Update Your Cybersecurity Controls to Keep Your Client Roster Confidential: The SEC Tests the Limits of Attorney-Client Privilege in the Context of Law Firm Data Breaches

Feb 15, 2023 | Blog
Partner

A cyberattack that results in a breach of client information can be devastating to a law firm’s reputation and financial picture. But can it also jeopardize privilege over the identification of a law firm’s clients?

On January 12, 2023, the SEC announced that it had filed an application for an Order to Show Cause regarding compliance with an administrative subpoena served to D.C.-based law firm Covington & Burling LLP (“Covington”) after it had suffered a cyberattack.

The SEC had been investigating a previous major attack on Microsoft Exchange’s software that had allowed hackers to gain access to thousands of companies’ private data from November 2020 to March 2021. Microsoft reported that its investigation revealed that the attack had been conducted by Hafnium, a hacker group operating out of China.

In March 2022, a year into its investigation, the SEC discovered that Covington was one of the companies that had been affected by the Microsoft cyberattack. The SEC subsequently issued a subpoena to Covington for the names of its clients whose information had been viewed, copied, modified, or exfiltrated (taken) during the breach. This would have amounted to the “non-public files of nearly 300 Covington clients that are regulated by the SEC.”

However, Covington objected to the subpoena on attorney-client privilege grounds. In a letter sent to the SEC by Covington’s counsel in June 2022, the firm stated that it could not ethically hand over its clients’ confidential information. The firm argued that it was “duty-bound” to protect the identity of its clients, stating:

“Clients hire Covington for their most serious and sensitive matters, and they expect the Firm to hold all information provided, including the fact of their representation, in the strictest confidence. From Covington’s perspective, maintaining the sanctity of these client relationships is not simply a business imperative, but a mandate imposed by applicable law and the District of Columbia Bar.”

In its announcement and application for its Order to Show Cause, the SEC argues that its purpose in obtaining Covington’s client information is to determine whether: a) there was any unusual trading activity as a result of the loss of data from the firm and b) the firm’s clients made the required disclosures to their investors regarding the cyberattack, pursuant to SEC regulations. The SEC has therefore asked the court to 1) direct Covington to show cause why it should not be required to produce the client information and 2) subsequently order Covington to comply with the subpoena.

This incident should be a warning to all law firms, but especially to those that represent public companies, to assess their cybersecurity controls and defenses. Any law firm, particularly one that represents public companies, would sustain significant reputational damage following a breach of the information of those clients, and in the wake of the breach may have difficulty retaining them. If that law firm then had to provide the names of those clients to a government agency like the SEC, after which the client list could become a public record, the firm could lose additional business. A firm may even have to face ethics inquiries for its loss of client information after a major cyberattack leading to a breach of its clients’ data.

If you have questions or need assistance in evaluating your law firm’s cybersecurity controls in relation to your firm’s legal, client engagement, and ethical obligations, please contact Kenneth N. Rashbaum.