Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

SEC Sues Law Firm Covington & Burling for Details About Data Breach

January 12, 2023

Reuters reported on January 11 that the U.S. Securities and Exchange Commission has sued law firm Covington & Burling for details about nearly 300 of the firm’s clients whose information was accessed or stolen by hackers in a previously undisclosed cyberattack, according to court documents.

Hackers associated with the Hafnium cyber-espionage group, which has alleged ties to the Chinese government, gained access to Covington’s computer networks around November 2020, accessing private information about the firm’s clients, including 298 publicly traded companies, according to the lawsuit filed by the SEC.

The agency asked a federal judge in Washington, D.C., to force Covington to comply with a subpoena asking the firm to turn over the companies’ names, saying it is investigating possible securities violations associated with the hack.

In a letter to SEC investigators filed in the case, Covington’s legal team said an internal investigation determined the hack was directed at a “small group of lawyers and advisors” and was focused on “policy issues of specific interest to China in light of the incoming Biden Administration.”

Washington, D.C.-headquartered Covington specializes in regulatory work and litigation.

The law firm told the SEC it is bound by attorney-client privilege and client confidentiality to resist the portion of the subpoena requiring it to name its clients. It said only seven of the affected companies’ files contained information that could be material to investors, a figure the commission said it could not verify, according to the SEC’s lawsuit.

Covington confirmed to Reuters that the firm had been a victim of a “state-sponsored” cyberattack. A firm spokesperson said it communicated with potentially affected clients and worked with the FBI in investigating the breach.

The SEC, which has made cybersecurity a key priority under the Biden administration, said in a filing that Covington’s status as a major law firm does not “insulate it from the Commission’s legitimate investigative responsibilities.”

Kevin Rosen, a partner at law firm Gibson, Dunn & Crutcher representing Covington, called the SEC’s demand a “fishing expedition” and a “broad assault on the attorney-client relationship and confidential client information.”

While I will monitor this suit with interest, I do wonder why a data breach was not reported under the requirements of state data breach notification laws.

Sharon D. Nelson, Esq., PresidentSensei Enterprises, Inc.
3975 University Drive, Suite 225Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology