Lawyers join forces to fight common enemy: The SEC and its probes into cyber-victims
Did the financial watchdog just do the impossible and herd cats?
More than 80 law firms say they are "deeply troubled" by the US Securities and Exchange Commission's demand that Covington & Burling hand over names of its clients whose information was stolen by Chinese state-sponsored hackers.
In an amicus brief filed this week, 83 firms with a total of more than 50,000 attorneys employed backed their fellow lawyers in Covington's ongoing battle with America's financial watchdog.
The government agency has put Covington in an impossible situation, asking the law firm to breach attorney-client privilege by identifying customers involved in the cyberattack, and doesn't even have a good reason beyond "mere curiosity" for doing so, the attorneys argued in the friend-of-the-court filing.
"Not only would the SEC breach well-established principles of confidentiality in the service of this fishing expedition, it would turn attorneys into witnesses against their own clients, while offering no guarantees that it will not disseminate the information to other parts of the government, the press, and the public," the court documents [PDF] say.
In the filings, the lawyers ask the court to deny the SEC's application for an order enforcing the subpoena of Covington's clients' names and other information.
"This violation of confidentiality is especially troubling given that it re-victimizes the targets of a foreign nation's cyberattack — an increasingly common feature of modern life that even the most diligent businesses and governments cannot prevent," the law firms said.
The attack was a particularly egregious one that Redmond says was Beijing-backed. In the 2020 Microsoft Exchange attack, the Hafnium crew exploited four zero-day vulnerabilities in the email platform to steal data from US-based defense contractors, law firms, and infectious disease researchers.
Covington was one of the breached law firms, and the intrusion gave the spies access to some of Covington's clients that are regulated by the US agency.
Last year, the SEC issued a subpoena asking Covington to hand over the names of SEC-regulated clients whose data had been "viewed, copied, modified or exfiltrated during the attack" as well as communications between those publicly traded companies and their attorneys. Covington refused, on the grounds of client confidentiality, and last month the regulatory agency sued the law firm.
Requesting communications between the attorneys and their clients would have a particularly chilling effect on confidentiality, and would be a "dramatic overreach" on the part of the SEC, according to the court documents filed this week.
Although the agency has suggested it needs this information to determine if Covington's clients traded on material non-public information as a result of the Hafnium cyberattack, the "SEC already has other, far less intrusive methods for detecting possible insider trading," the 83 firms wrote.
Additionally, this forced disclosure would "fundamentally change the calculus when law firms consider how to respond to a cyberattack," they said. Law firms can either "fulfill their ethical obligations to their clients" and accept potential legal sanctions if they refuse to hand over the subpoenaed information, or they can comply with the legal obligations and possibly face disbarment for revealing confidential communications. Said the attorneys, backed by a symphony of tiny violins (we hope): "Either outcome imposes a significant and unfair burden on attorneys." ®