Law firm must hand over names of some clients affected by 2020 cyberattack, judge says

A multinational law firm must give the Securities and Exchange Commission the names of seven clients affected by a 2020 cyberattack attributed to a China-linked cyber-espionage group, a federal judge ruled Monday.

U.S. District Judge Amit Mehta ordered Washington, D.C.-based Covington & Burling to identify those companies to assist the SEC’s investigation into the incident, which affected nearly 300 clients of the law firm overall.

The SEC had sued the firm in January for the names of all of the clients, but the judge limited the order to seven public companies that could have been exposed to illegal trading because of the incident. Covington cited attorney-client privilege, arguing that it had an obligation to protect the identities of all the affected clients.

The decision essentially affirms the SEC’s power to investigate whether a cyberattack has allowed attackers or others to engage in securities fraud, and whether publicly traded companies have made proper disclosures about the attack.

The November 2020 attack on Microsoft Exchange servers affected multiple organizations. In March 2021, Microsoft attributed the incident to Hafnium, which it now calls Silk Typhoon. The White House linked the attack to China’s Ministry of State Security in July 2021.

In its own internal investigation, Covington found that most of the clients did not have “material nonpublic information” exposed by the attack, Mehta noted. The judge said that information about the remaining seven companies, however, fell under the SEC’s jurisdiction.

A Covington spokesperson said the firm was “appreciative of the Court’s thoughtful consideration of the fundamental principles at stake.” The judge noted the amicus support for Covington in the case, including briefs from 83 other law firms, the U.S. Chamber of Commerce and the Reports Committee for the Freedom of the Press.

“We will review the decision carefully and consider any next steps in consultation with our affected clients," the spokesperson said.

A spokesperson for the SEC declined to comment.

The judge said Monday’s decision was focused solely on the federal agency’s statutory authority to request the companies’ names, and it was not a ruling on the “wisdom of the SEC’s investigative approach.”

“The SEC’s approach here could cause companies who experience cyberattacks to think twice before seeking legal advice from outside counsel. … Law firms, too, very well might hesitate to report cyberattacks to avoid scrutiny of their clients,” Mehta wrote.