Utah Bar Journal

Managing Pandora's Box: Recognizing and Handling the Privacy Risks Associated with Electronic Access to Court Records

by Cameron L. Sabin & Kenneth B. Black

Introduction
The Internet is rapidly changing the ways in which federal courts handle records. While these changes offer advantages to courts and practitioners alike, they also open a potential Pandora's Box with respect to the privacy of client information. In 2001, the Judicial Conference Committee on Court Administration and Case Management on Privacy and Public Access to Electronic Case Files (the "Judicial Conference Committee") first recommended a policy for federal courts to begin making court records available over the Internet through the Public Access to Court Electronic Records system ("PACER").1 Consistent with that policy, the United States District Court for the District of Utah has, for several years now, made certain court filings available electronically over the Internet through PACER. While not all documents filed in Utah federal court are currently available through PACER (for instance, exhibits and affidavits are not currently being scanned), those that are available can be obtained easily with a password and the click of a mouse. The document images currently available from the court are created by scanning documents delivered to the court for filing in paper form. In addition, beginning in 2005, practitioners will be able to file most court documents in Utah federal district court electronically through the Case Management Electronic Case Files filing system ("CM/ECF"). Electronic filing through CM/ECF will become mandatory for almost all court documents. This means that many more court documents will be available electronically to anyone willing to pay seven cents per page to view, save, and/or print them.

The transition to the PACER and CM/ECF systems is part of an effort within the federal court system to provide greater and more convenient access to court records by making them available over the Internet.2 Electronic access to and filing of court documents offers practitioners a number of advantages over traditional paper filing systems. For instance, electronic access and filing systems afford attorneys the convenience of filing and obtaining documents remotely. They also reduce costs associated with manual filing, such as copying, postage, and courier costs. In addition, electronic filing provides instantaneous service of pleadings on the parties to an action.

Even so, electronic case management systems also present risks, particularly with respect to the potential disclosure or misuse of confidential client information. Although court documents have always been available to the public, traditional filing systems have required an individual to obtain physical records from a courthouse and manually review them for information. The attendant inconvenience has reduced the likelihood that private information contained in court records would be the subject of public misuse. However, on-line case management and filing systems make accessing court information simple and convenient, increasing the likelihood that confidential information will be available to a larger audience. After all, electronic filing systems are not restricted to legal professionals. While the extent to which electronic court records are misused is unknown, maintenance of court records in electronic, searchable databases raises the specter that misuse may become common - that electronic access will facilitate identity theft, corporate espionage, or other improper activities.

Documents filed under CM/ECF will almost all be in "text PDF" form, in which the text of the document is embedded in the PDF (i.e., "portable document format") image filed with the court. Text PDF documents can be created from any word processor, in a process similar to printing. It is possible to search text in a text PDF document and copy and paste text from such a document. These operations are not possible with a PDF document created by scanning, which is only an image with no embedded text.

The change in the type of PDF file - from a scanned PDF to a text PDF - enhances the possibilities for data miners' use of court files. Information harvesters can set up automated routines to search all filed documents (if they are willing to pay the per-page fee) and load them onto their own servers, or more critically, glean sensitive information, such as home addresses, social security numbers, and financial information.

Given that many court records filed in Utah federal district and bankruptcy courts are now available over the Internet, and that many more soon will be, in an even more accessible format for information harvesters, practitioners should be aware of (1) the privacy concerns associated with PACER and CM/ECF; (2) the potential liability they may face for failing to protect client information; and (3) the ways in which they can protect sensitive client information.

Privacy Concerns Associated with Electronic Access & Filing
Certain types of cases (for instance, bankruptcy, intellectual property, criminal and some commercial cases) inherently involve confidential client information. Such information may include: social security numbers; dates of birth; addresses; bank account numbers or other financial information; information about individuals' credit, medical or work histories; proprietary, trade secret or other business information; the names of minors; or an individual's criminal background. In other cases, a client may wish to protect specific, compromising or embarrassing information. Clients plainly have a legitimate interest in protecting their confidential information from disclosure.

