Federal courts throughout the country have rushed to update guidelines governing the filing and maintenance of sensitive court records in response to “a known compromise” of the widely-used SolarWinds Orion IT monitoring and management platform. While the new guidelines are expected to be temporary, there has been little agreement about their contours and their necessity highlights the constant data security threat faced by courts, counsel, and clients.
Last December, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to all federal civilian agencies regarding the SolarWinds cyberattack known as Solarigate. The Administrative Office of the U.S. Courts (AO) thereafter notified courts of the directive and the Judiciary swiftly suspended all national and local use of the SolarWinds platform. The attack may have compromised highly sensitive, non-public documents stored in the Case Management/Electronic Case Files system (CM/ECF) used by all federal courts. Although the extent of the attack and the specific documents and information that may have been compromised remain unknown, the Judiciary has instructed that courts adopt new procedures regarding the filing and maintenance of Highly Sensitive Documents (HSDs).
In accordance with the Judiciary’s requirement, all federal courts must now accept HSDs filed in paper form (or on a secure electronic device) in lieu of standard sealed submission via the CM/ECF system. The Judiciary has further required courts issue standing or general orders regarding the new procedures. Such orders must specifically address “the types of filings [the court] does and does not consider to be HSDs.” While many courts have yet to act, the orders promulgated to this point reveal a divide regarding how HSDs will be defined and determined in federal courts across the country.
What Is Highly Sensitive? Disagreement Regarding HSDs
Consistent with the Judiciary’s general guidance, not all sealed filings are to be considered HSDs, but the specific boundary between HSDs and a normal, sealed filings—which will still be submitted via CM/ECF—have been left up to the individual courts. Especially in the context of civil cases, this freedom has led to a number of potentially significant variations. Examples of such variation include:
- Some courts, including the Northern District of California, steadfastly refusing HSD status for any court-filed documents aside from a subset of sealed documents filed by the criminal division of the U.S. Attorney’s Office;
- Certain districts, like the Eastern District of Virginia and the Northern District of Illinois, applying a restrictive civil case definition of HSDs extending only to materials whose disclosure could jeopardize national security, place human life or safety at risk, or would substantially assist a foreign power in the development competing commercial products or products with military applications;
- Other courts, including the District of Columbia, expanding HSD status to also encompass documents containing “closely-held trade secrets” and “similar sensitive information”;
- A few districts, including the Eastern and Western Districts of Texas, extending the definition to “information likely to adversely affect” the ability of an entity to maintain cybersecurity, nonpublic intellectual property, trade secrets, or highly confidential commercial information; and
- Still other courts, such as the Central District of California, awaiting Circuit-level guidance prior to promulgating a definition of HSDs.
As many courts have yet to weigh in on the debate, further variation could still emerge. And as the investigation into the scope and content of the CM/ECF data breach continues, the Administrative Office and Judiciary may issue additional guidance to the courts.
Despite such uncertainty, a few points of clarity exist. The federal courts’ document filing and storage system—even after the present security audit and upgrades are complete—will remain a target for hackers and system vulnerabilities will continue to exist. The Judiciary must remain vigilant in its fight to protect the confidentiality of nonpublic documents necessary to the administration of justice. Counsel and clients are not, however, spared from this burden. They too should continue review, revise, and test their own security plans and protocols surrounding the storage and transmission of confidential information of all sorts including HSDs—regardless of how courts interpret the term.