23 Feb 2023

Top US law firms unite to support Covington in fight against SEC over client information

Eighty-three firms file brief supporting Covington’s stance that client confidentiality rules bar disclosure of names of clients affected by cyber attack

an Francisco, CA, USA - May 1, 2022: Covington logo is seen outside its office in the Salesforce Tower in San Francisco, California. Covington and Burling LLP is an American multinational law firm.

Tada Images; Shutterstock

A group of 83 leading US law firms has filed an amicus brief backing Covington & Burling in a dispute with the US Securities and Exchange Commission (SEC) over client information. 

Kirkland & Ellis, Latham & Watkins and Morrison Foerster are among those to have signed the brief, which was filed in the federal court in Washington DC earlier this week in support of Covington’s position that attorney-client privilege should block an SEC subpoena demanding the names of almost 300 of Covington’s clients affected by a cyber attack on its network. 

The signatory law firms told US District Judge Amit Mehta in the brief that collectively they comprise more than 50,000 lawyers and represent many public companies regulated by the SEC. 

They wrote that they were ‘deeply troubled’ by the SEC’s demand for confidential client information. 

‘Not only would the SEC breach well-established principles of confidentiality in the service of this fishing expedition, it would turn attorneys into witnesses against their own clients,’ they said.

The brief comes amid a long-running dispute between the SEC and Covington over the fallout from a November 2020 cyber attack that saw hackers associated with the Hafnium cyber-espionage group, which allegedly has ties to the Chinese government, gain access to Covington’s computer network.

The SEC sued Covington in January to comply with the subpoena, arguing that it needed to know which of the law firm’s clients had been affected to determine if anyone traded on insider information gathered through the hack and ensure the affected companies’ disclosures were sufficient. 

But Covington resisted and earlier this month a group of attorneys from Gibson Dunn & Crutcher, counsel to Covington on the matter, filed a brief asserting that confidentiality rules and a lack of evidence of any wrongdoing should shield the firm from being forced to comply. 

‘While lawyers are not immune from discovery, their clients’ time-honored privacy and confidentiality interests should not yield to intrusive government fishing expeditions, especially where all evidence suggests that the cyberattack here was motivated by state espionage objectives unrelated to the securities markets,’ the brief argued. 

Other law firms realised that the case could affect their own client relationships and, though generally fiercely competitive for clients and legal talent, joined forces to produce the friend-of-the-court brief in support of Covington. 

After the SEC filed its suit in January, Morrison & Foerster partner Brian Matsui agreed to head the drafting of the brief, according to Reuters, with Cravath Swaine & Moore, Debevoise & Plimpton, Latham & Watkins and Kirkland & Ellis also pitching in.

The brief argues that the D.C. Bar has made clear that a client’s identity is a ‘confidence’ or ‘secret’ subject to protection, and that attorneys are strictly obligated to resist disclosure of such information without client consent.

The mere fact that a client has sought legal counsel is highly sensitive, the brief says, and ‘if attorneys could be compelled to reveal client identities without their consent, clients would be less likely to seek legal counsel in the first place’. They may also be less forthright about what they discuss with the lawyers and instead make their own judgments based on what they do no want to risk being exposed. 

The brief goes on to note that the SEC’s demand went beyond the identity of clients and extended to part of the substance of attorney-client communications. 

‘The Commission’s subpoena sought privileged client communications. But even just the disclosure of which clients were contacted about the data breach necessarily discloses the substance of what Covington communicated to those clients — that is, that the clients’ data was compromised,’ it said. 

The first conference between the parties involved in the case is set for next month. Groups including the US Chamber of Commerce and the Association of Corporate Counsel also submitted amicus briefs on Tuesday backing Covington.