Covington & Burling is fighting the Securities and Exchange Commission over what it calls an “unprecedented assault on the privacy and confidentiality” of the law firm and its clients.
The Washington-based firm said it shouldn’t have to hand over the names of 298 clients regulated by the SEC whose information may have been exposed in a November 2020 cyber attack. The SEC filed an enforcement action in D.C. federal court in January after the firm refused to comply with a subpoena for client names.
“Clients’ time-honored privacy and confidentiality interests should not yield to intrusive government fishing expeditions, especially where all evidence suggests that the cyberattack here was motivated by state espionage objectives unrelated to the securities markets,” the firm said in a Tuesday court filing.
Covington’s opposition extends a fight with the SEC that has implications for other law firms that hold information about clients regulated by the agency.
Covington, represented by lawyers from Gibson Dunn & Crutcher, has argued that professional ethics rules on privilege and confidentiality prevents it from divulging the information. It has also claimed that the SEC has no right to the client names when it has no evidence of wrongdoing by the firm or its clients.
The SEC has said it wants the names to examine whether actors behind the attack engaged in illicit trading using “material nonpublic information.” The agency also wants to find out whether any public companies failed to disclose “material cybersecurity events” in violation of securities laws.
Covington was among many victims of attacks later attributed to actors—dubbed Hafnium—affiliated with the Chinese government.
The firm said it reported the breach to the FBI and cooperated with the agency in its investigation. An internal law firm probe found that the actor was “was engaged in geopolitical espionage for the Chinese state—not financial sleuthing,” Covington said.
The firm also said it told the SEC that only seven of its impacted clients’ files may have included “material non-public information.” The SEC has said previously, however, that it was unable to to verify that claim and disagrees with Covington’s methodology.
The SEC argued in its enforcement action that the names of agency-regulated clients are not privileged.
District Judge Amit P. Mehta is overseeing the proceedings. Amicus curia briefs from nonparties to the case are due by Feb. 21.
The case is Securities and Exchange Commission v. Covington & Burling LLP, D.D.C., No. 23-00002.
To contact the reporter on this story:
To contact the editors responsible for this story:
To read more articles log in.
Learn more about a Bloomberg Law subscription.