Hacked Washington law firm fights SEC subpoena in effort to protect attorney-client privilege

Covington & Burling has much than 700 lawyers successful Washington, D.C., wherever the planetary steadfast has built a estimation of moving with regulators alternatively than warring them.

But successful caller weeks, Covington has recovered itself mired successful an unprecedented courtroom conflict with the Securities and Exchange Commission successful a lawsuit that's rattled Capitol Hill's ineligible manufacture and threatened to upend 1 of the astir ineffable concepts successful American jurisprudence: attorney-client privilege.

It started with a hack of Covington's systems opening successful 2020. After disclosing the breach to the FBI, the steadfast and instrumentality enforcement concluded that a Chinese state-sponsored histrion was liable and was looking for accusation "about argumentation issues of circumstantial involvement to China successful airy of the incoming Biden Administration," a tribunal filing said.

Last year, the SEC issued a subpoena demanding Covington supply the names of impacted clients, the magnitude of accusation compromised and the quality of Covington's communications with those clients. After Covington refused to comply, the SEC sued the firm successful January, trying to unit it to uncover the names of astir 300 clients, each U.S.-listed companies oregon concern advisors.

"The SEC's subpoena turns advocator into informant, conscripting Covington arsenic a root for investigative leads against its ain clients," the steadfast said successful a filing.

An SEC spokesperson declined to remark beyond nationalist filings. A Covington spokesperson pointed CNBC to the firm's filings successful national tribunal but besides declined to remark further.

Covington remains unyielding successful its opposition, and the steadfast is getting a hefty dose of enactment from its ineligible peers. Last week, much than 80 of the astir influential instrumentality firms successful the state filed a little defending Covington, arguing that the SEC's attempts to subvert attorney-client privilege would fracture "one of the oldest and astir inviolate principles successful American law."

In a filing connected Feb. 14, Covington said that handing implicit the names of its clients would breach lawsuit confidentiality and person a chilling effect crossed the industry, with institutions nary longer definite they could spot their lawyers with delicate information. Covington not lone represents ample corporations, but has 1 of the astir progressive pro bono practices successful the U.S., representing tiny businesses, nonprofits and veterans.

Now, a Washington national justice volition find the destiny of a lawsuit that's pitted pressing nationalist information interests against humanities ineligible standards.

In the aftermath of high-profile attacks connected the country's captious energy, financial, and legal infrastructure, protecting U.S. institutions from overseas cyber intrusion has go a apical precedence for the authorities and the FBI. Officials person said practice and enactment from the backstage sector, ranging from tiny businesses to apical instrumentality firms, is simply a captious portion of instrumentality enforcement's efforts to support U.S. interests.

Anything involving China is peculiarly sensitive, arsenic commercialized and diplomatic tensions proceed to escalate betwixt the world's 2 largest economies.

But Covington said successful a filing that, with "very fewer exceptions," nary clients were targeted specifically by the Chinese state-sponsored hacker. Covington that if the SEC succeeded successful forcing it to disclose the names of its perchance impacted clients, the determination would undermine the "cooperative narration betwixt the nationalist and backstage sector."

The hack, which began successful November 2020, progressive a blase histrion exploiting a vulnerability successful Microsoft's Exchange Server software, the exertion that powers email and calendar solutions for galore businesses. It was a zero-day exploit, which meant Microsoft didn't cognize astir the occupation and couldn't pass users until the breach was discovered successful March 2021. By that time, the hacker had already compromised Covington's systems.

Covington didn't disclose to the FBI the names of clients whose accusation was impacted, nor did it archer the SEC. A root acquainted with the substance said it inactive isn't wide however the SEC became alert of the hack, which yet led the regulator to contented a subpoena a twelvemonth ago.

The SEC has justified its efforts by saying it seeks to guarantee that nary amerciable trades were made arsenic a effect of the cybersecurity breach, and that nary worldly nonpublic accusation was utilized for profit. The SEC pursued an enforcement action successful 2016 against a brace of Chinese hackers who earned much than $3 cardinal trading disconnected worldly nonpublic accusation they obtained by hacking instrumentality firms.

Covington said it had already engaged successful an "extensive interior review," tribunal filings show, and devoted astir 500 hours of lawyer clip successful an effort to comply with the SEC's requests for information. The reappraisal progressive 9 Covington attorneys, including a erstwhile SEC subordinate director, and concluded that the compromised information of lone 7 of the 298 impacted clients "might perchance incorporate MNPI."

The litigation and associated enactment could unit Covington and its extracurricular instrumentality firm, Gibson Dunn, to perpetrate hundreds of billable hours warring the SEC action, a root acquainted with the substance suggested.

Covington shared its findings with the SEC, but the bureau refused to judge the constricted data, according to a filing from the firm, and demanded the names of each of unidentified clients. Covington described itself arsenic an "innocent 3rd party," and said the SEC's attempts to entree lawsuit accusation were unprecedented.

"An lawyer is expected to basal betwixt his lawsuit and the powerfulness of the government," Covington's absorption filing reads.

"Despite each of this, the SEC is again demanding to invade a ineffable precinct of spot and confidence," Covington's filing said. "This Court should barroom the door."

WATCH: U.S. Select Committee connected China wants accent connected nationalist communications