Protecting Sensitive Court Filings After Recent Cyber Breach

Recent cyberattacks targeting federal and state court filing systems have raised serious concerns about the security of highly sensitive materials filed under seal in civil litigation matters.

Beginning in July, at least a dozen district courts across several U.S. states are believed to have been directly affected by the ongoing compromise of the federal digital case filing system, known as Case Management/Electronic Case Files, or CM/ECF.  These attacks, which the federal judiciary disclosed in August, potentially exposed confidential data, including sealed filings and informant identities.

They laid bare an uncomfortable truth: Parties cannot always assume that documents properly filed under seal in the CM/ECF system will remain nonpublic, and parties must apply additional mitigating controls to minimize exposure when a breach occurs. 

Malicious actors have continued to target federal and state courts with increasingly sophisticated and successful cyberattacks.  Multiple state courts have reported successful attacks from hackers in recent years, ranging from denial of service to ransomware.[1]

In certain cases, court systems have taken months to get back online. At the federal level, the recent sophisticated and persistent cyberattack announced by the Administrative Office of the U.S. Courts this summer stands as the most serious reported threat to the CM/ECF system since hackers exploited the SolarWinds Orion products in 2020. The SolarWinds compromise also led to an "apparent compromise of the confidentiality of the CM/ECF system," according to an Administrative Office press release at the time.[2]

Consequently, organizations must view the security and confidentiality controls of these courts with increased skepticism. 

The 2020 SolarWinds attack led to the creation of new procedures by the Administrative Office of the U.S. Courts in January 2021 regarding the treatment of highly sensitive court documents, or HSDs. These HSDs represent a subset of documents filed under seal that require an even higher level of protection. Under the updated HSD protocol, HSDs would be accepted only in paper form or on a secure electronic device (e.g., a thumb drive with password-encrypted data) and would not be uploaded to CM/ECF, but rather uploaded to a secure, stand-alone system.

The HSD protocol created a new patchwork of local rules for protecting HSDs filed under seal, but these rules generally have remained limited to national security-related documents, and they are not accessible to most civil litigants. For example, the U.S. District Court for the District of Delaware's standing order lists documents implicating national security, cyber investigations and public corruption investigations that are especially sensitive as HSDs.[3]

But there are other situations where similarly enhanced protection is warranted for sensitive materials filed under seal, such that civil litigants should consider their options for minimizing the risk of unauthorized exposure.

Key Implications

The most recent attack on the CM/ECF system will have lasting impacts, both immediate and long term.

Changes to Filing Procedures

The 2025 CM/ECF incident prompted emergency security measures and procedural updates across multiple jurisdictions.  More than a dozen federal district courts have already announced updated procedures that require paper copy filings of sealed documents and do not allow parties to upload sealed documents electronically.

For example, the U.S. District Court for the Western District of Oklahoma requires that "[t]o better ensure the security of information in sealed filings, effective August 11, 2025, sealed documents must be filed conventionally over the counter at the Court Clerk's Office."[4]

The number of courts that are returning to paper copies will likely only increase.  For parties, it is a throwback alternative that should not be overlooked.

Increase in Court Filing Cybersecurity Risk Levels

This summer's attacks — believed to be linked to nation-state actors or organized crime networks — underscore the vulnerability of court infrastructure and the potential risks to corporate litigants.

Indeed, the breach only serves to validate congressional testimony provided in late June by U.S. Circuit Judge Michael Scudder, the chair of the Committee on Information Technology, on behalf of the Judicial Conference of the U.S. He testified that "[b]ased on extensive internal and external analyses, we have concluded that CM/ECF and PACER are outdated, unsustainable due to cyber risks, and require replacement."[5]

Organizations should reassess cyber risk levels applicable to sensitive court filings and what mitigating controls are required to meet standards of reasonable data security. 

Reassessment of Litigation and Filing Strategies

In-house counsel should reassess their litigation strategies in tandem with internal security and privacy teams, particularly when filing documents under seal. 

Mitigating controls can include: robust encryption; filing only relevant excerpts from larger sensitive documents; conventional, hard-copy filing under seal; employing cybersecurity-enhanced protective orders; use of limited-access protocols; and proactively addressing incident response plans and responsibility should a breach occur. 

