Case Lawyer

SEC sues Covington law firm for names of 300 clients caught up in hack

(Reuters) – The US Securities and Exchange Commission has sued law firm Covington & Burling for details about nearly 300 of the firm’s clients whose information was accessed or stolen by hackers in a previously undisclosed cyberattack, court documents show.

Hackers associated with the Hafnium cyber-espionage group, which has alleged ties to the Chinese government, gained access to Covington’s computer networks around November 2020, accessing private information about the firm’s clients, including 298 publicly traded companies, according to a lawsuit filed Tuesday by the SEC.

The agency asked a federal judge in Washington, DC, to force Covington to comply with a subpoena asking the firm to turn over the companies’ names, saying it is investigating possible securities violations associated with the hack.

An SEC spokesperson declined to comment.

In a letter to SEC investigators filed in the case, Covington’s legal team said an internal investigation determined the hack was directed at a “small group of lawyers and advisors” and was focused on “policy issues of specific interest to China in light of the incoming Biden Administration.”

Washington, DC-headquartered Covington specializes in regulatory work and litigation and features a deep bench of lawyers with federal government experience, including former US Attorney General Eric Holder.

The law firm told the SEC it is bound by attorney-client privilege and client confidentiality to resist the portion of the subpoena requiring it to name its clients. It said only seven of the affected companies’ files contained information that could be material to investors, a commission figure said it could not verify, according to the SEC’s lawsuit.

Covington confirmed to Reuters that the firm had been a victim of a “state-sponsored” cyberattack. A firm spokesperson said it communicated with potentially affected clients and worked with the FBI in investigating the breach.

The SEC, which has made cybersecurity a key priority under the Biden administration, said in a filing that Covington’s status as a major law firm does not “insulate it from the Commission’s legitimate investigative responsibilities.”

Kevin Rosen, a partner at law firm Gibson, Dunn & Crutcher representing Covington, called the SEC’s demand a “fishing expedition” and a “broad assault on the attorney-client relationship and confidential client information.”

Our Standards: The Thomson Reuters Trust Principles.