Covington & Burling was hacked, SEC is now suing the D.C. law firm

Covington & Burling has more than 700 lawyers in Washington, D.C., where the international firm has built a reputation of working with regulators rather than fighting them.

But in recent weeks, Covington has found itself mired in an unprecedented courtroom battle with the Securities and Exchange Commission in a case that’s rattled Capitol Hill’s legal industry and threatened to upend one of the most sacred concepts in American jurisprudence: attorney-client privilege.

It started with a hack of Covington’s systems beginning in 2020. After disclosing the breach to the FBI, the firm and law enforcement concluded that a Chinese state-sponsored actor was responsible and was looking for information “about policy issues of specific interest to China in light of the incoming Biden Administration,” a court filing said.

Last year, the SEC issued a subpoena demanding Covington provide the names of impacted clients, the amount of information compromised and the nature of Covington’s communications with those clients. After Covington refused to comply, the SEC sued the firm in January, trying to force it to reveal the names of nearly 300 clients, all U.S.-listed companies or investment advisors.

“The SEC’s subpoena turns advocate into informant, conscripting Covington as a source for investigative leads against its own clients,” the firm said in a filing.

An SEC spokesperson declined to comment beyond public filings. A Covington spokesperson pointed CNBC to the firm’s filings in federal court but also declined to comment further.

Covington remains unyielding in its opposition, and the firm is getting a hefty dose of support from its legal peers. Last week, more than 80 of the most influential law firms in the country filed a brief defending Covington, arguing that the SEC’s attempts to subvert attorney-client privilege would fracture “one of the oldest and most inviolate principles in American law.”

In a filing on Feb. 14, Covington said that handing over the names of its clients would breach client confidentiality and have a chilling effect across the industry, with institutions no longer certain they could trust their lawyers with sensitive information. Covington not only represents large corporations, but has one of the most active pro bono practices in the U.S., representing small businesses, nonprofits and veterans.

Now, a Washington federal judge will determine the fate of a case that’s pitted pressing national security interests against historical legal standards.

In the wake of high-profile attacks on the country’s critical energy, financial, and legal infrastructure, protecting U.S. institutions from foreign cyber intrusion has become a top priority for the government and the FBI. Officials have said cooperation and support from the private sector, ranging from small businesses to top law firms, is a critical part of law enforcement’s efforts to protect U.S. interests.

Anything involving China is particularly sensitive, as trade and diplomatic tensions continue to escalate between the world’s two largest economies.

But Covington said in a filing that, with “very few exceptions,” no clients were targeted specifically by the Chinese state-sponsored hacker. Covington that if the SEC succeeded in forcing it to disclose the names of its potentially impacted clients, the move would undermine the “cooperative relationship between the public and private sector.”

The hack, which began in November 2020, involved a sophisticated actor exploiting a vulnerability in Microsoft’s Exchange Server software, the technology that powers email and calendar solutions for many businesses. It was a zero-day exploit, which meant Microsoft didn’t know about the problem and couldn’t warn users until the breach was discovered in March 2021. By that time, the hacker had already compromised Covington’s systems.

Covington didn’t disclose to the FBI the names of clients whose information was impacted, nor did it tell the SEC. A source familiar with the matter said it still isn’t clear how the SEC became aware of the hack, which ultimately led the regulator to issue a subpoena a year ago.

The SEC has justified its efforts by saying it seeks to ensure that no illegal trades were made as a result of the cybersecurity breach, and that no material nonpublic information was used for profit. The SEC pursued an enforcement action in 2016 against a pair of Chinese hackers who earned more than $3 million trading off material nonpublic information they obtained by hacking law firms.

Covington said it had already engaged in an “extensive internal review,” court filings show, and devoted nearly 500 hours of attorney time in an effort to comply with the SEC’s requests for information. The review involved nine Covington attorneys, including a former SEC associate director, and concluded that the compromised data of only seven of the 298 impacted clients “might possibly contain MNPI.”

The litigation and associated work could force Covington and its outside law firm, Gibson Dunn, to commit hundreds of billable hours fighting the SEC action, a source familiar with the matter suggested.

Covington shared its findings with the SEC, but the agency refused to accept the limited data, according to a filing from the firm, and demanded the names of all of unidentified clients. Covington described itself as an “innocent third party,” and said the SEC’s attempts to access client information were unprecedented.

“An attorney is supposed to stand between his client and the power of the government,” Covington’s opposition filing reads.

“Despite all of this, the SEC is again demanding to invade a sacred precinct of trust and confidence,” Covington’s filing said. “This Court should bar the door.”

WATCH: U.S. Select Committee on China wants emphasis on public communications