by Todd W. Smith
It’s every lawyer’s worst nightmare. Your firm experiences a cyber attack. Your clients’ data is accessed. You take steps to mitigate the harm. Then, you are served with a subpoena from the SEC asking for the names of the clients whose data was accessed. You object, citing your duty of confidentiality to the impacted clients. The court sustains your objection. Right?
Not so fast. A recent federal decision out of the District of Columbia, SEC v. Covington & Burling LLP, has lawyers re-thinking the bounds of client confidentiality.
Some background is helpful here. In 2021, the law firm of Covington & Burling, a large multi-national law firm based in Washington, D.C., discovered that unauthorized parties (later discovered to be hackers associated with the Chinese government) had undertaken a “series of malicious activities” against Covington’s computer network, including “stealing credentials and engaging in search, reconnaissance, and export activity.” Sec. & Exch. Comm’n v. Covington & Burling, LLP, No. 23-MC-00002 (APM), 2023 WL 4706125, at *2 (D.D.C. July 24, 2023). Covington promptly reported the malicious activity to the FBI and worked cooperatively with law enforcement to investigate the incident. And Covington was not alone. The hackers, exploiting vulnerabilities in Microsoft’s Exchange Server, had targeted thousands of organizations around the world.
In March of 2022, the SEC served a document subpoena on Covington regarding the cyber attack. Investigating whether the hackers accessed and traded on material non-public information and whether any public companies made any false or misleading statements about the attack, the SEC’s subpoena included ten requests generally relating to the cyber attack and the information that had been accessed. Covington produced records in response to nine of the requests, but objected to Request No. 3 which sought, among other information, documents sufficient to identify Covington’s impacted clients. Covington took the position that the firm’s fiduciary duties, including its duty of confidentiality to its clients, precluded it from identifying the clients whose data had been accessed.
Despite extensive negotiations between Covington and the SEC, the parties were unable to resolve their dispute over Request No. 3. In January 2023, the SEC filed an application to enforce the subpoena in D.C. District Court. The issues, including Covington’s objection on client confidentiality grounds, were extensively briefed. A group of eighty-three law firms submitted an amicus brief supporting Covington’s position. The group noted that it was “deeply troubled by the SEC’s demand for confidential client information” and argued at length about the ethical, legal, and policy ramifications of compelling the disclosure of client names.1 In addition to running afoul of time-honored principles of attorney-client confidentiality, the brief argued that requiring disclosure of client names would punish innocent clients, burden attorneys, and undermine law firms’ incentives to cooperate with law enforcement.
Covington itself also mounted a fierce opposition to the SEC’s motion to compel disclosure of client names.2 Among other arguments, Covington cited Rule 1.6 of the D.C. Rules of Professional Conduct which commands that a lawyer “shall not knowingly . . . reveal a confidence or secret of the lawyer’s client” without that client’s consent. Covington cited authority that client identity is considered a “secret” under Rule 1.6. It also emphasized that Rule 1.6 requires Covington to protect all information that may be “embarrassing” or “detrimental” to its clients or that the “client has requested to be held inviolate.” The fact that a client had been affected by a cyber attack, Covington argued, could prove to be “embarrassing” or “detrimental” to that client; accordingly, Covington was duty bound to keep that information confidential.
The SEC, for its part, took the position that client names, on their own, were not confidential or privileged. It also pointed out that Rule 1.6 contains an exception which authorizes a lawyer to disclose client confidences and secrets when “required by law or court order.” The SEC’s subpoena, it argued, was the equivalent of a court order and thus Covington was authorized to make the requested disclosure without violating Rule 1.6.
After a hearing, the court granted in part and denied in part the SEC’s application. While Covington had reported that 298 of its clients had information that may have been viewed, copied, modified, or exfiltrated by the hackers, the firm had concluded that the hackers had not accessed material non-public information for 291 of those clients. Viewing this distinction as significant, the court denied the SEC’s application as to those 291 clients. However, the court ordered Covington to disclose to the SEC the names of the seven clients for whom Covington could not rule out that the hackers had accessed their material non-public information.
While it surely will be the subject of rigorous appellate scrutiny, the ruling sent shockwaves through the legal community. Law firms are understandably concerned not only about the potential of being required to disclose client names in response to a regulatory subpoena, but more broadly about what they view as a step towards the erosion of long-settled and sacrosanct principles of attorney-client privilege and confidentiality. Perhaps most troubling was the dismissive manner in which the court treated the question of client confidentiality in its opinion. The discussion of Covington’s objection based on the duty of confidentiality is relegated to a footnote in which the court noted that the question of client confidentiality was “academic” in light of the exception to D.C. Rule of Professional Conduct 1.6 for disclosure when “required by law or court order.” The court’s own order, it reasoned, would permit Covington to comply with Request No. 3 without running afoul of Rule 1.6.
Leaving aside the circular reasoning embedded in the Court’s conclusion, what can practitioners take away from the Covington decision? At a minimum, lawyers should expect that, where they make objections to a subpoena or other discovery device based on their ethical duty of confidentiality, opposing parties will point to Covington to try to overcome those objections and compel disclosure. That said, the unique circumstances of Covington, including an SEC investigative subpoena propounded after a cyber attack in the District of Columbia, will limit the applicability of Covington. Indeed, the fact that the decision focused on the scope of the SEC’s administrative authority, and barely touched on the issue of client confidentiality, should give lawyers some comfort that the ethical duty of confidentiality has not been eroded.
For California practitioners, while the Covington saga is certainly worth following, there are key differences between California’s ethical duty of confidentiality and the corresponding duty of confidentiality in Washington, D.C. that suggest that the result would be different in California. Client confidences enjoy robust protection in California, with an extremely broad ethical duty of confidentiality supported by strong public policy provisions favoring confidentiality.
In California, the ethical duty of confidentiality is set forth in Business & Professions Code section 6068(e)(1), which states that it is the duty of an attorney “[t]o maintain inviolate the confidence and at every peril to himself or herself preserve the secrets, of his or her client.”3 Rule 1.6 of the California Rules of Professional Conduct states, “A lawyer shall not reveal information protected by Business & Professions Code section 6068, subdivision (e)(1) unless the client gives informed consent, . . . .”4 Notably, unlike in Washington, D.C., there is no exception permitting disclosure where “required by law or court order” in California. In fact, at least one California ethics opinion could not conclude one way or another whether it was ethical to disclose to the court a client confidence even in the face of a court order to do so.5 At a minimum, the lawyer in such a position would be wise to exhaust all avenues of appellate review of such an order before determining whether he or she can ethically comply with it.
The only exception to the duty to maintain client confidences in California is where the lawyer reasonably believes disclosure is necessary to prevent a criminal act that the lawyer believes is likely to result in death or substantial bodily harm.6 And, even in that extreme circumstance, disclosure is permissive, i.e., the lawyer may, but is not required to, make the disclosure.
Thus, while the Covington court dismissed the firm’s confidentiality objections based on the exception to D.C. Rule 1.6 permitting disclosure when “required by law or court order,” no such exception exists in California. That distinction, coupled with California’s robust rules and policies favoring confidentiality, suggests that the outcome in Covington likely would have been different had it been decided under the California law and, in particular, California’s ethics rules.
So, while lawyers are understandably concerned over the Covington decision and its potential impact on client confidentiality, California practitioners can take comfort in California’s broad confidentiality protections which obligate lawyers to protect client confidences at every peril—even when the SEC comes knocking.
Todd W. Smith is a partner at Umberg Zipser LLP where he practices complex business litigation in state and federal courts, with a focus on defending law firms and lawyers in legal malpractice actions. He is a member of the OCBA’s Professionalism & Ethics Committee. The views expressed herein are his own. He can be reached at tsmith@umbergzipser.com.