Who’s Representing Who?: SEC vs. Covington and the Sixth Amendment

For the United States, a nation deeply embedded in individualism and liberal rights, the trade-off between crime prevention and personal privacy has always been a contentious balance to strike. With the advent of emergent technologies, the battle over right-to-data between the state and the individual has continued to dominate legal theory. Can governmental and regulatory agencies legitimately demand that private firms provide information based on concerns of national security or suspicions of criminal offense? In 2020, the preeminent multinational law firm Covington & Burling LLP was subjected to a cyberattack carried out by hackers associated with Hafnium, an organization suspected of having Chinese state backing. Many of Covington’s high-profile clients – including two hundred ninety-eight publicly traded companies – were victims of this leakage. Due to the weight of these companies in the financial market, the Securities and Exchange Commission filed suit against Covington in a D.C. federal court in order to enforce a subpoena issued in March 2022 that would compel Covington to provide the names of the affected clients. Covington’s representative lawyer has preliminarily invoked attorney-client privileges as a defensive strategy. [1] The SEC’s order to enforce the subpoena for disclosure of the clients’ names is not entirely consistent with precedent. Furthermore, Covington & Burling’s wide variety of legal strategies, mostly predicated on the attorney-client privileges established by the Sixth Amendment and other related cases and legal frameworks, are highly capable of shielding them from this intrusive and overreaching lawsuit.

The main constitutional backing that the SEC is relying on is the SEC Act of 1934 and a potential violation of it by the access to MNPI (material nonpublic information that would be used by Hafnium for insider trading purposes). [2] The phrasing of the legislation is nebulous, affording the SEC the ability to issue subpoenas based on mere suspicion to aid in “determining whether any person has violated, is violating, or is about to violate any provision of this title.” [3] The implication of this potentiality-oriented phrasing is that even if Covington’s clients make the guarantee that the leakage has not yet resulted in any verifiable insider trading schemes, the SEC can still base the subpoena on the fact that the leakage still carries danger for the future. This significantly lightens the SEC's burden of proof. Rather than proving that insider trading has already happened, the SEC can simply cite MNPI’s historical employment in insider trading schemes as evidence that the unauthorized access to MNPI in this case could very likely lead to the same outcomes.

Covington’s defense for not complying with the SEC’s subpoena, roughly laid out in their letter to the agency, is largely based on attorney-client privileges and its “ethical duty” that “extends beyond the bounds of attorney-client privilege.” [4] The notion of attorney-client privilege traces its origins back to the Sixth Amendment phrase “...in all criminal prosecutions, the accused shall enjoy the right to... have the assistance of counsel for his defense.” [5] It was not until 1973, however, that a clear definition of this right was provided. In United States v. Rosner, District Judge Gurfein famously concluded that "[t]he essence of the Sixth Amendment right is ... privacy of communication with counsel." [6] “Privacy,” the key term often extracted from this ruling, would later become a contentious issue, with critical debate regarding appropriate levels of government intrusion and/or interference. For the purpose of Covington’s case, however, a more pertinent case to examine would be United States v. Singer. In this 1965 Supreme Court ruling, the government's review of the defendant's confidential trial strategy files, acquired through an informant, demonstrated an unconstitutional intrusion into the defendant's attorney-client relationship. [7] The specific relevance of this case is Covington’s presumed role as the “informant.” What this case does suggest for the near future is the potential legal issues that the SEC could face if it ever decides to file lawsuits against the clients that Covington names under the subpoena. If the possible defendants choose to frame their legal defenses around the cyberattack, then it can reasonably be argued that the information the SEC acquired through Covington – the details of the cyberattack – could constitute a large component of the defendants’ trial strategies and therefore its request would constitute a violation of the attorney-client privileges.

Most substantially, the definition of what constitutes an intrusion into the attorney-client relationship was firmly established in the 1976 Supreme Court case Weatherford v. Bursey. Justice White, speaking for the majority, stated that an important criterion for such a determination was that the act in question must demonstrate a showing of prejudice to the defendant. [8] Later cases would continue to debate the burden of proof for the specific “prejudice to the defendant's preparation for or conduct of the trial.” [9] Whichever party is deemed responsible for this demonstration of proof would inevitably have to rely on a certain amount of counterfactual assumptions: the plaintiff would be tasked with proving how the case would have proceeded substantially in the same manner with or without the “intrusion,” while the defendant has to construct the opposite scenario. Depending on which party bears the burden of proof, the SEC would have to show that the breach caused no change in the paths of subsequent legal actions, or Covington would have to prove the opposite. Given that both are arguments based on counterfactuals, it is not difficult to see how it can be an uphill battle for both the SEC and Covington.

However, Weatherford v. Bursey also differs much from SEC v. Covington in the legal identity of the parties. Weatherford and Bursey are both private individuals. Both parties thereby are able to appeal to certain well-enumerated and solidified civil liberties to which corporate entities (such as that of Covington) may not be entitled. On the contrary, one can also argue that Weatherford’s status as an undercover agent for the state is an undeniably critical point of conflict and thus the state is more involved than the outlines indicate. The relation between the parties directly involved and the general public can also be seen as a point of contention.

