Covington & Burling, a prominent law firm, is contemplating the possibility of appealing a recent federal court order that mandates the firm to disclose the names of clients affected by a cyberattack to the U.S. Securities and Exchange Commission (SEC).
The order, issued on July 24 by Judge Amit Mehta of the U.S. District Court for the District of Columbia, instructs Covington to provide information about seven of its corporate clients impacted by the Microsoft Hafnium cyberattack in November 2020.
A spokesperson for Covington stated, "We will review the decision carefully and consider any next steps in consultation with our affected clients." While the firm remains open to the possibility of an appeal, it declined to provide further details about its potential course of action.
The SEC initiated a comprehensive investigation in 2021 into publicly traded companies affected by the Microsoft Hafnium cyberattack, which was attributed to a threat actor from China. In March 2022, the SEC issued a subpoena to Covington, seeking the names of clients whose data may have been compromised during the attack.
In response, Covington conducted an internal assessment and identified 298 impacted clients. The SEC's concern revolved around the possibility of the cyber intrusions leading to fraudulent trading activities. Additionally, the agency aimed to ensure that companies disclosed any pertinent information about the attack's potential material impact to their investors.
Covington, however, refused to comply with the expansive requests of the subpoena, arguing that it would infringe upon attorney-client privilege. The firm's internal investigation revealed that, apart from seven instances, no material nonpublic information was exposed.
To address the matter, the SEC requested in January that Covington be compelled to provide information about all affected clients. Judge Mehta granted the SEC's request but narrowed its scope, ordering Covington to disclose the names of the seven publicly traded corporate clients potentially impacted by the breach. This measure would enable the SEC to fulfill its obligation of safeguarding investor interests.
Judge Mehta ruled that the SEC's demand for client names did not exceed its legal authority or transgress constitutional boundaries. However, he acknowledged that the agency's initial request was overly broad. The judge's decision highlighted Covington's concerns that enforcing the subpoena could set a precedent for the SEC to target law firms more frequently and issue even more intrusive information requests.
Covington also emphasized its commitment to complying with the D.C. Rule of Professional Conduct, which mandates that lawyers protect their clients' confidential information. The law firm argued that even disclosing the mere fact of representing a client constitutes a breach of confidentiality.
Expressing appreciation for the court's careful consideration of the underlying principles, a spokesperson for Covington remarked, "We believed from the beginning that we had a duty to protect our clients’ confidential information."
The legal community has been closely observing this case. The Association of Corporate Counsel (ACC) asserted its stance that the SEC's subpoena and similar actions jeopardize attorney-client privilege. Susanna McDonald, Vice President and Chief Legal Officer of the ACC, stated, "ACC stands by our position that the SEC is overstepping its authority and that the client information sought by administrative subpoena is protected by attorney-client privilege and the D.C. Rules of Professional Conduct." McDonald also expressed concern that the court's ruling could expand the use of administrative subpoenas and undermine attorney-client privilege.
As the case continues to unfold, the legal industry remains vigilant in safeguarding the fundamental principles of attorney-client privilege and confidentiality.
By fLEXI tEAM