to a tighter standard of relevancy than is typical in subpoena enforcement actions, suggesting that the court was unsympathetic toward the agency's actions. Under future SEC administrations, it would not be surprising to see the agency adopt tighter internal standards for subpoenaing law firms akin to those the agency has for subpoenaing the press.
  3. SEC investigations are but one of the many legal challenges companies may face in the wake of a cybersecurity incident. Companies should not be deterred by this case from seeking legal counsel to help identify, navigate, and mitigate those risks, especially when involved early in the incident response.  
Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.