Subpoena Drama Plays Out Against Cybersecurity Backdrop

Lawyers agreeing on something doesn’t have the same ring to it as hell freezing over or pigs flying, but it happens just about as often. Covington & Burling LLP’s recent fight against the Securities and Exchange Commission represents one of those rare occasions.

In January, the SEC asked the U.S. District Court for the District of Columbia to force Covington to comply with a subpoena for information on clients that may have been caught up in a 2020 cyberattack on the firm. Hackers breached Covington’s cybersecurity systems in the incident to access non-public information from a group of clients that included nearly 300 registered companies. Authorities pinned the cyberattack on a Chinese state-sponsored effort seeking insight into policy issues that could take on greater importance under the Biden administration. For its part, the SEC wants to know if the hacking ultimately led to any violations of federal securities laws.

More than 80 law firms have banded together behind Covington’s opposition to the subpoena. Allies in the dispute include other major players in the legal industry, including some of Covington’s rivals, like Morrison & Foerster LLP and Kirkland & Ellis LLP. Naturally, the coalition is challenging the SEC’s action to prevent the erosion of attorney-client privilege. In an amicus brief filed last month, the firms said the SEC is attempting to “breach well-established principles of confidentiality in the service of this fishing expedition,” a move that “would turn attorneys into witnesses against their own clients.”

It seems possible – if not likely – that the legal system will eventually come down on the SEC’s side in this dispute, given the narrow scope of the agency’s subpoena. However, the cyberattack supposedly targeted policy issues of interest to the Chinese government. Where is the evidence that it also resulted in securities fraud? Sounds rather flimsy.

Interestingly, though, the fight is taking place as the White House prioritizes cybersecurity as part of its national agenda. The administration last week rolled out a series of cyber-centric measures in support of a handful of strategic objectives, such as “defend critical infrastructure” and “shape market forces to drive security and resilience.” Broadly speaking, the idea is to put more of the onus on the private sector to bolster the country’s collective cyber defenses. That includes both the technology players that make the ubiquitous software and devices we use to access the online world, as well as the companies that use those applications in everyday business.

According to Anne Neuberger, deputy national security adviser for cyber and emerging technologies, the main takeaway from the strategy is that it is “inadequate” to count on the private sector to protect the infrastructure and networks that underlie the economy voluntarily. The next time a high-profile law firm gets hacked, its biggest concern may be the fact that it got hacked in the first place, not dealing with the SEC fallout.