SEC Demands That Covington & Burling "Name Names"

Earlier this week, the United States Securities and Exchange Commission filed a complaint against one of the country's leading law firms - Covington & Burling LLP.  According to the complaint, "threat actors" associated with the Microsoft Hafnium cyberattack gained unauthorized access to the firm’s computer network and certain individual devices.  The SEC is now investigating, among other things, whether any persons or entities involved in or impacted by this cyberattack have been or are engaging in violations of the federal securities laws.  As part of this investigation, the SEC has issued a subpoena to Covington asking the firm to name the nearly 300 public company clients who had information accessed by the attackers.  When negotiations over the response reached an impasse, the SEC sued in the U.S. District Court for the District of Columbia.

The SEC alleges that disclosure is permitted under D.C. Rules of Professional Conduct 1.6:  

[Rule 1.6](a)(1) generally prevents an attorney from “knowingly . . . reveal[ing] a confidence or secret of the lawyer’s client.”  However, if issued a subpoena, the recipient must comply notwithstanding Rule 1.6, absent some other valid objection.  This is because Rule 1.6(e)(2)(a) provides an exception to the general rule, and permits the lawyer to “reveal client confidences or secrets” when “required by law or court order.

If that is the case, the rules are very different here in California.  The California State Bar Act famously enjoins lawyers "to maintain inviolate the confidence, and at every peril to himself or herself to preserve the secrets, of his or her client".  Cal. Bus. & Prof. Code § 6068(e)(1).  Lawyers are only permitted to reveal client confidences and secrets "to the extent that the attorney reasonably believes the disclosure is necessary to prevent a criminal act that the attorney reasonably believes is likely to result in death of, or substantial bodily harm to, an individual".   Cal. Bus. & Prof. Code § 6068(e)(2).  This statutory mandate is included in Rule 1.6 of the California Rules of Professional Conduct.  As Justice Shinn wrote in his concurring opinion in People v. Kor, 277 P.2d 94, 100-101 (Cal. App. 1954):

The privilege of confidential communications between client and attorney should be regarded as sacred. . . .  Here the attorney was compelled to testify against his client under threat of punishment for contempt. . . .  Defendant's attorney should have chosen to go to jail and take his chances of release by a higher court.

Finally, Section 955 of the California Evidence Code requires an attorney to claim the privilege whenever he or she is present when a privileged communication is sought to be disclosed.  

The SEC's complaint was brought in Washington D.C., but Covington is a national law firm with several offices in California.  It is unclear to me why the SEC believes that D.C. Rule 1.6 is relevant to lawyers who practice in other jurisdictions and are not members of the D.C. bar.

For more on the statutory and ethical obligations of California attorneys to maintain client confidences, see Conflicting Currents: The Obligation to Maintain Inviolate Client Confidences and the New SEC Attorney Conduct Rules,  32 Pepp. L. Rev. 89 (2004).