Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Hacked Law Firm Ordered to Reveal Some Client Names

July 26, 2023

The Washington Post reported on July 25 that U.S. District Judge Amit Mehta ordered on July 24 that Covington & Burling give the Securities and Exchange Commission (SEC) a list of seven clients whose material nonpublic information may have been accessed by Chinese hackers.

The SEC had asked for a list of nearly 300 other clients whose material nonpublic information the law firm found wasn’t accessed by the hackers.

Judge Mehta wrote, “The court finds some merit to both parties’ positions, but ultimately holds that the SEC’s demand for the names of affected clients does not exceed its statutory authority or cross any constitutional lines.”

Both the SEC and the law firm have indicated that they would not be happy with such a ruling, so the odds are high that the ruling will be appealed.

Covington & Burling spokesman David Schaefer told The Post in a statement that the firm is “appreciative of the Court’s thoughtful consideration of the fundamental principles at stake. We believed from the beginning that we had a duty to protect our clients’ confidential information and are grateful for the broad amicus support our position received from both the client community and the legal profession,” Schaefer said. He also said that the firm will “review the decision carefully and consider any next steps in consultation with our affected clients.”

The SEC declined to comment.

If you’ve forgotten the underlying story, several years ago Chinese hackers successfully leveraged vulnerabilities in Microsoft’s email software.

Covington discovered that it was breached in November 2020. “State-sponsored” Chinese hackers focusing on a “small group of lawyers and advisors” were behind the attack, and they were “principally focused on state espionage to learn about policy issues of specific interest to China in light of the incoming Biden Administration,” Covington told the SEC in a letter.

In early 2022, the SEC sent Covington a subpoena for nearly a dozen different types of documents. Covington said it couldn’t comply with one of the requests — a demand for records that could identify Covington clients or impacted public companies hit in the cyberattack.

Covington argued that it has a duty to keep client names confidential. It also said that the SEC’s demand for client names could damage relationships between law firms and clients and could cause victims of cyberattacks not to turn to law firms.

It also warned, backed by many law firms, that victims could be disincentivized from reporting breaches to the federal government. That’s a critical point because the U.S. government says it relies on voluntary cooperation from victims to understand the scope of hacks and respond.

Judge Mehta, in his opinion, did not disagree, writing “The SEC’s approach here could cause companies who experience cyberattacks to think twice before seeking legal advice from outside counsel. Law firms, too, very well might hesitate to report cyberattacks to avoid scrutiny of their clients.”

Mehta noted that “[t]he court’s role, however, is limited. Its task is only to assess whether the subpoena exceeds the SEC’s statutory authority or fails to meet minimum constitutional requirements. It is not to pass on the wisdom of the SEC’s investigative approach.”

Mehta’s ruling requires Covington only to “disclose the names of the seven clients as to whom it has not been able to rule out that the threat actor accessed material nonpublic information.”

He also wrote, “In the court’s estimation, the SEC has not made the case that it needs the names of the 291 clients whose material nonpublic information Covington has determined was not accessed. Those clients, by the SEC’s own admission, are not relevant to its investigation. Therefore, the court is not prepared to grant the SEC access to a client list of nearly 300 names when only seven are actually needed to satisfy the agency’s stated law enforcement interests.”

Mehta noted that the SEC argued that it couldn’t “independently verify” Covington’s accounting but said that didn’t mean it should get the full list of names.

I suspect it is a given that one or both sides will appeal.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology