The Administrative Office of the U.S. Courts (the “AO”) recently disclosed that it has initiated an investigation into an apparent security compromise of the Judiciary’s Case Management/Electronic Case Files System (“CM/ECF”) as a result of vulnerabilities associated with SolarWinds Orion products. The AO noted that it is currently working with the Department of Homeland Security on an audit of security vulnerabilities that may pose a confidentiality risk for non-public documents stored on CM/ECF. In other words, the AO is auditing whether sealed filings in federal cases have been compromised.
As background, SolarWinds is a vendor that works with the federal government and a range of companies to monitor their IT networks. On December 31, 2020, SolarWinds issued a security advisory noting that it was a victim of a cyberattack that exploited vulnerabilities with products utilizing its Orion software. After SolarWinds’ announcement, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued an emergency directive which calls on all federal civil agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.
According to public reporting, the SolarWinds hack may have included unauthorized access to the federal court’s electronic filing system, meaning that the hackers may have had access to documents filed under seal. As a result, the compromise has put “at risk a range of highly sensitive competitive and financial information and trade secrets, including companies’ sales figures, contracts, and product plans” that companies have filed with the courts in connection with litigation.
The Judiciary has now suspended all national and local use of its Orion IT network monitoring and management tool. In addition, under newly announced procedures, highly sensitive documents (“HSDs”) filed with federal courts will now be accepted in paper form or via a secure electronic device, such as a thumb drive, and stored in a secure stand-alone computer system, rather than uploaded to CM/ECF.
The AO anticipates each court will issue a standing order to address the types of filings that it does and does not consider to be HSDs. The AO memorandum suggests most documents similar to and including presentence reports, pretrial release reports, pleadings related to cooperation in most criminal cases, Social Security records, and administrative immigration records will likely not be sufficiently sensitive to require HSD treatment and can continue to be sealed in CM/ECF as necessary.
In the meantime, companies and firms should start taking inventory of what sensitive information has been filed under seal, whether as part of a civil or criminal federal case, and consider whether any preventive or protective measures may be possible to mitigate harms in the event that the information was compromised.