Electronic Access to Court Filings Potentially Exposing Sensitive, Personal Information

In an April 2009 press release (.pdf), the Public Access to Court Electronic Records system (“PACER”) announced that 99% of all federal courts nationwide have implemented electronic systems allowing litigants to file and review documents online. The near-complete implementation of these online systems marks an important technological and environmental milestone for the legal profession; however, it comes with considerable risks to individuals’ privacy and security: potentially limitless filings that inadvertently contain individuals’ sensitive information, including financial account numbers and Social Security numbers, may be available to anyone with an Internet connection for the small price of $0.08 per page.

On February 27, 2009, Senator Joe Lieberman (I-CT) issued a news release (.pdf) strongly criticizing the Judicial Conference (charged with formulating privacy protections for all federal court practice) in part for allowing thousands of federal filings that contain sensitive, unredacted information, including Social Security numbers, to be made publicly available online through the PACER service. These infractions were documented by Carl Malamud, the president of Public.Resource.org, a non-profit organization whose general mission is to “Mak[e] Government Information More Accessible.” Significantly, Malamud only reviewed a portion of all filings publicly available on PACER; the full scope of the number and nature of these infractions remains unknown. Malamud’s exposé of PACER has been documented by the New York Times.

The problem can originally be traced to the E-Government Act of 2002 (.pdf) (P.L. 107-347, Title II, § 205). This federal statute requires all federal courts to make their electronic filings available to the general public online. Since nearly every federal court implements an electronic filing service, this provision applies to virtually all documents filed in federal court — greatly increasing the risk that sensitive information is inadvertently published. 

To safeguard against the publication of individuals’ sensitive information, the E-Government Act broadly directed the federal judiciary to adopt uniform rules to protect sensitive information contained in court filings. These rules eventually culminated in amendments, effective December 1, 2007, to the Federal Rules of Appellate Procedure (Rule 25), Civil Procedure (Rule 5.2), Criminal Procedure (Rule 49.1), and new Bankruptcy Rule 9037. These new rules require parties to redact specific categories of information from all filings, including Social Security and taxpayer identification numbers (except for the last four digits), all names of minor children (except for initials), all financial account numbers (except for the last four digits), all dates of birth (except for the year of birth), and in criminal cases, all home addresses (except for the city and state).

A weakness in these privacy provisions, however, is that they depend solely on the conscientiousness of whoever is filing the documents to identify, and then redact, the sensitive information. This holds true whether the filer is an attorney or a layperson with no legal background. Courts are not required to review these filings before publishing them online, and in some instances, courts explicitly state that they will not review filings for any redaction. (See, for example, the press release from the District Court for the Southern District of West Virginia (.pdf) on compliance with the E-Government Act and the notice from the District Court for the District of Rhode Island (.pdf).) Therefore, at present, there is absolutely no filter or other protection that prevents a person from filing sensitive personal information in federal court and publishing this information for the general public to access.

As cases grow more and more document-intensive, it is unsurprising that people filing documents in court may overlook redacting sensitive information. This is particularly true where the sensitive information is not the client’s, but instead relates to a non-party that has no reason to be policing the court docket. For example, where an employer is sued, sensitive information of its employees may be included in the employer’s financial spreadsheets and filed in court as an exhibit during motion practice. With courts’ hands-off approach to filings, we are all in danger of having our sensitive information published online for cases that we may not even know exist.

The Judicial Conference recently issued a response to Sen. Lieberman’s letter. In its response, dated March 26, 2009 (.pdf), the Judicial Conference squarely blames litigants, and not courts, for the infractions arising from the publication of non-redacted sensitive information online, asserting that litigants alone are responsible for redacting materials under the relevant privacy rules; courts are only charged with publishing those materials. The Judicial Conference defended this policy: “[t]he litigants and lawyers are in the best position to know if such [sensitive] information is in the filings and, if so, where…Moreover, requiring court staff unilaterally to modify … documents that are filed in court was seen to be impractical and potentially compromising the neutral role the court must play.” The letter did not explain how instructing court clerks to assist in the ministerial task of redacting sensitive information, even of non-parties unrelated to the case, would “compromis[e] the neutral role the court must play.”

However, the Judicial Conference did acknowledge that the reported instances of electronic filings containing sensitive information are “disturbing and must be addressed,” and insisted that its Privacy Subcommittee is continuing to assess whether any additional privacy rules should be implemented to safeguard that information. Moreover, the Judicial Conference explained that while it continues to assess the issue more carefully (including by exploring empirical data on the number of infractions), it has encouraged all clerks of court to remind all parties about their obligations to redact sensitive information, and has encouraged all courts to submit privacy recommendations for possible national adoption.

In the meantime, the safekeeping of our sensitive information in federal court filings, available to the public online, remains solely in the hands of whoever is filing those materials.


3 thoughts on “Electronic Access to Court Filings Potentially Exposing Sensitive, Personal Information”

  1. A small correction. The problem of increasing electronic disclosure of private information in court filings cannot “originally be traced to the E-Government Act of 2002” but rather to the inception of various electronic access mechanisms that were well underway by the 2002 Act. PACER existed for 15 years before the Act, and court web sites had been publishing various documents on their local sites for a long time. The dilemma is created by the overall shift toward digitization of the public record. I would not characterize this as an inherent problem, or blame a particular statute, so much as I would emphasize the need for technology-appropriate information management policy. In that sense, the 2002 Act and the subsequent Judicial Conference rules are the first set of answers to that dilemma (albeit perhaps insufficient).

  2. The privacy issues surrounding user-generated content in the context of PACER and federal court filings are especially interesting. For instance, does the litigation privilege that immunizes a filing from claims of defamation also protect against privacy claims? I generally agree with Steve that there is nothing innately wrong with a law that requires public documents filed in court to be accessible to the public online. But, from our perspective in 2009, it seems shortsighted to make any volume of information publicly available without considering and planning for the potential impact. Government regulators have started imposing higher standards on businesses, so it seems high time that the court system spent some time updating its own information management policies.
    Lest anyone think that the federal court system is indifferent to the privacy issues, I have found the clerk’s office in the District of Massachusetts and at other federal courts to be extremely sensitive to these issues, even before the change in the rules. In one case a few years ago, an opposing party submitted several exhibits containing an individual’s name, address and Social Security number, and mentioning this to the clerk’s office resulted in the material being removed immediately. In the absence of automatic tools, I would think that lawyers and court staff have a duty to be monitoring and policing the matters they are overseeing. This may not be a perfect system, but I can think of few security measures that would be.
