By Andrew Goudsward
(Reuters) -Covington & Burling must identify some clients caught up in a 2020 hack on the law firm to the U.S. Securities and Exchange Commission, a federal judge in Washington ruled on Monday in a case that could impact future cyberattack investigations.
U.S. District Judge Amit Mehta ordered Covington to give the SEC the names of seven public company clients that may have had information relevant to investors accessed or stolen, dealing a partial victory to the financial regulator in its probe of the attack.
A spokesperson for Covington said the firm will "review the decision carefully and consider any next steps in consultation with our affected clients."
An SEC spokesperson did not immediately respond to a request for comment.
The ruling, which is likely to be appealed to the D.C. Circuit U.S. Court of Appeals, strikes a middle ground in a dispute closely watched by the U.S. legal industry.
Any final outcome could make it easier for the government to get information on law firm clients in the future, and law firms warn it could chill cooperation between the private sector and authorities investigating cyberattacks.
The SEC had sought the names of all the nearly 300 companies affected, but Covington resisted identifying any clients. An internal review by the firm had identified seven companies that may have had market-relevant information accessed in the hack, according to court filings.
Mehta wrote that the SEC's subpoena was "too broad" but that there was nothing improper about the regulator gaining access to some client names for a probe.
The SEC sued Covington in January to force the prominent Washington-based firm to identify public company clients whose information was accessed or stolen in the breach carried out by the Chinese-linked Hafnium cyber-espionage group, filings showed.
The agency said it needed the names to probe for securities law violations associated with the attack, arguing that Covington’s law firm status did not shield it from cooperating.
Covington told the court a law firm’s clients are part of a “zone of privacy” protected by the U.S. Constitution and legal ethics rules. It also argued the subpoena would force the firm to expose clients to government scrutiny without evidence of wrongdoing.