TheCorporateCounsel.net

Public companies aren’t the only ones grappling with cybersecurity right now. Your law firm may need to revisit how to respond to cyber-breaches and government requests for client info, in light of a recent court order.

I’ve blogged a couple of times about the SEC’s efforts to compel cooperation from a law firm whose clients may have had information accessed or stolen in a big cyber breach. The SEC wanted the firm to turn over the names of nearly 300 clients. The firm – along with 83 other big firms – pushed back.

As reported by Reuters, in late July, a court ordered the law firm to give the SEC the names of 7 clients. The firm identified those clients in an internal review that assessed whether any material non-public information may have been improperly accessed – and for those 7, the firm couldn’t rule out that possibility.

The SEC wants to use the info to probe for securities law violations relating to the attack. Specifically:

(1) to determine whether a threat actor or others engaged in illegal trading based upon access to material nonpublic information; and

(2) to evaluate whether any publicly traded issuers failed to disclose material cybersecurity events in connection with the attack.

The firm plans to appeal. In the meantime, law firms that discover a cyber breach will continue to face complex decisions about whether to notify law enforcement and what data to provide during an investigation.

– Liz Dunshee