From the cases reviewed above, several defense strategies emerge as the naturally advantageous routes for Covington. Covington’s most direct argument would be that simply giving the names of the firms constitutes an intrusion into the clients’ right to privacy of communication with counsel. The law firms who disclosed to Covington that the hacker had gained access to their MNPI did so with the full expectation that this information would remain confidential, as Covington’s letter to the SEC states. [10] Alternatively, Covington could also argue that giving the names to the SEC would inspire a showing of prejudice, coupled with the inherently uncertain process of determining the existence of insider trading schemes. In this scenario, Covington’s information may perversely encourage the SEC to lean toward affirming occurrences of insider trading rather than being more benevolent in its judgment. If the SEC is aware that certain firms were victims of this cyberattack, abnormal trading patterns due to alternative causes are now prejudiced to be interpreted as results of insider trading instead.

More radically, Covington could cite the 1992 case Golden Trade, S.r.L. v. Lee Apparel Co., in which Judge Dolinger of the Southern District of New York explicitly states attorney-client privilege is “absolute in the sense that it cannot be overcome merely by a showing that the information would be extremely helpful to the party seeking disclosure.” [11] This strategy requires Covington to firmly establish that the information they are subpoenaed to disclose is part of the “attorney-client privilege,” and not merely a “work product,” since Judge Dolinger also states that “work-product rule and deliberative-process privilege” are “not absolute.” [12] This distinction suggests that certain categorization of data must happen before one can inquire about the level of protection to which they are entitled. The privacy of ancillary data would most likely not be taken under the wings of attorney-client privileges. Thus, Covington would have to prove the criticality of the information they are asked to provide, rather than simply stating that it is information transferred from a client to an attorney.

Taking a look at the less well-protected work-product doctrine, then, one notices certain overlaps (but more importantly, exceptions). The doctrine similarly permits attorneys to withhold documents “prepared by or for counsel with a view to litigation,” endowing the same level of protection afforded to any documents that are considered part of the attorney-client privilege. [13] In the 1992 Second Circuit Court case, U.S. v. Adlman, however, it was further specified that documents created primarily for business purposes – rather than anticipated litigation – are not covered by the work product doctrine. [14] If Covington’s consultation with their clients after the hacking was considered more relevant to the financial relations between the two parties rather than legal implications of the incident, then one could well argue that the exchanged information (what the SEC is demanding from Covington) is not protected even by the work-product doctrine. However, Covington may have an easier time than other firms in terms of fulfilling this requirement, since its business relationships with the law firms are largely legal in nature.

Last, but certainly not least, one has to address the “ethical duties” and threats to future confidence in and willingness to cooperate with federal agencies in criminal investigations that Covington mentions in their own letter, especially in situations in which the party in question has committed “no wrongdoing.” [15] If this precedent is established, many confidential contractual relationships are no longer safe from investigations with trivial causes, due to rising cybersecurity concerns and historically high volatility of the equity market. The private sector will not be happy with this overwhelming application of SEC (and, by extension, other federal regulatory agencies) authority. One can expect there to be a huge amount of legal effort dedicated to overturning this ruling if it does lean in favor of the SEC. Even those who are not actively engaged in contractual relationships with publicly traded companies (whom the SEC is explicitly allowed to regulate) will still worry about their own privacy in the face of government intrusion. For those who continue to worry about issues of insider trading, one only has to consider the nature of the data-information era: the “Efficient” Market ensures that all “leaks” of MNPI will instantaneously become public goods – in terms of their non-exclusivity – from which speculators from around the world can easily benefit. The financial (and thus legal) impact of insider trading is heavily downplayed under this financial framework. Regardless of the unbelievably wide scope outlined in the Securities Exchange Act with regard to what the SEC is allowed to subpoena, the one issued to Covington is nevertheless highly likely to be a violation of Covington and its clients’ attorney-client relationship and the privileges that it accords them.

Edited by Rebecca Reyes

[1] Alison Frankel, “The SEC’s subpoena fight with Covington -- a 'perilous new course'?” Reuters, January 12, 2023, https://www.reuters.com/legal/government/secs-subpoena-fight-with-covington-perilous-new-course-2023-01-12/.

[2] Memorandum of Points and Authorities In Support of Application For An Order to Show Cause And For An Order Compelling Compliance with Investigation Subpoena, SEC v. Covington & Burling LLP, Case No. 1:23-mc-00002 (D.D.C., Jan. 10, 2023), available at https://fingfx.thomsonreuters.com/gfx/legaldocs/dwvkdaalwpm/SEC-v-Covington-cyber-attack-2023-01-10.pdf.

[3] U.S. Congress, House, To provide for the regulation of securities exchanges and of over-the-counter markets operating in interstate and foreign commerce and through the mails, to prevent inequitable and unfair practices on such exchanges and markets, and for other purposes (SECURITIES AND EXCHANGE ACT) of 1934, Pub. L. 73-291, U.S. Law (1934), https://www.govinfo.gov/content/pkg/COMPS-1885/pdf/COMPS-1885.pdf.

[4] Frankel, “SEC’s subpoena fight.”

[5] U.S. Const. amend. VI.

[7] United States v. Singer, 785 F.2d 228, 232 (8th Cir.).

[8] Weatherford v. Bursey, 429 U.S. 545 (1977).

[9] Weatherford v. Bursey, 429 U.S. 550 (1977).

[10] Frankel, “SEC’s subpoena fight.”

[11] Golden Trade, S.r.L. v. Lee Apparel Co., 143 F.R.D. 522 (S.D.N.Y. 1992).

[12] Id.

[13] Hickman, Administrator v. Taylor, et al., trading as Taylor & Anderson Towing & Lighterage Company, et al, 329 U.S. 514 (1947).

[14] U.S. v. Adlman, 134 F.3d 1194 (2d Cir. 1998).

[15] Frankel, “SEC’s subpoena fight.”

Skylar Wu