Action Implicates Attorney-Client Privilege and Other Concerns

Factual Background

On January 10, 2023, the SEC filed a subpoena enforcement action against Covington, a large law firm that was victimized by the so-called Hafnium cyberattack by Chinese state actors.[1]  Hafnium reportedly was engaged in espionage to determine priorities of the incoming Biden administration in November 2020.  The SEC seeks names of Covington clients whose information was accessed by the attackers.  Covington has refused to supply the name of its clients, arguing that such information is protected by the attorney-client privilege and work-product doctrine, and that compliance with the subpoena would be unduly burdensome.

Covington asserts that disclosing its clients’ names will reveal client confidences by notifying the SEC which clients it communicated with about the attack, which communications would undoubtedly be privileged.  Covington arguably has no choice but to refuse compliance with the subpoena.  What would its clients think if the firm turned them over to the SEC?  Covington views refusal to disclose as a business imperative but also as an ethical requirement.  The SEC, however, contends that the names of clients are not protected by any privilege or exemption from compliance with a federal subpoena. 

SEC Subpoena Enforcement Actions

The action against Covington is far from the routine subpoena enforcement action.  In the more typical case, a party will either simply ignore the subpoena or make dubious arguments for non-compliance.  In such a case, the SEC has no choice but to file a subpoena enforcement action.  The problem for the subpoenaed party is that the subpoena enforcement action will describe the conduct under investigation.  This can be nearly as damaging to one’s reputation as an actual enforcement action by the SEC.  Generally speaking, it is extremely unwise to refuse to comply with a subpoena.  In the Covington case, however, we think Covington is taking the right approach.

Key Takeaway

This will be an interesting case to observe as attorney-client privilege issues continue to be litigated across the country.  Indeed, the United States Supreme Court recently heard oral argument regarding the threshold for claiming attorney-client privilege in the context of tax advice regarding digital assets.[2] At issue in the Supreme Court is to what extent dual-purpose communications—communications for both business and legal purposes— are protected by the attorney-client privilege.  The SEC’s subpoena enforcement action and the pending Supreme Court case could both have important ramifications for the sanctity of the attorney-client privilege.


[1] Memorandum of Points and Authorities In Support of Application For An Order to Show Cause And For An Order Compelling Compliance with Investigation Subpoena, SEC v. Covington & Burling LLP, Case No. 1:23-mc-00002 (D.D.C., Jan. 10, 2023), available at extension://elhekieabhbkpmcefcoobjddigjcaadp/https://fingfx.thomsonreuters.com/gfx/legaldocs/dwvkdaalwpm/SEC-v-Covington-cyber-attack-2023-01-10.pdf.

[2] Petition for Writ of Certiorari, In Re Grand Jury, ____ U.S. ____ (No. 21-1397).