Nevertheless, in practice, confidential client information is frequently disclosed for various reasons. Disclosure may be required in some cases by statute, case law, or court rule. Counsel may also need to disclose sensitive information to strengthen a client's position or to make an argument more compelling. Finally, client information may be mistakenly disclosed in court filings. Regardless of the reason for disclosure, in light of the transition to PACER and CM/ECF, counsel should consider the privacy concerns associated with such systems in assessing whether disclosure - or disclosure in a particular manner - is indeed prudent. In particular, counsel need to be aware of privacy concerns related to inadvertent disclosure and intentional misuse of client information.

Inadvertent Disclosure
In this context, "inadvertent disclosure" may refer to two separate concerns. First, as one might assume, inadvertent disclosure may simply refer to the unintended disclosure of confidential information. However, it may also refer to the disclosure of information beyond its intended audience or for an unexpected purpose. For instance, information that a client expected only to be used for purposes of a motion may, to the client's surprise, be discovered and revealed to the public. Electronic access and filing systems accentuate both of these concerns.

While the unintentional disclosure of confidential client information may occur whether a document is being filed electronically or through paper filing, electronic filing creates new risks. For example, documents filed in the CM/ECF system must be converted into PDF files prior to filing. PDF files are generally considered to be safer than Word or WordPerfect files because they do not contain "metadata," or data fragments that can be reconstructed by a recipient to reveal edits or changes made to a document. Nevertheless, it has been shown that certain methods of redacting information using PDF software are ineffective or actually disclose information that was intended to be maintained in confidence.3 Thus, an attorney filing an electronically redacted document may unwittingly reveal client information she intended to keep confidential.

Electronic access and filing systems also create risks that client information disclosed for purposes of litigation may be unexpectedly used for other purposes. As noted above, under traditional filing systems, the difficulty and inconvenience of obtaining court records reduced the likelihood that client information would be obtained and used for unintended purposes. However, documents made available electronically through PACER are accessible to anyone with a password to the system, and obtaining a PACER password is simple. An individual need only create a PACER account using a credit card and wait a few weeks to receive the password. Moreover, PACER is a searchable database, making it possible to locate cases by merely entering a party's first or last name. Thus, an individual interested in learning about his neighbor's bankruptcy, financial status, past criminal behavior, or other embarrassing information, may do so by entering his neighbor's last name into PACER and accessing documents linked to the case file. Given the ease with which information can be obtained through PACER, private investigators, collection agencies, the media, and others are highly likely to access it.

Intentional Misuse
Potentially more serious than concerns associated with inadvertent disclosure are those related to the intentional misuse of electronic court records. Information in court records may be used to facilitate identity theft, corporate espionage, unfair competition, unwanted solicitations, or other commercial activities.

Identity Theft
One of the greatest potential problems associated with on-line access to court records is that information disclosed in court filings may be used to perpetrate identity theft. As more personal information is maintained in the public domain, identity theft has become one of the fastest growing crimes in the United States.4 It is not difficult to obtain the information necessary to perpetrate identity theft. The Federal Trade Commission has warned that, in order to steal an individual's identity or open a fraudulent credit account, a thief may need only a victim's name, social security number, and date of birth.5 Given that this personal information is often contained in a case file, many have expressed reservations about the courts' decision to make records available over the Internet. These concerns are heightened due to the existence of the U.S. Party Case Index.

The U.S. Party Case Index is a national database that functions in conjunction with PACER. It contains a subset of information from cases filed in U.S. district, bankruptcy, and appellate courts and was created to facilitate the rapid retrieval of case information across multiple jurisdictions.6 The U.S. Party Case Index serves as a "locator index" for cases available on PACER.7 By accessing the Index, an individual can search for cases by name, social security number (for bankruptcy cases), or by the nature of the suit.8 Once the desired cases are identified, the individual can then access PACER to obtain more particular information about them.9 Cases available in the Index often contain a link directly to PACER.

