In 2020, the prominent legal firm, Covington & Burling suffered a cyberattack in which a foreign actor may have accessed nonpublic information about clients, including 298 regulated companies. As a result of the attack, The Securities and Exchange Commission (SEC) opened an investigation to analyze who was affected, how, and why. During this investigation, the SEC requested the private names of individuals who may have been affected by the attack. Covington declined to hand over these names.
Which brings us to the present: a current case in federal court sees the SEC attempting to enforce subpoena compliance on Covington; this subpoena came after the Commission learned that the attackers exploited a vulnerability in Microsoft software to access to the firm’s computer network. In the lawsuit, the SEC argues it needs to know more about who among Covington’s clients may have been affected. Without this information, they claim they cannot know whether this hacked information was used to engage in insider trading or whether the attack was properly disclosed by Covington.
Recently, 83 law firms (including 23 of the 50 highest-grossing firms in the country) co-signed an amicus brief declaring their belief that attorney-client privilege ought to supersede an SEC subpoena. The legal community’s support for Covington is overwhelming, but the reasons inform many observer’s fears. The concern is this: if the SEC wins this case, it opens the door for future client-attorney confidentiality to be sidestepped in favor of pressing concerns (such as cyberattacks and threats).
It is undoubtedly easier for law enforcement and trading commissions to do their jobs if they have access to the names of clients; however, it is not clear that this disclosure would not come in the form of an even larger privacy violation. Furthermore, this trial has come in wake of the SEC’s new rules for disclosing major cyber incidents, which would, according to Chair Gary Gensler, “strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.”
The only question for Gensler is this: would the information gained be worth the threat to privacy? We will continue to watch the case in federal court to find out.
Legal Matters