Defending Attorney-Client Privilege In Response To SEC Subpoena

With over 700 lawyers in Washington, D.C., Covington & Burling has built a reputation as an international law firm that is willing to work with regulators rather than working against them.

‍

However, Covington has found itself entangled in a legal battle with the Securities and Exchange Commission in recent weeks that has rattled the Capitol Hill legal industry as well as threatened to upend one of the most sacred concepts in American jurisprudence: attorney-client privilege in what has become an unprecedented courtroom battle.

‍

There was a hack of Covington's systems that started in the year 2020, and it progressed from there. A court filing said that the firm and law enforcement concluded that a Chinese state-sponsored actor was responsible for the breach and was seeking information about “political issues of particular interest to China in light of the incoming Biden Administration,” after disclosing the breach to the FBI.

‍

Covington was served a subpoena by the Securities and Exchange Commission (SEC) last year demanding the names of those clients who were impacted by the breach, the amount of information that was compromised, and what communications Covington had with those clients. Following Covington's refusal to comply, the Securities and Exchange Commission filed a lawsuit against the firm in January, asking that it reveal the names of nearly 300 clients, all of who are U.S.-listed companies or investment advisors.

‍

“As a result of the SEC’s subpoena, Covington has been turned into an informant, conscripted to serve as a source of information about its own clients,” the firm said in a filing.

‍

In response to a question about the SEC's public filings, a spokesperson declined to comment. Trade Algo was directed to the firm's federal court filings by a Covington spokesperson but refused to provide further comment on the matter.

‍

In spite of the firm's unyielding opposition, Covington remains unyielding, and it's getting a hefty dose of support from its peers in the legal profession as well. The SEC is trying to subvert attorney-client privilege in an effort to gain access to sensitive client information, and more than 80 of the most influential law firms in the country have filed a brief in support of Covington, arguing that this would undermine arguably one of the oldest and most inviolate principles of American law.

‍

In a filing made on Feb. 14, Covington said that handing over the names of its clients would violate their confidentiality and have a chilling effect across the industry, resulting in institutions no longer knowing whether they can trust their lawyers with important information. Not only does Covington represent large corporations, but the firm has one of the most active pro bono practices in the United States, representing small businesses, nonprofits, and veterans as well.

‍

The case will now be decided by a Washington federal judge, who will have to decide how to proceed in a case that pits pressing national security interests against historically significant legal precedents.

‍

Following high-profile attacks on the country's energy, financial, and legal infrastructure, the protection of U.S. institutions from foreign cyber intrusion has become a top priority for the government and the FBI in the aftermath of recent high-profile attacks. The Department of Homeland Security has said cooperation and support from the private sector, ranging from small businesses to top law firms, are critical to the efforts of law enforcement agencies to protect the interests of the United States.

‍

The issue of any deal involving China is particularly sensitive, as tensions between the world's two largest economies continue to escalate as a result of trade and diplomatic tensions.

‍

However, according to Covington, with only a very few exceptions, the Chinese state-sponsored hacker did not specifically target any of their clients in the filing. There was some concern expressed by Covington that if the SEC succeeded in forcing it to disclose the names of its potentially impacted clients, it would undermine the "cooperative relationship between the public and private sectors.".

‍

This hack, which began in November 2020, was carried out by a sophisticated actor who exploited a vulnerability in the Microsoft Exchange Server software, which is used by many businesses to manage their email and calendar functions. Since it was a zero-day exploit, Microsoft had no idea about the problem and could not warn users about it until March 2021, when it was discovered that there had been a breach. The hacker had already compromised Covington's systems by the time he reached that point in time.

‍

Covington did not inform the FBI of the names of its clients whose information was impacted, nor did it inform the Securities and Exchange Commission about this. There is no clear indication as to how the SEC became aware of the hack, a year ago, which ultimately led the regulator to issue a subpoena for the documents related to the hack.

‍

SEC officials have justified the efforts they have taken by stating that they are seeking to ensure that no illegal trades have been made in the wake of the cybersecurity breach and that no material nonpublic information has been used for the purpose of making a profit. The SEC pursued an enforcement action against two Chinese hackers in 2016 for trading on material non-public information they acquired through hacking law firms and earning more than $3 million from it.

‍

Among other things, Covington said it had already conducted an "extensive internal review," according to court filings, and had devoted nearly 500 hours of attorney time to complying with the SEC's requests for information, he said. There were nine attorneys from Covington involved in the review, including a former SEC associate director, and the review concluded that only seven out of the 298 impacted clients were susceptible to MNPI theft.

‍

There is a possibility that the litigation and associated work could force Covington and its outside law firm, Gibson Dunn, to spend hundreds of billable hours fighting the SEC's lawsuit, according to a source familiar with the matter.

‍

In a filing filed with the SEC, Covington shared the findings of its investigation with the agency, but the agency refused to accept the limited data shared by the firm and demanded the names of all unidentified clients be provided. This was the first time the SEC has attempted to gain access to client information and Covington has described itself as an “innocent third party.”

‍

“An attorney's duty is to stand between his client and the power of the government on behalf of his client,” Covington stated in his opposition filing.

‍

"Despite all of this, the SEC is again demanding that a sacred precinct of trust and confidence be invaded," Covington wrote in its filing. "This Court should close the door on this case."