Cybersecurity

Judge whittles SEC request for names of nearly 300 BigLaw clients to 7

  •  
  •  
  •  
  • Print

shutterstock_Covington logo

U.S. District Judge Amit P. Mehta of the District of Columbia has ruled that the U.S. Securities and Exchange Commission could learn the names of seven publicly traded clients to determine whether hackers used their material. Image from Shutterstock.

A federal judge in Washington, D.C., has ruled that the U.S. Securities and Exchange Commission is entitled to learn the names of seven Covington & Burling corporate clients affected by a cyberattack.

U.S. District Judge Amit P. Mehta of the District of Columbia said the SEC could learn the names of seven publicly traded clients to determine whether hackers used their material, nonpublic information for illegal trading. But Mehta said the SEC was not entitled to information from 291 other clients because Covington had determined that their material, nonpublic information was not accessed by the hackers.

Law360, Law.com, Bloomberg Law and Reuters have coverage, while the Legal Profession Blog published highlights of the July 24 opinion.

Covington’s investigation had found that the hackers, who were likely backed by China, were likely looking for information about the incoming Biden administration and policy issues of interest to China. Only seven clients may have had their material, nonpublic information exposed, the law firm determined.

Covington nonetheless contended that all its clients’ names—including those of the seven clients—were protected by attorney-client privilege.

Summing up Covington’s argument, Mehta said the firm “asserts that the SEC’s demand exceeds its investigative authority, as there is no valid purpose in demanding client information where there is no suspicion of wrongdoing by the firm or any client. It also sounds the alarm that, if the SEC’s subpoena is enforced, the Commission will become emboldened to target law firms with greater frequency and serve even more intrusive demands for information.”

Mehta said the SEC’s demand for client names “does not exceed its statutory authority or cross any constitutional lines.” But he said the SEC request was too broad, and Covington had to only reveal the seven clients with possibly hacked nonpublic information that could be used for trading.

Eighty-three firms had filed an amicus brief backing Covington’s position in the case.

Covington released a statement to Law.com that said it would review Mehta’s decision and “consider any next steps in consultation with our affected clients.”

“We are appreciative of the court’s thoughtful consideration of the fundamental principles at stake. We believed from the beginning that we had a duty to protect our clients’ confidential information and are grateful for the broad amicus support our position received from both the client community and the legal profession,” the statement said.

Give us feedback, share a story tip or update, or report an error.