Covington SEC Hack Order Opens Attorney-Client Privilege Crack

July 26, 2023, 9:00 AM UTC

Covington & Burling’s court-ordered requirement to share hacked customer names with the Securities and Exchange Commission opens a crack in attorney-client privilege that makes legal practitioners uneasy.

The ruling will have “chilling ramifications” on attorney-client relations, said Sarah Concannon, a Quinn Emanuel partner and former SEC trial lawyer. The commission will craft more subpoenas for law firm records “based on nothing more than suspicion of violation of the securities laws,” she said.

US District Judge Amit Mehta ruled July 24 that Covington must disclose the identities of seven public-company clients to the SEC as part of an investigation into a 2020 cyberattack. Mehta narrowed the SEC’s request for nearly 300 client names, saying it was “too broad” and that Covington’s probe found only seven clients may have had non-public information exposed.

The dispute became a test case over how far a law firm’s obligations could go as it responds to data breaches. More than 80 law firms submitted an amicus brief arguing the SEC’s request violated bedrock principles of confidentiality while turning attorneys against their clients.

Even in its narrowed form, Mehta’s order represents “a door” that law firms “don’t want opened,” said John Browning, a Spencer Fane trial partner and former Texas appellate court judge. “We’re opening the door a crack and that might lead it to being widened later on,” he said.

Covington said in a statement the firm will “consider any next steps in consultation with our affected clients.” The SEC declined to comment.

Client Protections

The case has its roots in a 2020 hack on Microsoft software servers perpetrated by actors believed to be associated with the Chinese government.

The SEC argued that it needs the Covington client names to support an investigation into illicit trading and to analyze whether affected companies made adequate cyber disclosures in compliance with securities laws.

“Future firms will be hacked and the question will arise over and over again: What are regulators going to be able to obtain through subpoena?” said Fordham Law School professor Bruce Green. The opinion of one district court judge carries limited significance, he added.

“Firms will continue to contend with the SEC until there is a settled understanding,” Green said.

The case could have broad implications as law firms become a more frequent target of cyberattacks. Mehta’s order, however, raises the question of whether Covington’s clients could object to the firm sharing their identities after disclosing that their non-public information may have been compromised, said Jennifer Arlen, a New York University law professor.

Adam Pritchard, a University of Michigan law professor, said the order is lessened in consequence since the disclosure is a client’s identity, rather than their data or communications.

“Standing on its own, it’s not an earth-shaking decision,” Pritchard said. “But with the SEC, when you give them an inch, they will always ask for a mile. It’d be surprising if this were the last case we saw like this.”

The case is Securities and Exchange Commission v. Covington & Burling LLP, D.D.C., No. 23-00002, order filed 07/24/2023.

To contact the reporter on this story: Justin Wise at jwise@bloombergindustry.com

To contact the editors responsible for this story: Chris Opfer at copfer@bloombergindustry.com; John Hughes at jhughes@bloombergindustry.com; Alessandra Rafferty at arafferty@bloombergindustry.com
