Date: 2023-07-26

July 26 (Reuters) - A U.S. judge’s ruling that law firm Covington & Burling must identify clients caught up in a cyberattack on the firm gives federal agencies a path to scrutinize companies by obtaining information from their law firms, attorneys said.

But lawyers watching the case also said the ruling placed curbs on the U.S. Securities and Exchange Commission’s authority that allayed some of law firms’ biggest concerns.

U.S. District Judge Amit Mehta ruled that Covington, a prominent Washington, D.C.-based law firm, must name seven clients that could be relevant to the SEC's probe of insider trading and other securities violations associated with the 2020 hack.

Mehta's holding that the SEC’s subpoena did not cross legal or constitutional lines opens a new avenue of investigation for the SEC at a time when law firms are increasingly victimized by cyberattacks.

“This has always been a possibility, but the SEC has not used it,” said Bethany Kristovich, a partner at Munger Tolles & Olson who has represented law firms.

The financial regulator had sought the identities of all the nearly 300 public companies whose information was accessed or stolen during the breach, a request Mehta called “too broad.” The judge instead ordered Covington to name seven clients the firm could not “rule out” as having had private information material to investors swept up in the attack.

The decision is likely to be appealed to the U.S. Court of Appeals for the D.C. Circuit. A Covington spokesperson said the firm would “consider any next steps in consultation with our affected clients.” An SEC spokesperson declined to comment.

The SEC’s willingness to seek the identities of Covington’s clients unnerved many private lawyers, prompting a group of 83 large U.S. law firms to file a friend-of-the-court brief backing Covington in the case.

Covington argued that a law firm’s clients are entitled to privacy protections under the U.S. Constitution and that the firm should not be forced to subject its own clients to government scrutiny without evidence of wrongdoing.

But Mehta ruled that Covington “could not promise any of its clients that their identities, which generally are not protected by privilege, would remain secret in the face of a lawfully issued administrative subpoena.”

The dispute does not center around attorney-client privilege because the SEC sought only client names and not communications.

LAW FIRM CYBER RISKS

The case has drawn particular attention at a moment of both heightened SEC interest in policing cybersecurity and an increase in hacks targeted at law firms, which house a wide variety of sensitive information about clients.

The SEC argued in court filings that investigating insider trading and disclosure violations tied to cyberattacks is a crucial part of its mission to protect investors.

Law firms and business groups countered that the SEC’s subpoena could chill cooperation between the private sector and the U.S. government following breaches.

Mehta acknowledged the concern but said it was not his task to evaluate the "wisdom of the SEC's investigative approach."

Several large law firms have disclosed that they have been targets of cyberattacks. Hackers with the ransomware group known as cl0p recently claimed to have stolen data from Kirkland & Ellis, the largest law firm in the United States, and K&L Gates. The firms have not confirmed the claims.

Kwaku Akowuah, a partner at Sidley Austin who represented the Association of Corporate Counsel in support of Covington, said the SEC may move cautiously in using law firms as a source of investigative leads, even if it is a legally viable option.

“I hope what we’ll see is that the Commission will take the lesson that there are other ways to proceed that are less likely to result in this level of discord and concern from the legal community,” Akowuah said.

Reporting by Andrew Goudsward