The time for the parties and the court to confer regarding such measures is early in litigation involving relevant sensitive information, not when they may be pressed to meet filing deadlines or after an incident occurs. 

Key Considerations: What Parties Should Be Doing Proactively

Organizations should consider several controls to help safeguard sensitive data in filings.

These considerations generally fall into three categories: (1) addressing the security of sensitive documents filed with the court; (2) minimizing the sensitive content included in documents filed with the court; and (3) continuing to leverage protective orders to address the security and confidentiality of sensitive litigation data stored within the organization, at law firms, at vendors and with opposing parties.  

Addressing Security and Confidentiality of Sensitive Documents Filed With the Court

Know the court's requirements and procedures for filing documents under seal or as HSDs.  For law firms and organizations that are filing sensitive documents, the best approach will depend on the court, and the local rules and procedures that it has adopted. 

If you are filing a document under seal in a court that has adopted new sealing protocols, follow the new protocols.  If you are filing a document under seal in a court that has not adopted new sealing protocols, explore an opportunity to classify sealed filings, or at least treat them electronically, as an HSD. 

Courts have typically hesitated to classify most types of documents in civil cases as HSDs.  But given the most recent data security incident, coupled with the public congressional testimony regarding the state of CM/ECF, consider requesting that sealed filings be provided the same protections as HSDs.  This would align with the recent procedures outlined by a number of federal courts since the 2025 CM/ECF breach.

If you cannot have the document classified as an HSD, explore the opportunity to file it under seal in paper form or with encryption applied.  Parties filing documents under seal in districts that have not modified sealing protocols should consider asking the court's permission to file documents that do not rise to the level of HSDs under seal in encrypted form, as a hard copy or otherwise saved in a location separate from CM/ECF. 

Minimizing Sensitive Information Included in Court Filings

Given these developments, law firms, government entities and organizations should take steps to avoid or minimize including sensitive information in court filings and follow these best practices.  

Identify and classify sensitive data early.

During discovery and prefiling review, inventory documents for national security information; trade secrets; nonpublic intellectual property; personally identifying information, especially sensitive personally identifying information and information about minors; or data, the disclosure of which could cause catastrophic harm.  

These materials may require HSD treatment or special, cybersecurity-enhanced protective orders.  Documents that are merely proprietary or confidential — e.g., most sealed civil filings — may be filed under existing sealing procedures.  But they usually still require justification — following the court's procedures for filing materials under seal — to do so.

Limit confidential material in court filings.

Draft pleadings, briefs and other submissions to minimize the inclusion of sensitive data. Where possible, use redaction, pseudonymization or generic descriptions.

For matters involving minors or sensitive personal data, request sealing under applicable rules — e.g., North Carolina Appellate Rule 42 — and ensure that confidential records are sealed at the trial level.

Additionally, parties should negotiate sealing orders or agreements that allow only the relevant excerpts of a sensitive document to be filed under seal, not the entire document.

Including Robust Data Privacy and Cybersecurity Measures in Protective Orders

Traditionally, parties and courts have relied upon protective orders as a primary method of limiting who can access or use materials produced in the course of discovery.  Because the Federal Rules of Civil Procedure do not provide particularized guidelines for courts to consider when issuing protective orders, the approaches to doing so can vary significantly. 

Therefore, if not approached mindfully, protective orders may not contain sufficient guidance, proscriptive detail or defined remedies to adequately minimize the risk that a responding party might have its confidential, sensitive, or protected information later involuntarily disclosed to or accessed by unauthorized parties.

As the U.S. Court of Appeals for the Federal Circuit recognized in its 2010 decision in In re: Deutsche Bank Trust Co. Americas, "there may be circumstances in which even the most rigorous efforts of the recipient of such [sensitive] information to preserve confidentiality in compliance with ... a protective order may not prevent inadvertent compromise."[6]

Indeed, media headlines in recent years tell us that law firms have become attractive targets for hackers and cyberattacks, due to a combination of lagging security and a reputation for housing high-value data.  Similarly, service providers, court reporters, and testifying and consulting experts engaged by litigants and their counsel can often stand in the same bull's-eye drawn by malicious threat actors who seek to access and exploit nonpublic information.

Litigants negotiating protective orders should therefore consider including data security and privacy issues in protective orders as a matter of course.  Protective orders should address security measures reasonably required to protect information subject to personal privacy, trade secret and confidential obligations, considering that litigants and their counsel will have varying levels of resources at hand.  

At a minimum, protective orders should address: (1) security in connection with the transfer and storage of electronic information and paper records, e.g., secure transfer methods, access controls and encryption; and (2) the steps the requesting party should take in response to a data breach or other security incident involving the responding party's information, including prompt notification to the responding party.  

In defining these security measures and breach response protocols, the terms should consider the fact that technology changes rapidly, and that anything too granular or detailed will be more likely to become outdated.  

For example, as the Federal Circuit noted in its 2016 decision in Drone Technologies Inc. v. Parrot SA, "it is well recognized … that source code requires additional protections to prevent improper disclosure because it is often a company's most sensitive and most valuable property."[7]

Accordingly, courts will often impose restrictions on the inspection and production of source code, sometimes only allowing inspection on a secured computer in a secured room without internet access or network access to other computers.  Even when courts allow production of source code, they will weigh the risk of disclosure and harm to the producing party with the need for the requesting party to have the information necessary to properly prepare its case.

Protective orders or case management orders should also address the procedures to be followed when highly sensitive or confidential information needs to be submitted to the court or to the trier of fact in an evidentiary motion or proceeding.  This may include requiring that such information is only reviewed in camera by the court or, at a minimum, is filed under seal with the court.  Use and display of highly sensitive or confidential information in the courtroom should also be tightly controlled.

Conclusion

The high-value information that passes through court and legal organization systems has become an increasingly high-profile target for malicious actors, and the threats are only likely to grow over time. 

The entire legal system needs to build protections against these threats at all stages of the process to better protect litigants' sensitive information and proprietary data. 

Martin T. Tully is a partner, Kevin M. Benedicto is counsel and Michael C. Kearney is a director at Redgrave LLP.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of their employer, its clients, or Portfolio Media Inc., or any of its or their respective affiliates.  This article is for general information purposes and is not intended to be and should not be taken as legal advice.  

[1] See, David Brown, State and Local Courts Struggle to Fight Increasing Cyberattacks, State Court Report, (June 5, 2024), https://statecourtreport.org/our-work/analysis-opinion/state-and-local-courts-struggle-fight-increasing-cyberattacks

[2] Administrative Office of the US Courts, Judiciary Addresses Cybersecurity Breach: Extra Safeguards to Protect Sensitive Court Records, Jan. 6, 2021, https://www.uscourts.gov/data-news/judiciary-news/2021/01/06/judiciary-addresses-cybersecurity-breach-extra-safeguards-protect-sensitive-court-records.

[3] See, In Re Amendment to Procedures for Requesting, Filing, and Management of Highly Sensitive Documents (D. Del. S.O. Feb. 20, 2025), https://www.ded.uscourts.gov/sites/ded/files/news/HSD-Standing%20Order.pdf.

[4] See, In re: Updated Policies and Procedures for Sealed Documents, Order (W.D. Okla. S.O. Aug. 8, 2025), https://www.okwd.uscourts.gov/sites/okwd/files/GO%2025-5.pdf.

[5] See, U.S. H.R., Committee on the Judiciary Subcommittee on Courts, Intellectual Property, Artificial Intelligence and the Internet, p. 4, (June 24, 2025) (Statement of Hon. Michael Y. Scudder, Jr., Chair, Judicial Conference Committee on Information Technology) https://docs.house.gov/meetings/JU/JU03/20250624/118401/HHRG-119-JU03-Wstate-ScudderM-20250624-U2.pdf.

[6] In re Deutsche Bank Trust Co. Ams., 605 F.3d 1373, 1378 (Fed. Cir. 2010).

[7] Drone Techs., Inc. v. Parrot S.A., 838 F.3d 1283, 1300 n.13 (Fed. Cir. 2016) (internal citations omitted).