Federal Court Limits SEC's Access to Client Identities in Law Firm Cyberattack Case
After a law firm fell victim to a cyberattack, the U.S. Securities and Exchange Commission (SEC) issued a subpoena demanding various pieces of information, including the identities of clients potentially affected by the breach. The law firm resisted, prompting the SEC to initiate legal proceedings to enforce its subpoena.
The Verdict
On July 24, 2023, the court granted the SEC partial relief, recognizing the agency's expansive investigatory powers but also limiting its access to only seven out of the 298 client names it had originally requested. The court dismissed the law firm's claims of attorney-client privilege and Fourth Amendment violations.
The Implications
While the SEC is unlikely to be dissuaded from issuing subpoenas in similar future cases, the court's decision and the ensuing public criticism may make the agency more cautious about encroaching upon the sanctity of the attorney-client relationship.
The Case Unveiled: SEC v. Covington & Burling, LLP
The case originated from a cyberattack that plagued the law firm for a period of four months starting in the fall of 2020. Although the firm collaborated with the FBI in its investigation, the FBI did not request any client-related information.
In early 2021, the SEC launched its own inquiry after a software company disclosed security flaws that had been exploited to compromise various systems. A year later, the SEC served a subpoena on the law firm, seeking details about the cyberattack and the identities of clients who might have been affected. Despite narrowing its request to focus solely on client identities, the SEC and the law firm reached a stalemate, leading the SEC to file a lawsuit to compel compliance with the subpoena.
The Legal Arguments
In court, the SEC contended that it required the identities of the clients to ascertain whether insider trading had occurred based on material nonpublic information (MNPI) accessed during the cyberattack. The agency also aimed to evaluate whether any publicly traded clients had neglected to disclose pertinent information about the cyberattack.
The law firm countered with two primary defenses: 1. The identities of the clients were shielded by attorney-client privilege. 2. The SEC's request constituted an "unjustified fishing expedition" in violation of the Fourth Amendment.
The Court's Ruling
The court overruled the law firm's objections, stating that client identities are generally not protected by attorney-client privilege unless special circumstances exist. It also dismissed the Fourth Amendment concerns, noting that the SEC's civil investigative powers, although extensive, are not without bounds.
However, the court did place limitations on the SEC's request. It allowed the agency access to only seven client identities, as these were the only clients whose MNPI might have been compromised according to the law firm's internal investigation.
Key Takeaways
- Scope of SEC's Authority: The court's decision underscores that while the SEC has broad investigatory powers, those powers are not unlimited and must align with the agency's stated objectives.
- Future SEC Actions: The SEC may feel empowered to continue its practice of subpoenaing law firms in similar situations, although it may face stricter scrutiny and public criticism.
- Legal Challenges Post-Cyberattack: Companies should not hesitate to seek legal advice following a cyber incident, as the legal landscape continues to evolve and pose new challenges.
This case serves as a crucial reminder of the delicate balance between regulatory oversight and the preservation of confidential attorney-client relationships. It also highlights the importance for companies to proactively engage legal counsel in navigating the complex regulatory and legal challenges that can arise in the aftermath of a cyber incident. SEC Enforcement Spotlight: Financial Reporting and Disclosure Trends in 2023
August 21, 2023
Under Chair Gary Gensler, the Securities and Exchange Commission (SEC) continues to vigorously pursue enforcement cases related to financial reporting and disclosure violations. The SEC's 2023 actions to date suggest the agency remains fully committed to several enforcement priorities evident last year:
Scrutiny of Non-GAAP Financial Metrics
A major SEC focus that has carried into 2023 is the potential for misleading use of non-GAAP financial metrics that paint a more favorable picture of financial performance. In December 2022, the SEC's Division of Corporation Finance issued new compliance guidance on proper non-GAAP reporting.
Then in March 2023, the SEC charged an information technology company with negligence-based antifraud violations for incorrectly classifying regular operating expenses as nonrecurring, thus excluded from non-GAAP earnings. This inflated the company's non-GAAP performance over three years. Without admitting wrongdoing, the company paid an $8 million penalty and agreed to implement enhanced non-GAAP controls and procedures.
