Is Attorney-Client Privilege Strong Enough to Uphold the SEC?

By: Casey Reilly

In November 2020, Covington & Burling suffered a Microsoft Exchange cyber-attack carried out by Hafnium, a group of Chinese-sponsored threat actors.  Hafnium is a highly sophisticated actor that exploited four vulnerabilities in the Microsoft Exchange email platform in order to steal data from U.S. contractors, infectious disease researchers, and law firms.  Fast forward to 2022: the U.S. Securities and Exchange Commission (“SEC”) demanded that Covington release the names of approximately 300 clients whose information was compromised.  Covington, backed by many other prominent law firms, is taking a strong stance against providing the clients’ names to protect their attorney-client privilege.

Covington & Burling is an international law firm headquartered in Washington, D.C. The firm specializes in regulatory and public policy matters and is known for working alongside regulators; its attorneys even include former government officials.  Near the end of 2020, the Hafnium actors conducted a three-step cyber-attack.  First, they gained access to Exchange Servers using stolen passwords or by disguising themselves as legitimate users.  Then, they controlled the Exchange Server remotely by utilizing servers located in the U.S., and were able to quickly exfiltrate the firm’s internal data.  After the breach was disclosed to the FBI, the government was able to determine that Hafnium was “looking for information ‘about policy issues of specific interest to China in light of the incoming Biden administration.’”

Some of the clients whose information was compromised by Hafnium are companies regulated by the SEC.  As a result, the SEC brought a lawsuit against Covington & Burling to retrieve further information about the victim clients and to determine whether the malicious activity resulted in any violations of federal securities laws.  The March 2022 subpoena requested that Covington “hand over information about the security breach including, among other things, all of the affected clients’ names, and the amount of information that was accessed or stolen, and communications between the law firm and the clients about the exfiltration.”  Initially, Covington complied with a majority of the request, but did not provide a list of the clients whose information was affected.  Given the response, the SEC clarified its request to only SEC-regulated clients whose data was “‘viewed, copied, modified, or exfiltrated during the attack,’” as well as communications between the publicly traded companies and their attorneys.  Although the SEC has an interest in protecting these clients, so does Covington; the law firm ultimately viewed the SEC’s request as an attempt to intrude on confidential client information and their attorney-client privilege.

Attorney-client privilege is sacred to the practice of law and provides one of the longest-standing privileges for the communications between a client and their attorney to remain confidential.  The doctrine prevents an attorney from being able to testify against their client and encourages clients to fully disclose all information to their attorney, without fear that this information will be used against them.  Furthermore, the privilege only exists for communications that were intended to be confidential; if a third-party is present or the communication takes place in a public setting, it may not be protected by the doctrine.

In June 2022, Gibson Dunn, the law firm that is representing Covington & Burling, sent a letter to the SEC stating that Covington “‘does not have the option of complying’” with the requested subpoena because the communications are protected by attorney-client privilege.  Kevin Rosen, a partner at Gibson Dunn, stated that this request was a fishing expedition on behalf of the SEC and a broad assault on their attorney-client privilege.  Additionally, Covington representatives expressed major concern over providing the list of impacted clients; they fear it would not only breach client confidentiality, but would also have a rippling impact on the legal industry in general, resulting in a lack of trust between companies and their attorneys.

Covington has devoted over 500 attorney hours to comply with the SEC’s request.  As part of their internal investigation, they determined that seven out of the nearly three hundred compromised clients’ data could possibly contain material non-public information (“MNPI”).  MNPI is “data relating to a company that has not been made public but could have an impact on its share price,” thus prompting the SEC to determine if any federal securities violations took place.  Covington is standing their ground and they are receiving widespread support from other prominent law firms to protect the attorney-client privilege.

An amicus brief was filed in February 2022 by 83 law firms, including Kirkland & Ellis, Latham & Watkins, Cravath Swaine & Moore, and DLA Piper, to support Covington’s argument that attorney-client privilege should block the SEC subpoena demanding client names.  The brief explained that “[n]ot only would the SEC breach well-established principles of confidentiality in the service of this fishing expedition, it would turn attorneys into witnesses against their own clients.”  Typically, the identity of a client itself is not considered privileged.  However, Covington and the other major players argue that retrieving the client names is only a first step in a broader attempt to get more information.  Fordham Law Professor Bruce Green stated that if the SEC’s request was narrow in only requesting client names, it may be difficult for the firms to beat because privilege does not protect every aspect of representation.  Additionally, providing the client names could be enough to help the SEC determine whether any public companies failed to comply with cybersecurity event disclosure requirements, which would result in a violation of securities laws.

 

Student Bio: Casey Reilly is a second-year student at Suffolk University Law School.  She is a staff writer on the Journal of High Technology Law.  Prior to law school, Casey received a Bachelor of Science Degree in International Business, with a concentration in Finance, from Bryant University and spent several years working at a financial services institution in Boston.

Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.