While the U.S. Party Case Index offers a convenient method for tracking court information nationally, it also provides identity thieves a simple means to obtain precisely the information they need to perpetrate their crimes. Since the Index allows searches to be conducted according to the type of claim, "[a] thief need only determine which type of claim would most likely require filings containing the information necessary to steal an identity and conduct the search."10 Moreover, maintaining case records in an easily searchable format raises concerns about criminals' ability to run mass, automated data searches to mine particular information from court records throughout the country. Indeed, commercial providers are already developing software to navigate PACER, download information from cases, and print filings from those cases. If such programs are available commercially, then more treacherous versions of similar software likely exist privately.

Commercial Use and Misuse of Court Information
The use and misuse of client information for commercial purposes is another potential problem associated with electronic court records. Posting court information on-line makes it possible for individuals and companies to access court filings to obtain trade secrets, insider information, or confidential financial information. It also permits solicitors to obtain the information necessary to target parties with junk-mail, spam, or other unwanted solicitations.11 In addition, court information may be gathered, repackaged, and then sold to insurance companies, "banks, realtors, investment firms, credit card companies, advertisers, landlords, retail merchants," etc.12 The information may then be used to make insurability, credit, lending or leasing decisions. As one commentator puts it, "data is gold, and buyers will pay a premium for it."13

Added to these data-gathering issues are concerns about the accuracy of the information gathered. Companies compiling customer information from court records may make mistakes. When the erroneous information is then passed along to the end-user, it will be assumed to be accurate because it was derived from court records. The incorrect information could eventually prejudice a customer's ability to obtain credit, insurance, or other services.

Suffice it to say that, as courts have made records accessible electronically, numerous risks associated with including private client information in court filings have surfaced. With the evolution of technology, new risks will undoubtedly arise. Legal practitioners must be aware of these risks as they develop and take steps to protect client information from disclosure or to limit the information that is disclosed. Otherwise, counsel may expose themselves to malpractice or other forms of liability.

The Potential for Malpractice and Other Liability
Practitioners' failure to protect confidential client information from disclosure or to limit the information that is disclosed in court filings may expose them to malpractice or other forms of liability. Indeed, some courts have held that an attorney's unauthorized disclosure of confidential client information or failure to protect confidential client information may constitute malpractice or a breach of fiduciary duty.14

To establish a claim for legal malpractice in Utah, a client must establish "(1) an attorney-client relationship; (2) breach of the attorney's fiduciary duty to the client; (3) causation, both actual and proximate; and (4) damages suffered by the client."15 A demonstrated failure to adhere to ordinary standards of professional competence is the touchstone of malpractice: "The client must show that if the attorney had adhered to the ordinary standards of professional competence and had done the act he failed to do or not done the act complained about, the client would have benefited."16

When the Judicial Conference Committee first proposed making court records electronically available in 2001, it proposed recommendations for district courts' adoption.17 These recommendations encouraged counsel and courts to take specific actions to protect client information that would be made available through PACER and to prevent its misuse. While these recommendations were perhaps intended only as guidance, some have suggested that they constitute much more - that they are evidence of standard practice and that noncompliance with them is evidence of malpractice.18 Although this view has not yet been embraced by the courts, many courts, including the Utah federal district court, have adopted the recommendations and signaled that they may be more than just guidance. In a recent mailing entitled "News from the Court," the Utah federal district court warned practitioners to observe certain filing requirements "[t]o avoid possible liability."

Balancing Disclosure with the Privacy Concerns of Clients
Given the potential for liability and the privacy concerns associated with the transition to PACER and CM/ECF, practitioners may rightly ask how they can protect themselves from being squeezed between this apparent "rock and a hard place." While there are not ready solutions to all of the dilemmas counsel will face when dealing with PACER and CM/ECF, there are discrete steps that counsel can take to reduce the risks.

