Three Key Takeaways
- Despite affirming the SEC’s broad investigative authority, the court limited the SEC’s requests to information directly connected to its stated investigative objectives. This decision reflects that courts increasingly view the SEC’s power much more narrowly than does the agency itself.
- The outcome in this case may embolden the SEC to seek similar information in the future from law firms that experience a cyberattack, since it largely prevailed on its legal arguments against the law firm. But the agency received significant external criticism for seeking this information and the court ultimately exercised discretion to hold the SEC to a tighter standard of relevancy than is typical in subpoena enforcement actions, suggesting that the court was unsympathetic toward the agency’s actions. Under future SEC administrations, it would not be surprising to see the agency adopt tighter internal standards for subpoenaing law firms akin to those the agency has for subpoenaing the press.
- SEC investigations are but one of the many legal challenges companies may face in the wake of a cybersecurity incident. Companies should not be deterred by this case from seeking legal counsel to help identify, navigate, and mitigate those risks, especially when involved early in the incident response.
Source: SEC Gains Access to Identities of Law Firm Clients | Jones Day