Cyberattacks And Compromise of Attorney Client Confidences | Simple Justice

In an underappreciated ruling, District of Columbia Judge Amit Mehta ruled that the multinational law firm Covington & Burling must comply with an SEC subpoena requiring the firm to give up the names of its clients, publicly traded corporations, so that the SEC could investigate whether there was any trading on non-public information. This didn’t arise because of suspicious trades or other red flags on the corporate side of the ledger, but because hackers working for China launched a successful cyberattack on Microsoft which ultimately gave them access to the firm’s internal records.

This case concerns the intersection of a federal law enforcement agency’s interest in rooting out possible law violations and a law firm’s ethical obligations to its clients. On March 21, 2022, the Securities and Exchange Commission (“SEC” or “the Commission”) served a subpoena on Covington & Burling, LLP (“Covington”), a multinational law firm headquartered in Washington, D.C. The subpoena sought information relating to a cyberattack on Covington’s information technology systems that had occurred a year prior. Covington largely complied with the subpoena. It balked, however, in one key respect. Citing its ethical obligation to protect its clients’ identities, Covington refused to disclose the names of its nearly 300 public company clients whose files had been compromised by the attack.


When Covington became aware of the attack, it notified its clients in order to address its significance. What happened there is between Covington and its clients. But the SEC’s concern wasn’t about the poor client. It was the possibility that the attack put non-public information into the hands of Chinese attackers, essentially insider trading, which the SEC frowns upon. The dual problem was that while the attack gave rise to the possibility that such trading occurred, the SEC had no evidence to suggest it had, in fact, happened. It merely wanted to investigate because it might have happened, and to find out whether it did or not.

All it needed was for Covington to cough up its clients’ names, at least at first. Covington, seeing what was painfully obvious, that the names were only a first step, meaningless without the next step of combing through client files to determine what information might have been hacked and used by the Chinese, refused.

The SEC now moves to compel disclosure of the withheld client names. The Commission says it has a legitimate purpose in seeking that information: it is investigating whether there have been violations of the securities laws arising from the cyberattack on Covington’s systems, and the information is necessary to determine (1) whether any illegal trading occurred using material nonpublic information, or (2) whether any publicly traded issuers failed to make disclosures relating to the cyberattack.

Covington cries foul. It asserts that the SEC’s demand exceeds its investigative authority, as there is no valid purpose in demanding client information where there is no suspicion of wrongdoing by the firm or any client. It also sounds the alarm that, if the SEC’s subpoena is enforced, the Commission will become emboldened to target law firms with greater frequency and serve even more intrusive demands for information.

Had there been evidence that wrongdoing had, in fact, occurred, the SEC’s rifling through attorneys’ files would still present an insurmountable violation of client confidentiality. In the absence of wrongdoing, it’s just a fishing expedition. And yet, Judge Mehta put the SEC’s inchoate claim of “we’re just asking questions” ahead of a law firm’s fundamental ethical duty to its clients.

Under federal law, the identities of clients are not, per se, confidential, except if the revelation itself implicates a client’s confidential communication (as in, why did the client need to consult with a lawyer to begin with?). But the SEC’s initial demand for names was obviously just a first step since it provided the SEC with no useful information absent the next series of investigative steps.

It first maintains that “the SEC’s demand for client names is only the first step toward an inevitable demand for privileged information and work product” because the Commission seeks the client list in part to investigate insider trading; thus it “will need to probe for details about the content of the files accessed by the threat actor” to determine whether they contained material nonpublic information that “could be exploited for insider trading.”

Judge Mehta found no dots to necessarily connect.

But the mere prospect that the SEC might demand actual confidential matter cannot transform a present request for nonprivileged client identities into a privileged one. If the SEC eventually does demand client confidences, that request will rise or fall on its own merits.

Given the putative justification for the subpoena in the first place, this is either absurdly naive or obsequiously deferential to the SEC. From the decision, either could explain the ruling.

The Commission is statutorily authorized to “make such investigations as it deems necessary to determine whether any person has violated, is violating, or is about to violate” the federal securities laws or the “rules or regulations thereunder.” 15 U.S.C. § 78u(a)(1). To that end, the SEC “is empowered to . . . require the production of any books, papers, correspondence, memoranda, or other records which the Commission deems relevant or material to the inquiry.”

Sure, if there were cause to investigate rather than a fishing expedition just because, you know, it might have happened. And if it were the corporation believed to have engaged in wrongdoing being subpoenaed, not its lawyers, who were the secondary victims of a cyberattack on Microsoft and are being ordered to violate, seriatim, both the evidentiary rule of attorney/client privilege and the ethical rule against revealing client confidences.

Curiously, Judge Mehta limited the reach of the SEC’s subpoena, accepting Covington’s word that no material information was taken from the other clients and that it was unable to offer the same assurance for only seven. While this might not seem like much of a big deal, the fact that clients now have reason to fear that an external cyberattack on a third party could give rise to a government law enforcement agency rummaging through attorneys’ files could fundamentally undermine the nature of the attorney-client relationship.