The Security of Judicial Information
On electronic discovery issues we tend to focus on the early stages – identification and preservation. But what happens at the end of the process? After all, the purpose of electronic discovery is to help the parties settle their case and ultimately prepare for trial. When cases do get to that stage, and the parties have gathered, reviewed and produced their “ESI”, can they be sure that the court will handle the evidence in a way that keeps it secure?
Because not all governments and court administrators have developed appropriate systems for e-trials, some judges have taken it upon themselves to foster and manage the use of technology in the courtroom. What happens to your client’s exhibits when they are handed to the judge on a CD? For that matter, how is the draft decision in your case – being prepared on the judge’s laptop – protected from loss, or breach of privacy? Does the court have a backup of your electronic appeal book, and if so, who has access to it?
The Judges Technology Advisory Committee (“JTAC”) of the Canadian Judicial Council is currently in the final stages of revising its landmark Blueprint for the Security of Judicial Information (“Blueprint”). Originally published in 2004 and updated in 2006, the 2009 version is a document that all judges and lawyers should be anticipating. Why?
The paperless court is a reality in a growing number of jurisdictions. But as counsel hand up CDs of scanned documents or USB drives with electronic evidence, as electronic appeal books are copied onto court networks, or as pleadings are uploaded to e-filing systems, how much thought is put into the security of all that information?
By the late 1990s some federally-appointed judges were awakening to the possibility that their increasing use of technology on and off the bench was subject to certain risks, not only due to the inherent limitations of digital technology, but to the structural design of court technology infrastructure. Some of their key concerns were:
- Do the provincial systems supporting judicial use of technology meet industry standards for security?
- Is judicial use of computers in the courthouse subject to monitoring by administrative staff?
- Do the acceptable use policies that apply to government employees apply to judges?
- Who is accountable for the security of judicial information?
To answer some of these questions, the Canadian Judicial Council (whose mandate is federal) surveyed every court with federally-appointed judges with a comprehensive questionnaire. The survey was prepared and the results compiled by JTAC. In November 2001 JTAC reported its findings to the Council, making the following recommendations among others:
That the Canadian Judicial Council consider conducting a seminar at its next mid-year meeting to review urgent security issues identified in [the report].
That the Canadian Judicial Council ask all provincially and federally appointed chief justices/judges to:
(a) Establish security of the court’s information system as a priority;
(b) Ensure that policy development takes place at an early stage before the conversion to an electronic environment;
(c) Identify and secure the necessary financial, staff and other resources that are critical to implementation of appropriate security measures;
(d) Ensure that a technology staff member who is accountable to the chief justice/chief judge be appointed to manage the court’s security operations.
To achieve uniformity, that the Canadian Judicial Council take a leadership role by authorizing the Judges Technology Advisory Committee to develop a blueprint that addresses recommended security procedures for all Canadian courts, and ensure that resources are made available to the Committee for that purpose.
The recommendations were accepted, and work began on several policies and awareness training programs. The most significant of these, the Blueprint for the Security of Judicial Information (“Blueprint”), was released in 2004 after an extensive period of consultation.
The Blueprint defines the scope of “judicial information” and establishes the principle that if judges are to be accountable in some way for the security of judicial information, they must be involved in a policy-making role. The Blueprint recognizes that judges and court administrators must work together to strengthen security, but it also focuses on three key concerns: first, there must be no content monitoring of judicial work (this is covered in detail in a separate 2002 policy); second, “Every jurisdiction must ensure that a Judicial IT Security Officer who is accountable to the judiciary be appointed to oversee the management of court information technology security operations” (Policy 1) and third, judicial information – at every stage in its lifecycle – must be segregated from non-judicial information. Policy 10 states:
The configuration of a court’s access control systems must support the principle of judicial independence. Judicial users should be provided with exclusive access to their own network resources unless it can be shown that network architecture, configuration, access controls, operational support and information classification schemes are sufficient to provide the highest level of confidence in the segregation between judicial and non-judicial information, and compliance with this Blueprint and the CJC Monitoring Guidelines.
The Blueprint has had an enormous impact on courts and judges. Since the initial Blueprint was published about five years ago, almost every court across the country has (a) assessed its security systems in relation to the Blueprint; (b) adopted a version of the Blueprint as its security policy and (c) made significant changes to the way judicial information is managed. In addition, at least four courts have now designated “Judicial Information Technology Security Officers” or the equivalent, who help develop policies and monitor compliance from a judicial point of view.
The best hardware, software and network security systems are powerless against users who refuse to follow rules, and imposing lock-downs on an independent judiciary is not always easy. Lawyers should be aware that since the turn of the century federally-appointed judges have participated in extensive information security training, organized and presented by the National Judicial Institute and by individual courts.
JTAC is committed to updating the Blueprint on a regular basis. The 2009 draft was approved by JTAC in June and will be considered by the Council at its next meeting. Once translated into French, it will be posted on the Council’s website. For more information or if you have any comments about the 2006 version, please contact me at mfelsky@felsky.com.
Comments are closed.