Judges get with the times on information security

Originally published in Lawyers Weekly

Lawyers strive to protect the confidential information they gather when litigating a case. And courts across Canada continuously work to ensure that any information lawyers submit to them stays confidential.

This year, the Canadian Judicial Council (CJC) is updating its Blueprint for the Security of Judicial Information, prepared by the Computer Security Subcommittee of the CJC’s Judges Technology Advisory Committee (JTAC). This blueprint serves as a guide for members of Canada’s judiciary community, helping them protect the information they generate.

In fact, according to Martin Felsky, “Courts now take more leadership in information security than many law firms or individual lawyers do. The kind of project we’re doing for the court is the kind of project many lawyers need to undertake in their own practices.”

“The blueprint is an educational tool not just for judges but for lawyers and everybody in the judicial community,” adds the founder of e-discovery service provider Felsky Consulting.

Security concerns, of course, are nothing new. As judges increased their reliance on computers at work, they wondered about things like how their information is stored and who has access to that information.

Litigants, in turn, may fret over whether the information they submit to the judiciary is safe from prying eyes.

Complicating the situation is the judiciary’s independence from government, itself a frequent litigant. The idea of using the same IT support resources as a litigant raises several spectres. “Is it appropriate for a government IT person to log into a judge’s computer?” Felsky asks rhetorically. “What happens to data he’s working on? Is it intermingled with data from other government departments?”

Concerns like these prompted JTAC to form the aforementioned subcommittee earlier this decade, which surveyed the judiciary across Canada on the security of their electronic information. It turned out that security was lacking in most courts.

“Ten years ago, the security-minded in the judiciary were in the minority,” Felsky says. “Most judges assumed their judicial information was secure.”

Many judges also balked at measures like changing passwords every 30 days, encrypting email and performing backups.

Times have changed. Ten years ago, the committee sent unsolicited memos on how to secure information. Today, judges ask the committee for security tips and guidelines.

“Today we know we have to take responsibility for the security of our own information,” says Manitoba’s Honourable Madam Justice Laurie Allen, a JTAC co-chair and chair of the security subcommittee.

“Judges don’t get into the nitty-gritty of the technical stuff in the blueprint,” she adds. “It’s just great to know our work is looked after properly.”

Felsky credits educational efforts for part of this change in attitude. “I’ve demonstrated password cracking to judges, and they’re astonished,” he says. “Some thought that using their dog’s name as a password was safe.”

People like David Williams, the acting lead for Ontario’s Judicial Information Technology Office, can also claim kudos. Officers like Williams improve a judiciary’s information security using the blueprint’s guidelines.

This attitude shift hasn’t arrived a moment too soon, given what Williams calls an “explosion” in new devices and portable media. “You could put a judge’s lifetime work on a device the size of your pinkie nail,” says Williams. “They can work from places they never could before.”

Nothing in the blueprint is mandatory, according to Felsky, but it doesn’t need to be. “No judge wants to explain security lapses to the media,” he explains. “We.”

The blueprint works. “Every jurisdiction has been using it since the first version in 2004,” Felsky claims.

The committee also updates the blueprint every few years. Version two emerged in 2006, while version three awaits consideration at the next committee meeting this September.

Two major themes drive blueprint changes this year: increased consistency with international standards; and a focus on mobile technology.

The first theme ought to relieve judicial personnel who seek to reduce the burden of compliance. “If you already comply with current ISO standards,” Felsky says, “you comply with 90 percent of the blueprint.”

Mobile technology, while hardly new, wasn’t on the radar when the committee first set to work. Things such as wireless networks and Blackberries did not figure prominently in the work of the judiciary.

For most judges, smartphones would be personal purchases, but Allen doesn’t see that deterring adoption of handsets among her colleagues. “Two of my three children have iPhones, and I’m green with envy,” she says of the technology that she may one day acquire.

“I notice more and more netbooks at (judicial) conferences,” Allen adds.

As much as the blueprint has smoothed the way for members of the judiciary to incorporate technology into their workdays, barriers to technology persist. “Governments don’t move overnight,” Allen says. She also perceives financial realities in some provinces where decision-makers need to funnel required changes through the bottleneck of budgetary cycles.

Such barriers, though, stand little chance should the flames of data loss horror stories heat up the media. One all-too-common horror story goes like this: “culprit” loses a laptop; laptop contains sensitive information; hard drive was not encrypted; privacy worries skyrocket.

To keep Ontario’s judiciary “out of the news,” its members are receiving new laptops featuring encrypted hard drives. Another price for security: “There’s a ten-second hit on startup and shutdown,” Williams admits.

Even though Blueprint 2009 is on the cusp of publication, the committee continues to guide its evolution.

For instance, social networking and other Web 2.0 phenomena have caught the committee’s attention. Felsky presumes judges may want to experiment with sites like Facebook and Linkedin, and the committee will deal with any attendant privacy and security issues if that happens.

Another trend to watch: Microsoft will soon trumpet the arrival of Office 2010 online, one of the latest “cloud computing” systems that users access via web browsers (the software, and the documents and data it produces, all reside on the Internet, outside an organization’s firewalls).

IT managers may tout cost efficiencies from cloud computing, but the committee may take a dim view of storing user data and documents anywhere but the judiciary’s own servers.

To Williams, it’s a matter of trust. “If we use cloud computing, we’d have to analyze the services and we would need the ability to monitor the system to make sure nobody noses in from the back end,” he says.

The technological sophistication the blueprint calls for has courts asking for help in understanding it.. In response, the National Judicial Institute is translating key components into course material, and JTAC offers what Felsky calls the “road show,” sending knowledgeable representatives (such as Felsky himself) to any court that asks for help educating judges about the blueprint.

All these measures inspire Allen’s confidence. “Lawyers work so hard to accumulate evidence, make it searchable,” says Allen. “The courthouse is not a weak link. It’s a very strong link.”

For a PDF of this article, click Information_security_judiciary.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.