The SEC has managed to unite law firms to protest its treatment of cybercrime victims


Eighty-three American law firms, employing more than 50,000 attorneys, have filed an official protest backing some of their peers working on an SEC lawsuit. 

In the brief, the complainants urged the court to rein in the SEC, claiming its current demands put their associates at law firm Covington & Burling in a lose-lose situation and set a dangerous precedent for the future.

The case concerns a major cybercrime incident that occurred in late 2022, in which Chinese state-sponsored hackers known as Hafnium exploited multiple zero-day vulnerabilities found in Microsoft Exchange servers to compromise countless emails and steal data from US-based defense contractors, law firms, and scientists. Among the victims was Covington & Burling, and the breach gave the threat actors access to sensitive data on its clients, including firms regulated by the Securities & Exchange Commission (SEC).

Deeply troubled

When the SEC found out, it issued a subpoena, demanding the law firm share the names of SEC-regulated firms whose data was "viewed, copied, modified or exfiltrated during the attack". It also asked for all communications between those firms and their lawyers. When the law firm said no, as the move would breach client-attorney confidentiality, the SEC sued the firm.

Now, 83 law firms have said they are “deeply troubled” by the lawsuit.

Not only is the SEC demanding that the law firm breach confidentiality (which could result in disbarment), but it's also doing so, the filing reads, out of pure curiosity.

"Not only would the SEC breach well-established principles of confidentiality in the service of this fishing expedition, it would turn attorneys into witnesses against their own clients, while offering no guarantees that it will not disseminate the information to other parts of the government, the press, and the public," the filing said.

The group asked the court to deny the SEC’s application.

"This violation of confidentiality is especially troubling given that it re-victimizes the targets of a foreign nation's cyberattack — an increasingly common feature of modern life that even the most diligent businesses and governments cannot prevent," the filing reads.

What's more, should the law firm be forced to comply, that would "fundamentally change the calculus when law firms consider how to respond to a cyberattack." They can either "fulfill their ethical obligations to their clients" and suffer legal sanctions, or comply and risk disbarment.

"Either outcome imposes a significant and unfair burden on attorneys," they concluded.

Via: The Register

Sead Fadilpašić
