Federal Courts Issue Orders Modifying Procedures for Highly Sensitive Documents

Cyber security breaches have been widespread recently, prompting business and government agencies alike to implement new rules, regulations and protocols to protect confidential personal information. Most recently, the federal Judiciary announced new protocols for filing court documents containing “highly sensitive material.” These new protocols come in the wake of the SolarWinds data breach, which compromised, among other things, the federal Judiciary’s Case Management/Electronic Case Files (CM/ECF) system.

In response to this data breach, the federal Judiciary announced it is conducting a security audit of vulnerabilities in CM/ECF, and that it had discovered an apparent vulnerably in CM/ECF which put at risk sensitive non-public documents saved on CM/ECF, in particular documents that are filed under seal. In light of this vulnerability, the federal Judiciary announced that it will require “highly sensitive material” to be filed either in paper form or via a secure electronic device, such as a thumb drive, which will then be stored in a secure standalone computer system.

While the federal Judiciary did not define the scope of “highly sensitive material,” it clarified that not all documents typically filed under seal would qualify, indicating that documents such as pre-sentence reports, pre-trial release reports, Social Security records, administrative immigration records and many sealed filings in civil cases likely would not be sufficiently sensitive to require treatment as “highly sensitive material” and could continue to be sealed in CM/ECF as previously done.

The Judiciary advised that the federal courts will be issuing standing or general orders regarding these new procedures, including how each court defines “highly sensitive material” and how such documents are to be filed in that particular court. The absence of a uniform definition from the federal Judiciary will likely result in courts differing on what constitutes “highly sensitive material” and how such documents should be filed in each court. In New York alone, each federal court has issued an order defining “highly sensitive material” in a different way.

For example, the District Court for the Southern District of New York issued a standing order identifying “highly sensitive documents” as “a limited group of documents that (1) contain classified information or information that could harm national security; or (2) by their disclosure could reasonably be expected to cause exceptionally grave damage or injury to any person, entity or institution.”

On the other hand, the Western District of New York issued a general order that contains a substantially more expansive definition of what is and may be considered “highly sensitive documents,” including:

1. applications for electronic surveillance;
2. partial reports of grand jury proceedings;
3. documents that contain information that would present clear and present danger to life and safety;
4. documents in highly sensitive criminal matters;
5. documents discussing matters of national security;
6. documents raising highly sensitive domestic or international issues;
7. documents involving intellectual property, trade secrets or other highly sensitive commercial issues; and
8. documents discussing the reputational interest of the United States.

And the Northern District of New York issued its own general order defining “highly sensitive information” in yet another way, including applications for search warrants, applications for electronic surveillance under 18 U.S.C. § 2518, sealed grand jury indictments, sealed complaints, pen registers, grand jury target letters, grand jury non-disclosure orders, applications for 18 U.S.C. § 2703-d disclosures and qui tam actions.

The Second Circuit Court of Appeals issued a notice stating that it would be adhering to its current practices, which requires that all sealed documents – whether they contain highly sensitive information or not – be delivered directly to the clerk’s office. The Second Circuit does not permit filing of any sealed documents in its CM/ECF system and therefore does not need to update its procedures in response to the Judiciary’s new protocols.

The Eastern District of New York has yet to issue any orders or directives with respect to “highly sensitive documents,” though it is expected to do so in the near future.

Each of the court orders provides specific details about how documents with “highly sensitive material” should be filed in their particular court (which in large part appears to be by hard copy only), the procedures for having a document deemed “highly sensitive,” and the procedure for having a document that was previously filed in CM/ECF that contains “highly sensitive material” removed from the CM/ECF system.

As is evident from review of the orders issued just in the New York federal courts, the Judiciary’s ambiguous designation of “highly sensitive material” has left this term open for interpretation and resulted in differing definitions across the federal courts nationwide. Practitioners should pay careful attention to each court’s individual orders and rules when filing documents on CM/ECF to ensure compliance with these updated security procedures and protocols.

While New York State Courts have yet to issue any statement or order addressing similar security concerns with their own electronic filing system (New York State Courts Electronic Filing system), we can anticipate that, in light of widespread data breaches and cyber security concerns, the New York State Courts will review their data and privacy practices and enact additional protections as is necessary.

Regardless of any additional rules, orders or legislation on this subject, practitioners should be aware of these cybersecurity issues in the court system and keep them in mind when determining whether to electronically file documents containing personal, confidential or “highly sensitive” information with the court. Practitioners who regularly obtain and file “highly sensitive” documents should also review their own security policies and practices to determine whether any changes are necessary in light of increased data security breaches.