Risk Update

Law Firm Information Security & Hacking — SEC v. Covington Client Identity Data Fight Continues, Troutman Cyberattack Fallout and Concern

Big Law Firms Back Covington in SEC Fight Over Client Data” —

  • “A total of 83 US law firms are backing Covington & Burling in its fight with the Securities and Exchange Commission over client data.”
  • “The agency wants a federal court in Washington to force Covington to turn over the names of nearly 300 clients whose information may have been exposed in a 2020 cyberattack that impacted the firm.”
  • “The SEC says it needs the information to help an investigation into whether hackers behind the cyberattack engaged in illicit trading. Covington has argued that confidentiality rules and a dearth of evidence of wrongdoing should shield them.”
  • “Firms signing onto the new brief include Kirkland & Ellis, Latham & Watkins, Cravath Swaine & Moore, and DLA Piper, some of the highest-grossing law firms and competitors of the Washington-based Covington.”
  • “‘Not only would the SEC breach well-established principles of confidentiality in the service of this fishing expedition, it would turn attorneys into witnesses against their own clients,’ they said.”
  • “The filing comes amid a long-running fight between the SEC and Covington that could have significant implications for law firms. Covington and the other law firms have argued that a judgment in favor of the SEC could open the door to further weakening of attorney-client confidences.”
  • “‘The mere identity of a client itself is something that can be privileged,’ said John Browning, a Spencer Fane trial partner. ‘Whether or not the court believes that under these circumstances merely revealing the identity is [protected], that remains to be seen.'”
  • “Fordham Law School professor Bruce Green previously told Bloomberg Law that the narrowness of the SEC’s request—focusing on client names—could ultimately be hard to beat. ‘Privilege doesn’t protect every piece of information that a lawyer has related to a client representation,’ Green said.”
  • “Covington has argued the client names are only a ‘first step’ in an attempt to pull more information out of the firm and its clients.”


Troutman Pepper Hit With Cyberattack, Firm Acknowledges” —

  • “Troutman Pepper Hamilton Sanders suffered a cyberattack on Wednesday [Feb 8] that left employees without access to their work email accounts and other management software. The attack was confirmed Thursday afternoon by a representative for the firm.”
  • “Firm leaders went on to say that they have no indication any client data was compromised ‘at this time.'”
  • “‘We will continue to work with outside experts to recover systems, investigate and respond accordingly,’ firm leaders said.”
  • “A source in contact with Troutman Pepper, who declined to be identified for this story, said correspondence from the firm’s attorneys this week has come from their personal emails because their work emails were shut down.”
  • “While the firm has ‘a great IT staff,’ the source said using personal emails for client matters is less than desirable.”
  • “‘From a discovery standpoint, you’re sending documents and communicating with clients and other people and you’re going to have to search those emails in future,’ the person said.”
  • “The source went on to say that requesting documentation for discovery is always frustrating but that now lawyers at Troutman Pepper may have to include their private emails, and those of their paralegals and associates, in discovery requests.”

Above The Law shares internal notices that went out, with additional detail: “Cybersecurity Incident Shuts Down Biglaw Network