June 9, 2023

Volume XIII, Number 160


June 08, 2023

Subscribe to Latest Legal News and Analysis

June 07, 2023

Subscribe to Latest Legal News and Analysis

June 06, 2023

Subscribe to Latest Legal News and Analysis

SEC Sues Law Firm for Refusing to Disclose List of Clients Affected by Cyberattack

Last week, the U.S. Securities and Exchange Commission (“SEC”) filed an enforcement action in federal court requesting that the court compel an international law firm to comply with an administrative subpoena by disclosing the names of its clients whose information was obtained by malicious actors through a cyberattack on the law firm.  This lawsuit may have big implications for the scope of attorney-client privilege and the ability of companies to turn to their lawyers without fear of disclosing confidential information to the government.

According to the SEC’s filing, back in November 2020, the law firm was a victim of a cyberattack that resulted in malicious actors gaining access to the law firm’s computer network.  From the cyberattack, the malicious actors were able to access non-public information of roughly 300 of the law firm’s clients that are regulated by the SEC.  In March 2021, following a disclosure of a technical vulnerability affecting Microsoft Exchange Server, the law firm investigated its network and determined “that the threat actor collected email from the Outlook accounts of the Firm lawyers and staff who were targeted.”  The law firm disclosed the data breach to the FBI, but did not disclose the names of its clients that were affected.

In early 2022, the SEC learned that the law firm was a victim of the cyberattack and in March, the SEC issued a subpoena to the law firm in support of its own investigation.  Most notably, the SEC’s subpoena requested that the law firm produce documents “sufficient to identify all [law firm] clients or other impacted parties that are public companies whose data, files, or other information may have been viewed [in the cyberattack].”  The law firm objected to the request, arguing in its communications with the SEC that, under the D.C. Rules of Professional Conduct, lawyers cannot disclose the name of their clients in these circumstances because it would reveal a client secret, i.e., “that those clients . . . were affected by the cyberattack on their law firm.”  Although the law firm determined that only 7 of its roughly 300 SEC-regulated clients had material non-public information accessed by malicious actors, the SEC maintains that it needs the names of all SEC-regulated clients in order to investigate potential illegal trading on information obtained through the cyberattack.

In its filing last week, the SEC requests that the federal court order the law firm to comply with subpoena by providing client names.  The SEC argues that the D.C. Rules of Professional Conduct grants an exception to the rule against disclosing client confidences in the case of a valid subpoena.  In a statement following the filing, the law firm’s attorneys insisted that the firm is “ethically bound to protect the identities of its clients” and described the SEC’s action as “a blatant fishing expedition.”  Assuming both sides stick to their positions, this dispute sets up a showdown between the investigatory power of the SEC and the scope of attorney-client privilege that the federal court will have to squarely address.  When that decision comes, Privacy World will be here to break it down.  Stay tuned.

© Copyright 2023 Squire Patton Boggs (US) LLPNational Law Review, Volume XIII, Number 17

About this Author

Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...

James M. Brennan Litigation Lawyer Squire Patton Boggs

James (Jim) Brennan is an associate in the Litigation Practice Group, where he represents clients in complex commercial litigation matters in state and federal courts. Prior to joining the firm, Jim clerked for Chief Judge D. Brooks Smith of the US Court of Appeals for the Third Circuit. Before that, he was an associate at an AmLaw 100 law firm in New York City.