Securities and Exchange Commission v. Covington & Burling LLP

Court: U.S. District Court for the District of Columbia

Date Filed: Feb. 21, 2023

Background: As part of its investigation into a 2020 cyberattack targeting Covington & Burling LLP, the Securities and Exchange Commission issued a subpoena to the law firm in March 2022 seeking the production of information, including the names of Covington’s SEC-regulated clients impacted by the network intrusion.

Covington mostly complied with the subpoena, but it refused to disclose the client names, citing attorney-client privilege, ethical responsibilities, and legal limits on government investigations that obligate the firm to resist the SEC’s demand that it identify its clients.

In January 2023, the SEC sued Covington to enforce the subpoena.

Our Position: The U.S. District Court for the District of Columbia should reject the SEC’s sweeping assertion of investigative authority.

• Credible assurances of confidentiality given to legal clients and journalistic sources alike are essential, as courts and legislatures have widely recognized.
• Absent a stronger news media policy like that at the Department of Justice, adopting the SEC’s legal theory here could increase the potential for agency overreach.

Quote: “[C]rediting the SEC’s theory in this case … could chill the free flow of information from confidential sources to the press and, therefore the public, by signaling to SEC investigators that an unauthorized intrusion into a news organization’s computer systems could provide adequate basis for legal process to identify those confidential sources.”