A cyberhack of the U.S. federal courts filing system puts at risk a range of highly sensitive competitive and financial information and trade secrets, including companies’ sales figures, contracts, and product plans, attorneys said.
Everything from the algorithms ERISA providers use to evaluate investments to pharmaceutical companies’ formulations and chemical processes could be exposed via court documents. Whatever insider information has been improperly accessed could be used to manipulate securities markets and benefit foreign competitors.
“It’s really quite stunning to imagine this information at risk of public disclosure,” said Meaghan VerGow, an O’Melveny partner and litigator who defends large employers in ERISA class actions.
Attorneys are scrambling to determine not only what information might have been breached but also how the federal courts intend to process and safeguard sensitive information going forward.
The situation will “require litigators to look at their cases and determine whether any of them are impacted, which may be a mammoth task,” Steven Blickensderfer, an attorney at Carlton Fields in Miami, said.
If sealed filings in cases involving sensitive matters, like trade secrets disputes or confidential business dealings, were compromised, it could have “deleterious effects” on the businesses involved, Blickensderfer said.
The Administrative Office of the U.S. Courts on Wednesday disclosed the “apparent compromise” of the electronic filing and case management system, known as CM/ECF.
An AO spokesperson told Bloomberg Law the compromise is likely connected to the hack of SolarWinds’ Orion products, which affected multiple government agencies and companies. The AO said it was working with the Department of Homeland Security on an audit of the system.
Going forward, “highly sensitive documents” will have to be submitted to the courts on paper or on a secure electronic device, like a thumb drive, and stored on a “secure stand-alone computer system.” Each court will make its own determination about which documents are highly sensitive.
Pleadings “such as Title III (wiretap) applications, matters of national security, intellectual property and trade secrets” are a few types of documents that courts might consider highly sensitive, an AO spokesperson said.
“For years, we told everybody that our system is secure,” said Thomas I. Vanaskie, a former federal trial and appellate judge who was chair of the Judicial Conference’s information technology committee. “This is not good.”
Trade Secrets, Blackmail
It’s so far unclear what documents may have been exposed and the impact may vary. The AO didn’t have further details about what might have been compromised. Individual courts had authority to determine what is filed on the electronic system, and it varies by venue.
“This is going to have differential effects based on each court’s existing practices,” Mel Bostwick, a partner at Orrick in Washington, said. Some courts already required sealed or confidential filings to be submitted through means other than the electronic system, but others, including the Federal Circuit, permitted it, she said.
“It sounds like that information is now vulnerable, which is a significant concern for a company because it could include their most highly sensitive competitive and financial information,” Bostwick said.
Reuben A. Guttman, a founding partner of Guttman, Buschner & Brooks in New York, said “a big question” is how to deal with complaints filed under seal like those under the False Claims Act. There are 600 False Claims Act cases filed under seal each year, Guttman said, for the most part, they remain under seal for at least two years and as long as four years.
If some of those cases filed and kept in the electronic filing system, “you have the potential for somebody to really, really interfere with the securities market,” Guttman said. For example, if you know a big pharmaceutical company is being investigated or that their docket is filed under seal, which indicates the magnitude of the investigation, that could be inside information that’s “very useful to certain constituencies,” he said.
When it comes to trade secrets or other commercial disputes, the potential breach could jeopardize sensitive intellectual property that’s protected by trade secrets but hasn’t been patented, said Scott Frewing, a partner at Baker & McKenzie LLP who represents clients in complex civil tax matters. Such information may be under seal in a case and not available to the public, he said. “I would be concerned about client information in that context,” he said.
Frewing also represents individuals in criminal cases, where he said court documents frequently include sensitive psychiatric, financial, or medical information that may be under seal. “That information now could be in the hands of somebody who breached that system, and I think that’s really troubling,” he said.
John A. Dragseth, senior principal at Fish & Richardson, said in criminal cases information from old cases and investigations could potentially be at risk after a compromise of the filing system. “The old information could be used to blackmail people,” he said.
While there are “real secrets” in civil litigation involving the government, like information about defense systems, Dragseth said he expect courts would have already treated that information in a special way and it might not have been affected.
A data breach of court records can also be particularly problematic for patients and health-care providers that are involved in litigation, one health privacy lawyer said.
If a health-care provider turned over patient health information during litigation and it got into the hands of someone who doesn’t have a regulatory obligation to comply with federal patient privacy laws like the federal court system, they could have to go back and explain what happened to the affected individuals “and bear the brunt of it, which in my mind doesn’t seem at all fair,” said Dianne Bourque, a member at Mintz, Levin, Cohn, Ferris, Glovsky and Popeo P.C.
“That destroys the relationship of trust that’s so critical between health-care providers and their patients,” she said.
Litigants were already making greater efforts to protect patient confidentiality, health information, or personal identifiable information in court filings by redacting documents or filings things under seal, said Scott Lashway, co-leader of the privacy and cybersecurity practice group at Manatt, Phelps & Phillips, LLP.
“We’re handling that information as if it’s a company secret,” he said. The data breach is a good reminder of why it’s so important for attorneys to be careful about ensuring they’re not unnecessarily putting a litigant at risk, Lashway said.
The implementation of new filing methods for highly sensitive documents will vary among courts, which could create a patchwork of policies.
Courts will face a logistical challenge implementing new processes “particularly at the time when many courts are trying to minimize physical filings due to the Covid-19 pandemic,” said Igor Timofeyev, a partner in the litigation department at Paul Hastings in Washington.
Lawyers will similarly find it “incredibly burdensome” to implement the new policy while working from home on tight deadlines while managing remote education, said Jaime Santos, a partner at Goodwin Procter who practices appellate litigation in Washington.
Santos said large firms with more resources at their disposal will find it easier to transition to the new way of submitting these documents than “public defenders, solo practitioners, civil rights lawyers at small organizations, and those at very small firms.”
Vanaskie, the former federal judge who chaired the Judicial Conference IT committee, said the new policy also contradicts what some courts have previously told lawyers about using thumb drives, which is “problematic.”
“We told parties ‘don’t send us a thumb drive,’” Vanaskie said. The courts didn’t want to take a risk because there could be something potentially harmful on those devices, he said.
For Blickensderfer, the Carlton Fields lawyer, thumb drives and paper documents feel like “taking a step backwards,” though he said it’s “understandable and expected to be temporary until the scope of this can be ascertained and any vulnerabilities resolved.”
—With assistance from Jacklyn Wille, Julie Steinberg, Aysha Bagchi, Daniel Seiden, Holly Barker, and Ian Lopez
To contact the reporters on this story:
To contact the editors responsible for this story: