By Andrew Goudsward
(Reuters) – A federal judge on Wednesday urged the U.S. Securities and Exchange Commission to resolve its dispute with law firm Covington & Burling over the agency’s demand for the names of 300 clients affected by a cyberattack on the firm.
But both sides indicated during the hearing in Washington, D.C., that a court order would be necessary to break the impasse.
The SEC sued Covington in January to force the prominent Washington-based firm to identify public company clients whose information was accessed or stolen in the breach. The hack was carried out by the Chinese-linked Hafnium cyber-espionage group, according to court filings, and the SEC said it needed the client names to probe for securities law violations associated with the attack.
Covington, represented by law firm Gibson, Dunn & Crutcher, has resisted the subpoena, arguing that its clients are confidential and identifying them would run afoul of legal ethics standards and constitutional privacy protections.
U.S. District Judge Amit Mehta called the SEC’s request “concerning” at Wednesday’s hearing, but also appeared skeptical that he had the legal authority to block the agency’s demand.
Mehta told an SEC lawyer that the subpoena puts Covington in the “very awkward position” of having to identify its clients to an enforcement agency without evidence of wrongdoing.
“We’re not targeting any particular party,” SEC lawyer Eugene Hansen responded. “We’re following the evidence wherever it leads.”
The SEC has said the client identities are necessary to investigate potential insider trading associated with the hack and to ensure that the companies affected made required disclosures.
A lawyer for Covington, Theodore Boutrous, said the SEC has made Covington a “test case” for new authority to scrutinize public companies through demands on their law firms following a hack. A group of 83 large U.S. law firms has backed Covington in the case.
The judge appeared to search for a resolution short of a court order, asking Hansen if the SEC could narrow its demand to only clients that had private information material to investors accessed during the cyberattack.
The SEC said it needed more transparency from Covington about which clients were affected, rejecting the results of an internal investigation by the firm that found only seven clients had market-relevant information caught up in the hack.
Covington also appeared skeptical of a settlement, arguing that identifying a smaller set of companies would only help the SEC focus an investigation that could implicate its clients.
(Reporting by Andrew Goudsward)