Protecting or Minimizing the Disclosure of Client Information
Practitioners may protect client information and themselves by taking steps to prevent the disclosure of certain information or to minimize the information disclosed in court filings. Law offices may develop internal protections to ensure that attorneys do not intentionally disclose client information in court filings. Given that the Utah federal district court is moving to electronic filing, this may include ensuring that software programs function properly to protect client information from unintended disclosure. Counsel may also resort to traditional methods of protection, such as seeking protective orders or leave to file case materials under seal. And, in light of the E-Government Act of 2002, courts should be more inclined to allow parties to file documents under seal.19

Counsel may also take measures to limit the information that is disclosed in court filings. This may be done by redacting confidential information. For instance, the Utah federal district court has issued filing requirements mandating that counsel redact certain personal data identifiers from documents or, if they are required to be included, to disclose only part of the needed information. Specifically, the courtÕs policy states:

¥ For Social Security numbers, include only the last four digits;

¥ For minor children, include only the child's initials;

¥ For dates of birth, include only the year;

¥ For financial account numbers, include only the last four digits;

¥ For home addresses, include only the city and state; if foreign, only the country.20

In addition, the court has advised that parties "exercise caution" when filing documents that include driver's license or other identifying numbers; information about medical treatments, diagnoses, or care; an individual's employment history or financial information; or proprietary or trade secret information.21

Counsel may also take steps to ensure that redaction techniques are permanent and effective. As technology has developed, this has become more difficult. Some methods of redacting documents electronically may be ineffective or easily bypassed. Moreover, in recent months, researchers have developed software techniques that will identify redacted words even in hard copies of documents.22 Thus, counsel will likely have to determine the most effective way of redacting information in documents, given the type of information involved.

Finally, counsel may protect client information by limiting the information that is disclosed in court documents. This can be done by disclosing only information that is vital to the client's case. It can also be accomplished by entering into stipulations, where possible, on undisputed issues so as to avoid the need to disclose certain information.

Despite their best efforts, counsel should recognize that some private or confidential information will be disclosed and made electronically available. Under the federal court policy approving of electronic access and filing, most information filed with the court is presumed to be "public" in nature. Moreover, a court may refuse to grant a protective order or a request for leave to file documents under seal. Thus, there will be instances in which a client may have to risk that information disclosed in court filings will be made public or misused.

Client Notification
Attorneys can also provide effective representation, while protecting themselves from liability, by discussing with clients at the commencement of a case the privacy concerns associated with electronic court records. For example, counsel may want to:

¥ notify a client of the potential that information disclosed in court filings may be obtained by others and potentially misused;

¥ identify specifically the information the client is concerned about disclosing in court filings;

¥ discuss what information must or may need to be disclosed during the course of a case;

¥ inform the client that the client has a responsibility to call the attorney's attention to any sensitive information that may need protection; and

¥ discuss ways in which information that is disclosed may be protected from further disclosure or restricted to limit the client's risk.

Finally, counsel may include information regarding the risks associated with PACER and CM/ECF in an engagement letter to the client. These steps will not only help clients understand the risks, but will offer counsel protection against malpractice or other claims.

Conclusion
The District of Utah's transition to PACER and CM/ECF offers practitioners an efficient, convenient way to file and retrieve court records. It also cracks open a potential Pandora's Box of confidential client information. Enjoying the convenience of online access, while at the same time managing the lid on the Box, will require practitioners to remain vigilant. Counsel must in each case identify the information a client wants kept in confidence and must also understand the ways in which such information can be inadvertently disclosed or misused. Counsel should also stay abreast of ways in which they can avoid or limit the disclosure of confidential information. Given the rapid evolution of technology, lawyers and their firms face a continuing challenge. By staying educated on the risks associated with electronic access and filing systems and by implementing procedures to protect confidential client information, attorneys can ensure that the transition to PACER and CM/ECF does not put clients and their confidential information at undue risk and can assist the courts in developing ways to continue to protect that information.

The authors gratefully acknowledge the guidance and editorial assistance of The Honorable David O. Nuffer, United States Magistrate Judge for the District of Utah, who contributed substantially to this article.

1. See Judicial Conference Committee on Court Administration and Case Management on Privacy and Public Access to Electronic Case Files, Report of the Judicial Conference Committee on Court Administration and Case Management on Privacy and Public Access to Electronic Case Files at 1 (adopted Sept. 2001), available at www.privacy.uscourts.gov/Policy.htm (last visited October 19, 2004)[hereafter referred to as "Report of Judicial Committee"].

