SEC sues Covington for names of nearly 300 clients affected by 2020 cyberattack
The U.S. Securities and Exchange Commission sued Covington & Burling on Tuesday to obtain the names of 298 publicly traded clients affected by a 2020 cyberattack.
The Jan. 10 lawsuit, filed in Washington, D.C., federal court, says the SEC regularly seeks information on corporate cyberattack victims, partly to determine whether there was illegal trading associated with the attack and to determine whether the companies made required disclosures to the investing public.
Covington told the SEC in a June 2022 letter that it “fully cooperated with law enforcement and undertook
a considerable effort to identify and inform its affected clients.” But the law firm said it can’t ethically comply with an investigative subpoena for client names because it is privileged information.
Covington learned through its investigation and cooperation with the FBI that the hackers, backed by China, were mostly focused on “policy issues of specific interest to China in light of the incoming Biden administration,” the letter said. The hackers targeted a small group of lawyers and advisers, collecting their emails, their folders on networks drives and the content on one user’s laptop.
Covington said its review found that the cyberattack accessed material nonpublic information for only seven of the 298 clients. The SEC said, however, it hasn’t been able to confirm the information, and it disagrees with Covington’s methodology for determining what constitutes material nonpublic information.
According to Bloomberg Law, former U.S. Attorney General Eric Holder is a Covington partner. Among the firm’s clients is President Joe Biden’s 2020 presidential campaign.
Covington said in a statement published by Law.com it intends to contest the SEC subpoena enforcement action.
“We regard the SEC’s action as an unwarranted attempt to intrude on client confidences and the attorney-client privilege, the protection of which is a fundamental ethical obligation of the legal profession,” the statement said.
Law.com also published a statement by Kevin Rosen, a Gibson, Dunn & Crutcher partner representing Covington in the litigation with the SEC.
“The SEC’s action is a blatant fishing expedition that both targets Covington’s clients without even a whiff of wrongdoing and attempts to coerce Covington’s complicity in that effort,” Rosen said. “This broad assault on the attorney-client relationship and confidential client information threatens all clients and their lawyers, and Covington will do everything in its power as the law demands to protect that relationship and those privileged confidences by opposing the SEC’s unwarranted intrusion here.”