Washington Watch-Sealed Filings in Federal Cases May Have Been Compromised

A cyber-attack on the electronic filing system used by the federal courts has put at risk a range of highly sensitive confidential documents previously filed with the courts by public and private litigants. Sealed filings in a range of cases—including criminal, civil, and bankruptcy filings—may have been compromised by the hack. Some Title III wiretap applications, national security matters, confidential business transactions, and trade secrets reportedly could be vulnerable. The attack has been described as one of the worst U.S. intelligence failures on record.

The revelation that a suspected Russian cyber-espionage campaign, the so-called SolarWinds Attack, caused the “apparent compromise” of the federal courts’ Case Management/Electronic Case Files system (CM/ECF) was disclosed on January 6 by the Administrative Office of the U.S. Courts (AO). As a broad federal investigation into the attack began, the judiciary swiftly suspended all national and local use of the Solar- Winds network monitoring platform within CM/ECF.

In the following weeks, as the seriousness and depth of the intrusion became better known, concerns grew that the breach was continuing in ways not yet identified. A 60 Minutes report on February 14 said that it could take years to fully learn what information was obtained and what hackers are doing with it. Technology executives told a Senate Select Committee on Intelligence hearing on February 23 that the attack was likely wider, more complex, and harder to trace than previously known.
The executives said the attack, which compromised at least nine federal agencies (including the federal courts) and numerous private companies, revealed systemic vulnerabilities in the software supply chain used by many businesses and government institutions.

The AO has called upon courts to implement new security procedures to protect highly sensitive documents (HSDs) and to require litigants to file covered HSDs on paper or via secure electronic devices to be stored at the courthouse in a stand-alone computer system and not uploaded to CM/ECF.

Courts also have begun to issue standing orders to address the filing of HSDs, resulting in a patchwork of policies over how HSDs are defined, given the decentralization of the federal court system. For example, the Northern District of California has limited HSDs to “only a subset of sealed documents filed by the criminal division of the U.S. Attorney’s Office,” while the District Court for the District of Columbia has extended HDS coverage to a wider set of sealed documents, including those containing “closely-held trade secrets” and “other sensitive information.” A few courts have extended HSD coverage to “information likely to adversely affect” the ability of an entity to maintain cybersecurity, nonpublic intellectual property, trade secrets, or highly confidential commercial information. Some courts already had required sealed or confidential filings to be submitted through means other than the electronic system, but others, including the Federal Circuit Court of Appeals, which adjudicates patent disputes, had previously permitted it.

The new HSD filing procedures have not changed federal court policies regarding public access to court \records, since sealed records are confidential and not available to the public. But the challenges of the new arrangement will test public confidence in the courts and their ability to protect highly sensitive information. It also will renew concerns over public access to court proceedings, with transparency advocates arguing that judges are unnecessarily sealing court documents and important evidence in product liability, public corruption, and other cases. Others contend that privacy is critical in certain sensitive cases, including intellectual property and whistleblower disputes, including False Claims Act matters.

Regardless of the public debate, court filing and records management systems will continue to remain a high-profile target for hacks and cyber-espionage, and the federal judiciary will need to remain vigilant to protect the confidentiality of nonpublic, highly sensitive information. Congress also will need to consider whether to create a federal entity to quickly examine major cyber breaches for systemic problems, as well as a mandatory reporting system paired with liability protection. Currently, there is no legal obligation for private organizations to report breaches of any kind to government agencies.

About the Author

Bruce Moyer is government relations counsel for the FBA.

About the FBA

Founded in 1920, the Federal Bar Association is dedicated to the advancement of the science of jurisprudence and to promoting the welfare, interests, education, and professional development of all attorneys involved in federal law. Our more than 16,000 members run the gamut of federal practice: attorneys practicing in small to large legal firms, attorneys in corporations and federal agencies, and members of the judiciary. The FBA is the catalyst for communication between the bar and the bench, as well as the private and public sectors. Visit us at fedbar.org to learn more.