2. Id.

3. See John Anderson, Maryland State Bar Association, Inc., Document Security (April 2004), available at http://www.appligent.com/news/news_articles/current_news_ pdfs/MSBA0404.pdf; Betsy Reynolds, Anticipating the Courts' Moves; Manatt Phelps Sets Up E-Filing Protocols, Law Tech. News at 31 (July 14, 2004).

4. Tony Perry, The State; 21 Indicted in Alleged Identity-Theft Scheme, L.A. Times at B6 (Nov. 19, 2003); see also FTC, FTC Releases Top 10 Consumer Complaint Categories in 2002 (January 22, 2003), available at www.ftc.gov/opa/2003/01/ top10.htm (last visited Aug. 26, 2004).

5. FTC, ID Theft: When Bad Things Happen to Your Good Name 1, 3-4 (Nov. 2003), available at www.ftc.gov/bcp/conline/pubs/credit/idtheft.pdf (last visited Oct. 19, 2004); see also Michael Caughey, Comment: Keeping Attorneys from Trashing Identities: Malpractice as Backstop Protection for Clients Under the United States Judicial ConferenceÕs Policy on Electronic Court Records, 79 Wash. L. Rev. 407, 413 (Feb. 2004).

6. Public Access to Court Electronic Records, U.S. Party Case Index Overview, available at www.pacer.psc.uscourts.gov/uspci.html (last visited Aug. 25, 2004).

7. Id.

8. Id.

9. See Kristen M. Blankley, Note: Are Public Records Too Public? Why Personally Identifying Information Should Be Removed from Both Online and Print Versions of Court Documents, 65 Ohio St. L.J. 413, 426-27 (2004).

10. Caughey, supra note 6, at 413.

11. Sharon D. Nelson & John W. Simek, American Bar Association, Going Online E-Filing Primer, 18 GPSolo 41, 44 (Dec. 2001), available at Lexis.com (last visited Aug. 28, 2004).

12. Id. at 43.

13. Id.

14. See, e.g. Johnson v. Sawyer, 680 F.2d 1490, 1499 & n.36 (5th Cir. 1992) (noting that, under Texas law, a lawyer can be held to be statutorily liable for disclosing confidential client information); Alleco, Inc. v. Harry & Jeanette Weinberg Foundation, Inc., 665 A.2d 1038, 1043 (Ct. App. Md. 1995) (holding that an attorney breaches his fiduciary duties to his client by disclosing confidential information to third parties); Gaylor v. Hobdy, No. B162110, 2003 Cal. App. Unpub. LEXIS 12184, at *14-16 (Ct. App. Ca. Dec. 30, 2003) (same); Welty v. Criscio, 2000 Conn. Super. LEXIS 1298, at *7 (Sup. Ct. Conn. May 16, 2000) (same).

15. Roderick v. Ricks, 54 P.3d 1119, 1125 (Utah 2002) (quoting Kilpatrick v. Wiley, Rein & Fielding, 909 P.2d 1283, 1290 (Ut. Ct. App. 1996)).

16. Harline v. Barker 854 P.2d 595, 600 (Utah Ct. App. 1993).

17. See Report of Judicial Committee, supra note 1.

18. See Caughey, supra note 6.

19. See E-Government Act of 2002, Pub. L. No. 107-347, ¤ 205(c)(3); 116 Stat. 2915, 2914 (codified as 44 U.S.C. ¤ 3501 (2004)).

20. Office of Clerk of the Court, U.S. District Court, District of Utah, Notice to Members of the Bar and Litigants (Updated Oct. 20, 2004), available at www.utd.uscourts.gov/documents/privacy_ntc.html (last visited Oct. 19, 2004).

21. Id.

22. See John Markoff, Illuminating Blacked-Out Words, N.Y. Times.com (May 10, 2004), available at www.nytimes.com/2004/05/10/technology/ 10crypto.html?ex=1085234968&ei=1&en=80ec08dacc3d3249.

Posted by at May 3, 2005 01:13 PM