Eighty-three U.S. law firms, employing more than 50,000 attorneys, have filed an official protest in support of some of their colleagues working on an SEC lawsuit.
In the letter, the firms urged the court to rule against the SEC, arguing that the agency's current demands put their associates at law firm Covington & Burling in a lose-lose situation and set a dangerous precedent for the future.
The case concerns a major cybercrime incident that occurred in late 2022, in which Chinese state-sponsored hackers known as Hafnium exploited multiple zero-day vulnerabilities in Microsoft Exchange servers to compromise countless emails and steal data from US-based defense contractors, law firms and scientists. One of the victims was Covington & Burling, whose breach allowed the threat actors to access sensitive data belonging to its clients, including companies regulated by the Securities & Exchange Commission (SEC).
Deeply disturbed
When the SEC found out, it issued a subpoena demanding the law firm share the names of SEC-regulated companies whose records were “viewed, copied, altered, or exfiltrated during the attack.” It also called for all communication between those firms and their lawyers. When the law firm said no, arguing that the move would violate client and attorney confidentiality, the SEC sued the firm.
Now 83 law firms have said they are “deeply troubled” by the lawsuit.
Not only is the SEC demanding that the law firm breach confidentiality (which could lead to suspension), but it is also doing so, the filing reads, out of sheer curiosity.
“Not only would the SEC be violating established principles of confidentiality in the service of this fishing expedition, it would be turning lawyers into witnesses against their own clients, offering no guarantees that it will not distribute the information to other parts of the government, the press and the public,” the filing said.
The group asked the court to deny the SEC’s application.
“This breach of confidentiality is especially troubling as it re-victimizes the targets of a cyber-attack from a foreign nation – an increasingly common feature of modern life that even the most diligent companies and governments cannot avoid,” reads the submission.
Furthermore, if the law firm were forced to comply, that would “fundamentally change the analysis when law firms consider how to respond to a cyber-attack.” They can either “comply with their ethical obligations to their clients” and face legal sanctions, or comply with the SEC's demand and risk expulsion.
“Both outcomes place a significant and unfair burden on lawyers,” they concluded.
Via: The Registry