As previously reported in this blog, the United States Securities and Exchange Commission is attempting to force the international law firm of Covington & Burling, LLP to identify hundreds of its publicly traded clients. See SEC Demands That Covington & Burling "Name Names". After Covington declined to violate its clients' confidences by naming names, the SEC applied to the U.S. District Court for enforcement of its subpoena. Earlier this week, Covington, which is being represented by Gibson Dunn & Crutcher LLP, filed this full throated opposition.
The SEC is seeking its names because "a threat actor associated with the Chinese government infiltrated Covington's network and gained access to emails or files associated with some of the firm's clients". According to Covington, the SEC wants to compel disclosure of client names in order to "facilitate the agency's fishing expedition targeting the firm's clients, despite the absence of any evidence to suggest that those clients or anyone violated the securities law".
I am impressed by the costs that Covington has already incurred to protect its clients' privacy rights. Not only has Covington hired outside counsel, it engaged in an intensive, multi-week review of the client files affected by the cyberattack. This review involved a team of seven attorneys "working under the supervision of a firm general counsel and led by a senior partner who had spent 20 years in the SEC’s Enforcement Division, rising to the level of an Associate Director". Covington claims to have expended nearly 500 of attorney time in this effort.
While Covington deserves kudos for its efforts, it presumably can afford to do so. The same may not be true for others. As Covington points out in its opposition:
If the SEC prevails here, the agency's inevitable subpoenas could cause even greater harm to small firms and solo practitioners that have the same ethical duties (but not the same resources) to resist disclosures, as well of course their clients.
In this regard, it is noteworthy that Covington's includes an appendix that lists over 100 law firms that have suffered recent cyberattacks.