SEC Request No. 3(b) seeks documents sufficient to identify “[t]he nature of the suspected unauthorized activity Concerning the client,” including “when the activity took place” and “the amount of information . . . viewed.” While Covington disclosed the dates of the unauthorized activity and the number and types of files breached in response to another part of the request, Covington cannot take the further step of connecting those files to any individual client. People engage lawyers for their most serious and sensitive matters, and they expect their lawyers to hold all information provided, including the mere fact of their representation, in the strictest confidence.
That client identities are somehow considered unprotected information is perhaps the weakest of all of the SEC’s arguments. Whether Covington communicated with a client about a cyber-attack is not relevant – a client’s identity and the existence of an attorney-client relationship is every bit as privileged as the legal advice provided to that client.
Source: (10) Victimizing a Victim Twice: The SEC’s Attack on Covington & Burling | LinkedIn