Law firm data breach, is the fed overreaching?
Every now and then, something really important happens that somehow seems to slide under the radar without much visibility. Those of us in the cybersecurity business pray daily for these occasions. Occasionally however, these proceedings have significance and influence far beyond the initial matter.
On January 12, 2023, the SEC filed a subpoena enforcement action against the law firm Covington & Burling LLP, directing it to identify the names of clients associated with the November 2020 Hafnium cyberattack on Covington. The SEC subpoena states that the information is requested:
I acknowledge that the issue of material nonpublic information (MNPI) related to cybersecurity is important; it was front-page news when the SEC charged an Equifax insider with improperly trading company stock based on prior knowledge of the 2017 Equifax data breach. The SEC’s enforcement division allegedly took similar actions following the SolarWinds cyberattack in 2021 to determine whether victimized SolarWinds customers subject to U.S. securities laws properly disclosed to investors whether there was any suspicious trading related to the incident and whether private data was compromised.
While these may be appropriate actions for the SEC to take, the case highlights the broader issue of secondary victims of data breaches. It also raises the question of whether other companies might receive an SEC subpoena for information that could be used against their own customers who were victimized by a cyberattack. There are clear ethical boundaries and client expectations around attorney-client privilege, client confidentiality, and doctor-patient privilege, but the boundaries are far less clear for companies whose privilege obligations aren’t codified in statute or established by prior precedent.
Another concern I have is that, while not specifically stated, once the SEC has the names of customers, it, or another federal agency such as the FTC, could open additional investigations into whether those customers had ‘appropriate’ security controls in place, possibly entirely unrelated to the initial incident that prompted the investigation. That should scare the bejesus out of everyone, including CEOs, GCs, CIOs, and CISOs.
Finally, I am not a lawyer, and these are just my musings as an interested layman. Happy to hear your thoughts.
CTO of OODA LLC.
I enjoy your thoughts on this, Mark. Thanks. I would just point out that we currently find ourselves in an interesting position where entities in China, including the Chinese government and the Communist Party, have access to information on whose data was viewed, but no US regulatory body does. Maybe the rule should be that if a bad guy got the data, then automatically the good guys can get the data. Maybe that would be yet another reason to make it harder for anyone to view data they are not supposed to.
Thanks, Mark, for your post. I find it rather disconcerting that the federal government is demanding information from this company that it wouldn't request from a reporter. My thoughts are that the "veil" of permitted secrecy is being violated by this pressure from the government. Thanks again!
Chief Security & Trust Officer, HiddenLayer
Mark Weatherford, thanks for posting this ... it is indeed interesting for us all to examine what is occurring and watch it carefully. Again, like you - a layperson when it comes to this from a legal perspective - but I can see a great deal of issues with attorney-client privileged material that could have substantial implications for organizations. On the other hand - I do believe that many organizations have not properly disclosed to investors potential cyber material risks or cyber-related material events that have occurred. Not sure I have a good answer, but it would be a worthwhile discussion for many of us to have, to share the pros/cons that could occur, to gain insights that could help us protect our organizations better and also look out for our investors and the greater public interest with respect to cyber risks.