SEC Sues Law Firm for Refusing to Disclose List of Clients Affected by Cyberattack
Last week, the U.S. Securities and Exchange Commission (“SEC”) filed an enforcement action in federal court requesting that the court compel an international law firm to comply with an administrative subpoena by disclosing the names of its clients whose information was obtained by malicious actors through a cyberattack on the law firm. This lawsuit may have big implications for the scope of attorney-client privilege and the ability of companies to turn to their lawyers without fear of disclosing confidential information to the government.
According to the SEC’s filing, back in November 2020, the law firm was a victim of a cyberattack that resulted in malicious actors gaining access to the law firm’s computer network. From the cyberattack, the malicious actors were able to access non-public information of roughly 300 of the law firm’s clients that are regulated by the SEC. In March 2021, following a disclosure of a technical vulnerability affecting Microsoft Exchange Server, the law firm investigated its network and determined “that the threat actor collected email from the Outlook accounts of the Firm lawyers and staff who were targeted.” The law firm disclosed the data breach to the FBI, but did not disclose the names of its clients that were affected.
In early 2022, the SEC learned that the law firm was a victim of the cyberattack and in March, the SEC issued a subpoena to the law firm in support of its own investigation. Most notably, the SEC’s subpoena requested that the law firm produce documents “sufficient to identify all [law firm] clients or other impacted parties that are public companies whose data, files, or other information may have been viewed [in the cyberattack].” The law firm objected to the request, arguing in its communications with the SEC that, under the D.C. Rules of Professional Conduct, lawyers cannot disclose the name of their clients in these circumstances because it would reveal a client secret, i.e., “that those clients . . . were affected by the cyberattack on their law firm.” Although the law firm determined that only 7 of its roughly 300 SEC-regulated clients had material non-public information accessed by malicious actors, the SEC maintains that it needs the names of all SEC-regulated clients in order to investigate potential illegal trading on information obtained through the cyberattack.
In its filing last week, the SEC requests that the federal court order the law firm to comply with the subpoena by providing the client names. The SEC argues that the D.C. Rules of Professional Conduct grant an exception to the rule against disclosing client confidences in the case of a valid subpoena. In a statement following the filing, the law firm’s attorneys insisted that the firm is “ethically bound to protect the identities of its clients” and described the SEC’s action as “a blatant fishing expedition.” Assuming both sides stick to their positions, this dispute sets up a showdown between the investigatory power of the SEC and the scope of attorney-client privilege that the federal court will have to squarely address. When that decision comes, Privacy World will be here to break it down. Stay tuned.