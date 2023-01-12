

(Reuters) - Every law firm in the United States ought to be paying attention to the U.S. Securities and Exchange Commission’s lawsuit to force Covington & Burling to cough up the names of about 300 clients whose confidential information was exposed to hackers in a 2020 cyberattack.

Today it’s Covington that is stuck in what the firm portrays as an ethical conundrum. Tomorrow, if you have clients and a computer network, it might well be your firm that gets hit with an SEC subpoena for information that can be used against clients victimized by a hack of your files.

The SEC, as my colleague Andrew Goudsward reported on Wednesday, sued Covington in federal court in Washington, D.C., to enforce compliance with a subpoena the agency issued to the law firm last March, after SEC investigators learned that hackers from the Hafnium cyber-espionage group, which allegedly has ties to the Chinese government, exploited a vulnerability in Microsoft software to tap into Covington’s computer network.

It's not clear how the SEC found out about the hack. According to a white paper that Covington’s counsel from Gibson, Dunn & Crutcher presented to the SEC last June and that was filed as an exhibit to Wednesday's complaint, the law firm approached the U.S. Federal Bureau of Investigation within days of learning that its network had been breached. The firm, which believes cyber attackers were looking for information about China-related policies as President-elect Joe Biden prepared to take office, has said Covington coordinated with the FBI as it conducted its own internal investigation of the hack and alerted affected clients.

The FBI, according to Covington, did not ask the firm to reveal the identity of the clients whose files were exposed. But in March 2022, the SEC informed Covington that it was also investigating the hack.

The commission, according to Wednesday's lawsuit, said it needed to know more about Covington's affected clients in order to ascertain whether anyone used hacked information to engage in insider trading and whether Covington’s SEC-regulated clients adequately disclosed the cyberattack to their investors.

The SEC demanded that Covington disclose the identity of affected SEC-regulated clients; the information from clients’ files that Covington believed to have been illegally accessed; and the firm’s communications notifying clients of the attack.

Covington refused, prompting several months of negotiation. The SEC narrowed its demand to just the names of the 298 Covington clients that are regulated by the SEC and were affected by the hack. Covington would not agree, so the SEC sued.

The SEC contends that it needs the information in order to protect investors. As the agency explained in its complaint, it has previously brought enforcement actions against both public companies that botched the revelation of cyber attacks and traders who capitalized on non-public information obtained through illegal hacks. (In one instance – a case involving a former Equifax Inc executive – the SEC brought claims of insider trading based on the disclosure of a cyber attack.)

In an emailed statement on Thursday, SEC enforcement director Gurbir Grewal said the Covington subpoena is narrowly tailored and does not seek information shielded by attorney-client privilege. “Covington is the only source of this information, which is key to helping the SEC identify the hackers, any residual access and any violations of securities laws,” the statement said.

Covington, however, told the SEC in June that its duty of confidentiality precludes the firm from disclosing the identity of affected clients. During negotiations with the SEC, the firm asked affected clients if they would voluntarily reveal their identity to the agency. Only two -- of nearly 300 -- agreed.

“Covington has no discretion in this situation,” the firm insisted in its letter to the SEC. “It cannot comply with [SEC demands] under the current circumstances and still uphold its professional obligations to its clients.” (Covington maintains that its ethical duty to protect clients' confidences extends beyond the technical bounds of attorney-client privilege.)

Covington didn’t mention this consideration in the June letter, but there are potential financial consequences for a law firm that breaches its fiduciary duties to clients. What if Covington tells the SEC about a client it is not publicly known to represent and the SEC ends up bringing an enforcement action accusing the client of inadequate disclosures? The client might well try to blame Covington for prompting the SEC to investigate.

Covington counsel from Gibson Dunn have not yet formally responded to the SEC’s lawsuit, but based on the June letter, the firm will argue that there’s no precedent for the SEC to demand confidential information from a law firm unless either the firm or its client is already suspected of wrongdoing. Here, Covington contends, the SEC has no independent reason to investigate its clients but is simply engaged in what defense counsel Kevin Rosen of Gibson Dunn called a “fishing expedition.”

The agency’s “attempt to pry client confidences from an innocent law firm to assess whether any securities violations have taken place charts a perilous new course that threatens to chill the relationship between public companies and their counsel,” Covington argued.

Covington also told the SEC that its subpoena will end up hurting government efforts to identify cyber attackers. If law firms fear that they’re exposing their clients to SEC investigations by helping the FBI investigate hacks, they’ll “reevaluate that cooperation and transparency,” the letter said.

I reached out to the SEC to ask about Covington’s assertion that the subpoena is misguided as a matter of ethics and public policy but didn’t hear back.

Covington counsel Rosen emphasized the sweeping consequences of the case in a statement to me on Thursday. The SEC subpoena will “adversely affect incentives for clients and lawyers who now must navigate new layers of complexity and risk before they can assist criminal authorities as good citizens--an outcome that should concern other federal agencies as well,” Rosen said. “This action should concern every lawyer and every client whose confidences will be sought routinely by the SEC without any evidence of wrongdoing.”

Like I said: Pay attention.

