Law firm opposes Securities and Exchange Commission subpoena for firm’s client data in SEC’s investigation of cyberattack on the firm

Around November 2020, foreign threat actors associated with the Microsoft Hafnium cyberattack were able to gain entry into Covington & Burling’s computer network. Covington & Burling, LLP is a U.S. multinational firm with 13 offices, eight located abroad. Hafnium has alleged ties with the Chinese Government. According to court documents, the law firm promptly contained the intrusion and reported it to the FBI. According to court documents, the threat actors accessed non-public information regarding certain Covington clients, including 298 regulated by the SEC. After the attack, Covington created a list of potentially affected clients and contacted them to notify them about the intrusion.

The SEC is investigating and seeking to determine whether the cyber intrusion resulted in violations of any federal securities laws to the detriment of investors. In its pleadings, the Commission explained that it regularly seeks information from companies that were victims of cyberattacks to understand the nature and scope of the attack and assess potential illegal trading on the information obtained in the attack. Covington identified 298 clients whose information was viewed or exfiltrated by the intruder while in its possession. The law firm has refused to provide the names of those clients. The SEC says that knowing the clients’ names would allow it to conduct targeted analysis on trading in those entities’ securities around the time of the cyber intrusion.

Covington argues that the names of its clients are privileged under the circumstances of this case as the SEC will use those names to demand more information from the firm and its clients. It also says that the SEC has no obvious way to determine whether the information in Covington’s files was material and nonpublic without taking further steps to ask for more information.

Covington also points to the societal ramifications of allowing the agency to have the information it seeks. It argues that “Cyberattacks have become an ever-increasing part of commercial life and have affected many law firms…” and that the SEC position threatens to chill the relationship between public companies and their counsel and between victims of cybercrime and the FBI.

The underlying descriptions of various cyber intrusions in the court pleadings reveal the astoundingly high level of sophistication that the nation-state hackers have and how deeply they can penetrate US computer systems. For example, on March 2, 2021, Microsoft disclosed that a threat actor had exploited vulnerabilities in its Exchange Server software to gain access to email accounts and to install malware to facilitate long-term access to victim environments. Because Covington uses Microsoft’s Exchange Server software, it launched an investigation that revealed that the threat actor had infiltrated its computer system.

The case raises thorny legal issues for law firms, corporations and courts, as well as for the SEC. As a general rule, client names fall outside the attorney-client privilege. However, where disclosing the names would result in harm to the clients, they may be privileged.

As Covington stated it, “Clients’ time-honored privacy and confidentiality interests should not yield to intrusive government fishing expeditions, especially where all evidence suggests that the cyberattack here was motivated by state espionage objectives unrelated to the securities markets.”

As U.S. relations with China and Russia worsen, the probability of major cyber intrusions increases exponentially. To ensure that we don’t unfairly penalize our own companies, care must be taken to consider the risks while still allowing the SEC and other agencies to perform their tasks appropriately. While this task presently falls to judges hearing individual cases, it is an issue that policymakers should consider given the various interests and societal significance.

Jeffrey Newman is a whistleblower lawyer. He can be reached at jeff@jeffnewmanlaw.com or at 617-823-3217.