Risk Update

SEC Risk Response — Firm Subpoenaed Over Law Firm Client Information Hack Raises Client Confidentiality Concerns, Investment Manager Conflict Called, MSG Lawyer Facial Recognition Strikes Again

“The SEC’s subpoena fight with Covington — a ‘perilous new course’?” —

  • “Every law firm in the United States ought to be paying attention to the U.S. Securities and Exchange Commission’s lawsuit to force Covington & Burling to cough up the names of about 300 clients whose confidential information was exposed to hackers in a 2020 cyberattack.”
  • “Today it’s Covington that is stuck in what the firm portrays as an ethical conundrum. Tomorrow, if you have clients and a computer network, it might well be your firm that gets hit with an SEC subpoena for information that can be used against clients victimized by a hack of your files.”
  • “The SEC, as my colleague Andrew Goudsward reported on Wednesday, sued Covington in federal court in Washington, D.C., to enforce compliance with a subpoena the agency issued to the law firm last March, after SEC investigators learned that hackers from the Hafnium cyber-espionage group, which allegedly has ties to the Chinese government, exploited a vulnerability in Microsoft software to tap into Covington’s computer network.”
  • “The FBI, according to Covington, did not ask the firm to reveal the identity of the clients whose files were exposed. But in March 2022, the SEC informed Covington that it was also investigating the hack.”
  • “The commission, according to Wednesday’s lawsuit, said it needed to know more about Covington’s affected clients in order to ascertain whether anyone used hacked information to engage in insider trading and whether Covington’s SEC-regulated clients adequately disclosed the cyberattack to their investors.”
  • “The SEC demanded that Covington disclose the identity of affected SEC-regulated clients; the information from clients’ files that Covington believed to have been illegally accessed; and the firm’s communications notifying clients of the attack.”
  • “In an emailed statement on Thursday, SEC enforcement director Gurbir Grewal said the Covington subpoena is narrowly tailored and does not seek information shielded by attorney-client privilege.”
  • “Covington, however, told the SEC in June that its duty of confidentiality precludes the firm from disclosing the identity of affected clients. During negotiations with the SEC, the firm asked affected clients if they would voluntarily reveal their identity to the agency. Only two — of nearly 300 — agreed.”
  • “Covington didn’t mention this consideration in the June letter, but there are potential financial consequences for a law firm that breaches its fiduciary duties to clients. What if Covington tells the SEC about a client it is not publicly known to represent and the SEC ends up bringing an enforcement action accusing the client of inadequate disclosures? The client might well try to blame Covington for prompting the SEC to investigate.”
  • “Covington counsel from Gibson Dunn have not yet formally responded to the SEC’s lawsuit, but based on the June letter, the firm will argue that there’s no precedent for the SEC to demand confidential information from a law firm unless either the firm or its client is already suspected of wrongdoing.”

(I’m curious if and when the SEC will pursue other parties to see if they are in the know, such as an insurance provider or IT/security forensics consultant… And, depending on how this plays out, if we’ll see implications in engagement letter and/or outside counsel guidelines language covering these types of situations…)

“SEC fines ex-Blackrock manager for conflict of interest” —

  • “The Securities and Exchange Commission (SEC) has handed former Blackrock portfolio manager Randy Robertson a $250,000 (£208,650) penalty for failing to disclose a conflict of interest over his relationship with film distribution firm Aviron Group.”
  • “The commission found that the Blackrock Multi-Sector Income Trust (BIT), co-managed by Robertson, invested up to $75m in Aviron between 2015 and 2019. The US watchdog said Robertson played “a significant role” in recommending loans to the firm’s subsidiaries, while at the same time seeking help from Aviron in advancing his daughter’s acting career.”
  • “Andrew Dean, co-chief of the SEC enforcement division’s asset management unit, said: ‘Investment professionals must be forthcoming about any conflicts of interest they may have with the companies in which they invest client funds, including situations involving favours or assistance to family members… Investors must be able to know that the advice they receive is free of undisclosed conflicts, regardless of whether the conflict is financial in nature.’”

And for those like me who can’t quite take their eyes off this one, here’s the latest: “Third NYC lawyer booted from MSG by James Dolan’s facial recognition technology” —

  • “A Brooklyn lawyer says he was barred from entering a Rangers game at Madison Square after being flagged by facial recognition technology — the same system the firm used to boot at least two other attorneys from its venues.”
  • “Benjamin Pinczewski, a 61-year-old personal injury and civil rights lawyer, had just passed through a metal detector at the arena and was headed to plum lower-level seats with friends on Jan. 10 when he was stopped by two officials and kicked out, he told The Post.”
  • “‘It was a slap in the face,’ he said. ‘I’m at the main entrance with thousands of people — and they’re looking at me like I’m some sort of terrorist or criminal.’”
  • “The guards informed him he’d been “denied entry” due to the policy implemented by MSG CEO James Dolan banning all lawyers involved in active lawsuits against the firm.”
  • “‘It’s simply for harassment for the purposes of putting a chilling effect on anyone who wants to sue [them],’ he said. ‘I’m pissed, pardon my language.’”
  • “Madison Square Garden Entertainment defended its policy Friday, sending The Post the same stock statement it has distributed for weeks following the facial recognition controversy. ‘MSG instituted a straightforward policy that precludes attorneys from firms pursuing active litigation against the Company from attending events at our venues until that litigation has been resolved,’ the statement said.”