Judge Questions if SEC Covington Client Demand Opens Floodgates

A judge questioned whether the SEC will “open the floodgates” to law firm data demands if Covington & Burling is forced to release names of 298 publicly-traded clients whose information may have been exposed in a cyberattack.

The Securities and Exchange Commission lawsuit to compel Covington to release the names in the 2020 firm attack presents “challenging” questions, District Judge Amit Mehta said Wednesday.

But it’s also not clear what privacy standard would constrain the SEC, Mehta acknowledged. He urged Covington and the SEC to try to reach an agreement, even as attorneys from both parties said they wouldn’t compromise on their positions.

The dispute carries implications for the legal industry as to what information firms can protect in the name of attorney-client privilege. More than 80 law firms, including Big Law powers such as Kirkland & Ellis and Latham & Watkins, have claimed the SEC is trying to breach well-established principles of confidentiality in the service of a “fishing expedition.”

“However this shakes out, the hope is there will be some guidance to harmonize” the regulation of cyber and how businesses respond to hacks, said Kevin Muhlendorf, a Wiley Rein partner who represented the US Chamber of Commerce in an amicus brief the Chamber filed in support of Covington.

The SEC is seeking the client names as part of an investigation into potential securities violations stemming from a 2020 cyberattack that impacted Covington. The attacks were later attributed to actors—dubbed Hafnium—affiliated with the Chinese government. The commission in January sued Covington after the firm refused to comply with a subpoena for the names.

The SEC is turning its action into a “test case to intrude on attorney-client privilege,” Gibson Dunn partner Theodore Boutrous, Covington’s counsel, argued during Wednesday’s hearing.

Boutros argued the SEC is asking the firm to act against its own clients by giving up information that could support an investigation of them.

SEC attorney Eugene Hansen said the “breadth of the attack” shows why the SEC is in court, and he said the commission has no intention of extending its authority to target law firms in the future.

Hansen cited a list of law firms that have been hit by cyberattacks in recent years and noted that the SEC has not subpoenaed any of them.

The commission needs the information to support an investigation into whether any illicit trading took place on nonpublic material information the actors may have seen, Hansen said. The SEC “can’t turn a blind eye because it happened to a law firm,” he said.

Judge Mehta ended the hearing by saying he has “a lot to think about.” He gave no indication as to when he may reach a decision.