People exit the headquarters of the U.S. Securities and Exchange Commission (SEC) in Washington, D.C., U.S., May 12, 2021. Picture taken May 12, 2021. Reuters

Law firm Covington & Burling fired back at a lawsuit from the U.S. Securities and Exchange Commission on Tuesday, arguing the agency overstepped by asking it to identify clients affected by a 2020 cyberattack on the firm.

Covington said an SEC subpoena for the names of nearly 300 publicly traded companies whose information was accessed or stolen during the hack threatened to expose confidential client information that the firm is required to protect.

"The SEC's effort to compel Covington to help the agency investigate the firm's clients, without any evidence whatsoever of wrongdoing by Covington or those clients, is an assault on the sanctity and confidentiality of the attorney-client relationship," Covington told the Washington, D.C., federal court hearing the case.

The SEC sued Covington last month to force the powerful D.C.-based firm to identify the clients as part of an investigation into potential securities law violations associated with the hack. The agency said the hack was carried out by the Chinese-linked Hafnium cyber-espionage group.

The SEC has argued that its subpoena was narrowly targeted and did not seek information covered by attorney-client privilege. It said its request was necessary to determine whether the hack resulted in insider trading and if the companies made all required disclosures to investors about the breach.

Covington accused the SEC of engaging in a "fishing expedition" and attempting to force the firm to turn over information that could lead to scrutiny of its own clients without evidence of misconduct.

The firm pointed to legal ethics rules that require law firms to keep the confidences of their clients and protect potentially embarrassing information.

It said the SEC's demand could chill cooperation between law firms and the government following future cyberattacks and cause a "cascading series of dilemmas" for firms caught between reporting breaches and protecting their clients.

Covington's legal team at Gibson, Dunn & Crutcher has said the 2020 hack was aimed at a small group of lawyers and advisors to glean information about the incoming Biden administration's policies on China.

Covington said it worked with the FBI to investigate the cyberattack and notified all clients whose information was potentially compromised.

The case is Securities and Exchange Commission v. Covington & Burling, U.S. District Court for the District of Columbia, No. 23-mc-00002.

For the SEC: Dean Conway of the SEC

For Covington: Kevin Rosen of Gibson, Dunn & Crutcher