Courtroom battle between law firm and SEC raises questions about cyber regulators, out-of-bounds information
Can the government force a private law firm to hand over the names of its clients so it can investigate a major cyberattack?
That’s the question at stake in a courtroom battle between a major U.S. law firm and the Securities and Exchange Commission, which is aggressively probing a 2021 attack on Microsoft email servers.
The SEC says the firm, Covington & Burling, is the only place where it can obtain a list of hundreds of Covington clients that were hacked. The firm is resisting, saying the SEC is fishing for the names of clients whose identity the firm is obligated to protect.
“I don’t know what [the] SEC was thinking,” Richard Pierce, a law professor at George Washington University Law School, told The Cybersecurity 202 in an email. “They are demanding access to information that is protected by the core of the attorney client privilege. They will and should fail.”
Gibson Dunn partner Kevin Rosen, who is representing Covington, called the SEC’s actions “a blatant fishing expedition that both targets Covington’s clients without even a whiff of wrongdoing and attempts to coerce Covington’s complicity in that effort.”
The dispute goes back to a devastating hack of Microsoft’s widely used email servers by Chinese government hackers that Microsoft disclosed in March 2021.
The SEC’s enforcement division quickly opened an investigation into whether federal securities laws had been broken, the regulator said in court filings.
Covington & Burling, a law firm with offices in Washington and a dozen other cities around the world, investigated whether it was a victim — and ultimately found that hackers compromised its software in November 2020.
- It blamed the hack on “state-sponsored” Chinese hackers who focused on a “small group of lawyers and advisors” and tried to gather information on issues of interest to China ahead of the Biden administration, the firm wrote in a letter disclosed by the SEC.
- Around 300 of Covington’s SEC-regulated clients were affected, according to the letter.
- The firm cooperated with the FBI “within days” of discovering the hack, it said in the letter.
The subpoena and court case
The SEC didn’t learn Covington was hacked until early 2022, it said in a court filing. It’s not clear how the regulator found out, and it declined to comment. The FBI also declined to comment.
On March 21, the regulator issued Covington a subpoena, and Covington complied with most of it. But the SEC also demanded that it provide names and other information of Covington’s SEC-regulated clients who were also affected.
Covington’s lawyers pushed back, calling the SEC’s demand a “perilous new course” that could chill the relationship between law firms and their clients if clients can’t be confident their identities will be protected.
Rosen wrote in a letter to the SEC that he couldn’t find a previous time when the SEC sought “to pry open client communications or intrude on the attorney-client relationship where neither the law firm, nor its partners, nor its clients, are suspected of violating any law.”
- The firm also warned that the push could hurt voluntary cooperation by disincentivizing law firms from disclosing potential cyberthreats to the government in the future.
This month, the SEC went to court to try to force Covington to hand over the list of 298 Covington clients affected by the hack. Covington, which says it will contest the subpoena, has argued that ethical rules prevent it from disclosing the names of clients or communications with those clients.
For his part, the commission’s enforcement director, Gurbir S. Grewal, has argued that the request is narrowly tailored and doesn’t seek any information protected by attorney-client privilege. Grewal insisted the SEC needs the list to identify the hackers and any violations of securities laws.
It’s not clear whether the SEC voted unanimously to authorize the lawsuit. The commission declined to comment beyond Grewal’s statement. It also pointed to its website listing commission votes, which doesn’t include the Covington vote.
- But Commissioner Mark Uyeda told Law360 that he has “concerns about us doing enforcement actions against law firms where you have potential privileges at stake.”
The suit comes as the SEC adopts a more aggressive posture on cyber issues. Last year, the commission proposed new rules for investment funds and publicly traded firms that would require them to disclose major cyber incidents.
Its chairman, Gary Gensler, has also signaled that the SEC should be playing a major role on cybersecurity issues.
Recently, @CISAJen said that “cybersecurity is a team sport.” “Each and every one of us are a member of Team Cyber.”
Folks from the private sector are on the front lines, and other government entities captain Team Cyber, but I think the SEC has a key role to play.
— Gary Gensler (@GaryGensler) January 24, 2022
Himes named top Democrat of House Intelligence Committee
House Minority Leader Hakeem Jeffries (D-N.Y.) on Wednesday named Rep. Jim Himes (D-Conn.) as the top Democrat on the House Permanent Select Committee on Intelligence, which is charged with overseeing the nation’s intelligence agencies and their often secret activities.
“I am deeply honored to have been appointed Ranking Member of the Intelligence Committee,” Himes said in a statement. “The threats against our nation are fast evolving, and it is critical that the Intelligence Community keep pace.”
Himes has long been vocal on cybersecurity issues, including by calling for a more intense response to Russian cyberattacks in 2021 after the Biden administration sanctioned 32 entities and individuals linked to the Kremlin.
Himes has also been active in the debate over foreign commercial spyware. He has called on the administration to withhold U.S. tax dollars from nations that have used foreign commercial spyware to eavesdrop on U.S. citizens, to publicly detail any instances of spyware being used against U.S. diplomats and to “reach an understanding to ban the use of foreign commercial spyware.”
GoodRx leaked user health data to Facebook and Google, FTC says
The Federal Trade Commission on Wednesday imposed a fine of $1.5 million on GoodRx, a drug discount app, for leaking millions of users’ sensitive health information to companies like Facebook and Google without consent, Natasha Singer reports for the New York Times.
In its complaint, the FTC said GoodRx’s use of tracking tools and other information-sharing practices to identify users’ social media accounts for targeted medical advertising violated a federal regulation that requires health apps to notify consumers of cybersecurity breaches and of unauthorized disclosures of their data to third parties.
“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” Samuel Levine, director of the FTC’s bureau of consumer protection, said in a statement. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”
GoodRx, which is used to find lower prices on prescriptions like antidepressants, HIV medications and treatments for sexually transmitted diseases, said that it disagreed with the regulator’s accusations dating back to 2017 but agreed to settle the case to avoid litigation.
If the settlement is approved by a judge, GoodRx would be permanently prohibited from disclosing users’ health details for advertising purposes. This case marks the first time that the commission has deployed its Health Breach Notification Rule. It comes as the FTC is cracking down on health privacy and security, especially in states that have moved to ban or restrict access to abortions.
Cyberattack at ION impacts financial trading
The financial data group ION’s derivatives trading unit was hit by a cyberattack Tuesday, forcing several European banks and brokers to process stock, bond and commodity trades manually, Isis Almeida, Mark Burton and Lydia Beyoud report for Bloomberg News.
The attack, which impacted 42 of the U.K.-based group’s clients, was linked to the Russian ransomware group LockBit, according to internal ION messages obtained by Bloomberg News.
It caused an outage that “is affecting vital processes such as the calculation of margin calls and regulatory reporting on large market positions, according to impacted brokers,” Almeida, Burton and Beyoud write. “Rival trade-processing systems have also been affected due to complications matching off trades routed via ION, and as a workaround some trades are being processed manually, the brokers said.”
In January, the infamous hacking group targeted Royal Mail, an attack that prevented the U.K. postal company from sending mail internationally. LockBit is a ransomware operation: its malware encrypts a victim’s files and systems, and the group then demands a large payment for the key needed to unlock them.
TikTok dealt another hit as Democratic senator joins calls for banning the app (Wall Street Journal)
- U.S. cyber ambassador Nathaniel Fick speaks at an event hosted by the German Marshall Fund today at 10:30 a.m.
- California’s Privacy Protection Agency Board will meet today to discuss possible action on proposed cybersecurity regulations.
Thanks for reading. See you tomorrow.