Scott Greenfield comments on a ruling previously noted on this site:
In an underappreciated ruling, District of Columbia Judge Amit Mehta ruled that the multinational law firm Covington & Burling must comply with an SEC subpoena requiring the firm to give up the names of clients, publicly-traded corporations, in order for the SEC to investigate whether there was any trading on non-public information. This didn’t arise because of suspicious trades or other red flags on the corporate side of the ledger, but because hackers working for China launched a successful cyber attack on Microsoft which ultimately gave them access to the firm’s internal records.
This case concerns the intersection of a federal law enforcement agency’s interest in rooting out possible law violations and a law firm’s ethical obligations to its clients. On March 21, 2022, the Securities and Exchange Commission (“SEC” or “the Commission”) served a subpoena on Covington & Burling, LLP (“Covington”), a multinational law firm headquartered in Washington, D.C. The subpoena sought information relating to a cyberattack on Covington’s information technology systems that had occurred a year prior. Covington largely complied with the subpoena. It balked, however, in one key respect. Citing its ethical obligation to protect its clients’ identities, Covington refused to disclose the names of its nearly 300 public company clients whose files had been compromised by the attack.
Read more at Simple Justice.