The clash between Covington & Burling LLP and the US Securities and Exchange Commission over the identities of some agency-regulated clients tests the limits of attorney-client privilege for firms trying to shield such information.
The SEC asked a Washington federal court last week to force Covington to comply with a subpoena seeking the names of 298 of its clients whose information may have been exposed in a cyberattack that hit the firm’s computer systems.
The agency wants companies it regulates to be more transparent about cyber incidents. Some attorneys worry that the SEC’s push for client names may weaken the ability of law firms to protect clients.
If the court sides with the SEC, such a decision could create a “slippery slope risk” for firms, said Bradford Newman, a partner at Baker & McKenzie LLP.
“Once the door is opened a crack between attorneys and our clients, there’s arguments to keep opening it, and that door should probably stay firmly shut and locked absent a compelling reason,” Newman said. “And I’m not sure from what I see in a public record on this SEC subpoena directed toward Covington there is a basis to crack open the door here.”
Attorneys representing Covington, one of the largest US law firms, have argued the SEC’s request flies in the face of D.C. ethics rules on attorney-client relationships and requirements for sealing confidential client communications.
The narrowness of the SEC’s request could make it hard for Covington to fend off, said Bruce Green, a Fordham Law School professor.
“Privilege doesn’t protect every piece of information that a lawyer has related to a client representation,” Green said.
The SEC’s move is the latest front in the agency’s efforts to more aggressively police cyberattacks involving public companies.
“It’s definitely an emerging trend” for the SEC to drill down on breaches to determine what entities were impacted, Paul Hastings LLP partner Kenneth Herzinger said.
Herzinger pointed to the SEC’s response to a cyberattack on software company SolarWinds Corp. Following the hack, disclosed in 2020, the agency contacted public companies that may have been impacted in an attempt to learn whether they made appropriate disclosures to investors.
“The law firm piece is a new twist,” Herzinger said.
The agency says it needs Covington’s client names to investigate whether actors behind the attack engaged in illicit trading using “material non-public information.” The SEC said it would use the information to probe whether any publicly traded issuers have failed to disclose “material cybersecurity events” in violation of federal securities laws.
“There is no other place for the Commission to obtain the relevant information as to which regulated companies were impacted,” the SEC said in a court filing. “That information is uniquely in Covington’s possession as the party whose network was accessed.”
Kevin Rosen of Gibson, Dunn & Crutcher LLP, who is representing Covington against the SEC, said in a statement that clients have a right to expect that legal counsel will shield them.
“Covington is simply honoring that ethical obligation to its clients by resisting the SEC’s demands here, especially where the SEC’s demands effectively make Covington’s clients an SEC target,” Rosen said.
Publicly traded firms are required under federal securities laws to disclose information that could be considered materially important information for an investor. The SEC last year proposed requiring public companies to disclose “material” cyber breaches within four days.
The situation is “very different” from SolarWinds, said Jay Dubow, a securities enforcement practice leader at Troutman Pepper Hamilton Sanders LLP, “especially in the context” of law firms’ attorney-client relationships.
“Covington doesn’t want to get sideways with their clients,” Dubow said. “Without the court order, there’s a lot of risk in just turning over that information.”