The Securities and Exchange Commission has accused law firm Covington & Burling of failing to comply with a subpoena for information about a 2020 cyberattack on the firm that potentially exposed client data.
(Bloomberg) — The Securities and Exchange Commission has accused law firm Covington & Burling of failing to comply with a subpoena for information about a 2020 cyberattack on the firm that potentially exposed client data.
In a new case filed this week in federal court in Washington, the commission said that Covington had been the subject of a breach known as the Microsoft Hafnium cyberattack in November 2020. The commission said it launched an investigation into whether any federal securities laws had been violated as a result of the “malicious activity,” in which a foreign actor may have accessed non-public information about clients, including 298 regulated companies.
Covington is one of the largest and most prestigious Washington-based multinational law firms, with former Attorney General Eric Holder among its partners.
The commission said it issued a subpoena to Covington in March 2022 after learning the firm was targeted by the breach, and that Covington had produced some information. However, government lawyers said the firm refused to comply with part of the subpoena asking for information about potentially affected clients, citing “privilege and client confidentiality.”
Covington told the commission that only seven of the 298 clients at issue had “material non-public information,” or MNPI, that the “threat actor” accessed, modified, or took, according to the SEC’s court filing. The commission wrote that they hadn’t been able to verify that information and disagreed with how Covington determined what was “material non-public information.”
“As a large law firm with hundreds of public company clients, Covington is regularly in possession of MNPI, the theft of which puts investors at significant risk. Neither Covington’s position as a victim of a cyberattack, nor the fact that it is a law firm, insulate it from the Commission’s legitimate investigative responsibilities,” the commission argued in its filing.
Covington released a statement saying they would fight the SEC’s effort to enforce the subpoena in court. The firm said that they had “promptly” turned over information to the commission and cooperated with the FBI, but “we made clear to the SEC that we cannot voluntarily comply with any attempt by the agency to obtain client confidential information, including the identity of affected clients and attorney-client communications.”
Kevin Rosen of Gibson Dunn, who is representing Covington, called the case “a blatant fishing expedition” in a separate statement.
“We regard the SEC’s action as an unwarranted attempt to intrude on client confidences and the attorney-client privilege, the protection of which is a fundamental ethical obligation of the legal profession,” the firm said in its statement.
The case is Securities and Exchange Commission v. Covington & Burling, 1:23-mc-00002, US District Court for the District of Columbia.
More stories like this are available on bloomberg.com
©2023 Bloomberg L.P.