The Securities and Exchange Commission has filed a case against Covington & Burling, one of the largest law firms in the United States, seeking a court order to compel it to comply with an SEC investigative subpoena relating to a Russian cyber attack around November 2020. According to the Government memorandum, the threat intruder, Hafnium, gained access to Covington’s computer network and certain individual devices. During that cyberattack, the hackers were able to access non-public information of certain Covington clients, including 298 companies regulated by the Commission.
The SEC said it subpoenaed Covington in March 2022 after learning of the cyberattack, but that Covington refused to comply with the part of the subpoena asking for information about potentially affected clients, citing “privilege and client confidentiality.” The SEC argued the following: “As a large law firm with hundreds of public company clients, Covington is regularly in possession of MNPI the theft of which puts investors at significant risk. Neither Covington’s position as a victim of a cyberattack, nor the fact that it is a law firm insulates it from the commission’s legitimate investigative responsibilities.”
Counsel for Covington called the subpoena a fishing expedition. The SEC said “The request does not seek any information protected by the attorney client privilege or other sensitive information, rather it only requests the names of entities regulated by the commission whose data was maliciously and unlawfully breached as part of a cyberattack against Covington.”
The attacks were ultimately attributed to Chinese government-affiliated hackers.
Jeffrey Newman is a whistleblower lawyer who handles SEC whistleblower cases as well as False Claims Act cases. He can be reached at Jnewman@NewmanShapiro.com or at 978-880-4758.