A total of 83 US law firms are backing Covington & Burling in its fight with the Securities and Exchange Commission over client data.
The firms signed onto an amicus brief filed late Tuesday supporting Covington’s stance that attorney-client privilege should block an SEC subpoena. The agency wants a federal court in Washington to force Covington to turn over the names of nearly 300 clients whose information may have been exposed in a 2020 cyberattack that impacted the firm.
The SEC says it needs the information to help an investigation into whether hackers behind the cyberattack engaged in illicit trading. Covington has argued that confidentiality rules and a dearth of evidence of wrongdoing should shield them.
Firms signing onto the new brief include Kirkland & Ellis, Latham & Watkins, Cravath Swaine & Moore, and DLA Piper, some of the highest-grossing law firms and competitors of the Washington-based Covington.
“Not only would the SEC breach well-established principles of confidentiality in the service of this fishing expedition, it would turn attorneys into witnesses against their own clients,” they said.
The filing comes amid a long-running fight between the SEC and Covington that could have significant implications for law firms. Covington and the other law firms have argued that a judgment in favor of the SEC could open the door to further weakening of attorney-client confidences.
“The mere identity of a client itself is something that can be privileged,” said John Browning, a Spencer Fane trial partner. “Whether or not the court believes that under these circumstances merely revealing the identity is [protected], that remains to be seen.”
Fordham Law School professor Bruce Green previously told Bloomberg Law that the narrowness of the SEC’s request—focusing on client names—could ultimately be hard to beat.
“Privilege doesn’t protect every piece of information that a lawyer has related to a client representation,” Green said.
The information would also help the SEC determine whether any public companies failed to disclose “material cybersecurity events” in violation of securities laws, the agency said in an earlier court filing.
Covington has argued the client names are only a “first step” in an attempt to pull more information out of the firm and its clients.
“If in fact the SEC wants something more than client names, this presents a very problematic situation for the firms,” said Richard Hong, a Morrison Cohen partner and former SEC trial lawyer. In order to win, the agency may need to “thread the needle” on the attorney-client privilege question, he said.
Groups including the US Chamber of Commerce and the Association of Corporate Counsel also submitted amicus briefs on Tuesday backing Covington.
District Judge Amit P. Mehta is overseeing the case, which is set for its first conference between the parties next month.
Covington is among a growing group of large law firms who have been impacted by cyberattacks in recent years. Jones Day and Goodwin Procter were exposed as a result of a breach at Accellion in 2021. Both firms acknowledged that the breach left confidential client data exposed.
The case is Securities and Exchange Commission v. Covington & Burling LLP, D.D.C., No. 23-00002, amicus brief filed 2/21/2023.
To contact the reporter on this story:
To contact the editors responsible for this story:
To read more articles log in.
Learn more about a Bloomberg Law subscription.