Judge orders Covington & Burling to give the SEC the names of seven clients affected by 2020 cyberattack on the law firm by China

The multinational law firm Covington & Burling has been ordered by a federal judge to give the Securities and Exchange Commission the names of seven clients affected by a 2020 cyberattack attributed to a China-linked cyber-espionage group. The SEC had sued the firm in January for the names of all of the clients, but the judge limited the order to seven public companies that could have been exposed to illegal trading because of the incident. Covington cited attorney-client privilege, arguing that it had an obligation to protect the identities of all the affected clients. In its own investigation, Covington found that most of the clients did not have “material nonpublic information” exposed by the attack, Mehta noted. The judge said that information about the remaining seven companies, however, fell under the SEC’s jurisdiction.

The decision ratifies the SEC’s power to investigate whether a cyberattack has allowed attackers or others to engage in securities fraud, and whether publicly traded companies have made proper disclosures about the attack. The decision could also allow the Commission to examine such records when national security issues are at stake.

It is unclear at this time whether the decision will be appealed to a higher court, given the thorny legal issues involved. The judge said Monday’s decision was focused solely on the federal agency’s statutory authority to request the companies’ names, and it was not a ruling on the “wisdom of the SEC’s investigative approach.”

The November 2020 attack on Microsoft Exchange servers affected many organizations. In March 2021, Microsoft traced the incident to Hafnium, which it now calls Silk Typhoon.

Jeffrey Newman is a whistleblower lawyer who handles SEC whistleblower cases as well as cases under the False Claims Act. He can be reached at 617-823-3217 or jeff@jeffnewmanlaw.com.

The SEC sued Covington in January to force the prominent Washington-based firm to identify public company clients whose information was accessed or stolen in the breach carried out by the Chinese-linked Hafnium cyber-espionage group, filings showed.

The agency said it needed the names to probe for securities law violations associated with the attack, arguing that Covington’s law firm status did not shield it from cooperating.

Covington told the court a law firm’s clients are part of a “zone of privacy” protected by the U.S. Constitution and legal ethics rules. It also argued the subpoena would force the firm to expose clients to government scrutiny without evidence of wrongdoing.

Reporting by Andrew Goudsward; Editing by David Bario and Susan Heavey