This enforcement action comes on the heels of the SEC expressing concern some companies may be abusing non-GAAP metrics to inappropriately manage earnings perceptions. We expect continuing SEC scrutiny of non-GAAP disclosures and charges against issuers deemed to have crossed into misleading territory.
Expanding Regulations Impose New Compliance Burdens
The SEC continues its brisk pace of promulgating new regulations that expand disclosure requirements and compliance burdens for public companies and other registrants. The SEC’s ambitious rulemaking agenda shows no signs of slowing under the Gensler administration.
In 2023, major new rules have already taken effect requiring disclosures related to insider trading plans, share repurchases, executive compensation, and auditor independence. Cybersecurity incident reporting rules adopted in July mandate an 8-K filing within 4 days of determining an incident is material.
Still in the pipeline are highly anticipated proposed rules on climate-related disclosures and special purpose acquisition companies (SPACs). The SEC plans to finalize 55 additional rules between now and April 2024 spanning a wide range of topics impacting public companies and financial sector participants.
Ongoing Vigilance over Rule 10b5-1 Plan Disclosures and Trading
In February, amended SEC rules took effect that impose new restrictions and disclosure requirements surrounding Rule 10b5-1 trading arrangements that provide an insider trading defense. On the heels of the new regulations, the Department of Justice filed what appears to be the first-ever criminal 10b5-1 plan case. The SEC simultaneously pursued civil charges based on the same facts.
The case signals regulators will continue scrutinizing 10b5-1 plan adoption and trading using data analytics to identify red flags. Tougher legal compliance obligations now exist, but expect ongoing enforcement attention toward policing potential abuses. Issuers and insiders should re-examine existing plans for adherence to enhanced regulations and overall good faith compliance.
Accounting Fraud Charges Target Misstated Revenue, Concealed Expenses and Liabilities
So far in 2023, SEC accounting fraud enforcement has continued at a vigorous pace similar to last year. Numerous financial reporting cases have been filed alleging various schemes to recognize premature or fabricated revenue as well as understate or conceal expenses and liabilities to manage earnings.
Charges have targeted improper revenue recognition practices, including fake “bill and hold” transactions and undisclosed side agreements. Other allegations involve concealing operating costs through deferred expenses, inflated assets, and understated earnout liabilities from acquisitions. Misuse of non-GAAP metrics has also facilitated reporting violations.
False or Misleading Disclosures Remain in the Crosshairs
The SEC maintains focus on disclosure violations beyond financial reporting. Recent enforcement has targeted false press releases, concealed conflicts in media articles, forged attorney opinion letters, and false statements to auditors. The SEC also continues prioritizing transparency around beneficial ownership, bringing actions for misleading reports concealing stock ownership.
Ongoing Legal Challenges to SEC's Authority
While vigorous on enforcement and rulemaking fronts, litigation developments pose potential threats to aspects of the SEC’s authority. The Supreme Court’s Axon ruling expanded court challenges to the agency's structure and procedures without first exhausting administrative review. The Justices are also currently reviewing whether SEC in-house administrative proceedings are constitutional under recent appeals court precedent.
If administrative enforcement remedies are curtailed, the SEC may be constrained to bring more contested actions in federal court rather than its Administrative Law courts. But broad SEC enforcement efforts show little indication of slowing despite these legal uncertainties.
Key Takeaways for Issuers and Registrants
The SEC's ongoing active enforcement and expansive rulemaking agenda have key implications for public companies and regulated entities:
- Ensure robust compliance with growing regulatory requirements and disclosure duties
- Emphasize sound accounting, rigorous financial reporting, and transparency to avoid fraud allegations
- Proactively review disclosure policies through critical lens to confirm accurate, non-misleading
- Assess insider trading controls, including proper use of Rule 10b5-1 plans
- Carefully adhere to non-GAAP rules and avoid potential earnings management perceptions
Contact Lucosky Brookman if you need experienced counsel on SEC regulatory compliance issues or related enforcement matters. We closely monitor developments impacting clients to help position them for success in the current environment.