Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Covington & Burling Calls SEC Subpoena for Client Names an “Assault”

February 22, 2023

Reuters reported on February 14 that law firm Covington & Burling fired back at a lawsuit from the U.S. Securities and Exchange Commission, arguing the agency overstepped its authority by asking the firm to identify clients affected by a 2020 cyberattack on the firm.

Covington said an SEC subpoena for the names of nearly 300 publicly traded companies whose information was accessed or stolen during the data breach threatened to expose confidential client information that the firm is required to safeguard.

“The SEC’s effort to compel Covington to help the agency investigate the firm’s clients, without any evidence whatsoever of wrongdoing by Covington or those clients, is an assault on the sanctity and confidentiality of the attorney-client relationship,” Covington told the Washington, D.C., federal court hearing the case.

The SEC sued Covington in January to compel the law firm to identify the clients as part of an investigation into potential securities law violations associated with the hack. The agency has said the attack came from the Chinese-linked Hafnium cyber-espionage group.

The SEC has argued that its subpoena was narrowly targeted and did not seek information covered by attorney-client privilege. It said its request was necessary to determine if the breach resulted in insider trading and if the companies made all required disclosures to investors about the breach.

Covington accused the SEC of engaging in a “fishing expedition” and attempting to force the firm to turn over information that could lead to scrutiny of its own clients without evidence of misconduct.

The firm cited legal ethics rules that mandate law firms to keep the confidences of their clients and protect potentially embarrassing information.

It said the SEC’s demand could chill cooperation between law firms and the government following future cyberattacks and cause a “cascading series of dilemmas” for firms caught between reporting breaches and protecting their clients.

Covington’s legal team at Gibson, Dunn & Crutcher has said the 2020 hack was aimed at a small group of lawyers and advisors to glean information about the incoming Biden administration’s policies on China.

The firm also said it worked with the FBI to investigate the cyberattack and notified all clients whose information was potentially compromised.

On February 21, Morrison & Foerster LLP, Kirkland & Ellis LLP, Latham & Watkins LLP and 80 other law firms backed Covington & Burling LLP’s opposition to releasing the names of clients targeted by a cyberattack to the U.S. Securities and Exchange Commission, emphasizing the dangers of weakening the principle of attorney-client privilege.

The case is Securities and Exchange Commission v. Covington & Burling, U.S. District Court for the District of Columbia, No. 23-mc-00002.

Sharon D. Nelson, Esq., PresidentSensei Enterprises, Inc.
3975 University Drive, Suite 225Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology