Cyber Security of Court Records: An Introduction to Principles and Policy

By Jorge Basto, Division Director, Information Technology and Christopher Hansard, Assistant Director for Research and Regulatory

Today’s business environment requires constant internet connectivity, and many companies now store, access, and manage huge quantities of records via in-house or third-party internet-based solutions. Hardly a month goes by without news of a cyber-attack that often results in the theft of sensitive records. Courts, with their ever-increasing adoption of electronic services (mail, filing, access, etc.), are often managing millions of electronic records and are subject to the same security concerns and vulnerabilities as any Fortune 500 company.

With the expansion of courts into specialized business and treatment functions, courts often store medical records, trade secrets, and data with other sensitive or personally identifiable information. In an age of almost continual cyber-attacks, no entity is ever one hundred percent safe from records theft, and later this article will discuss specific vulnerabilities and types of attack.

Courts should know the measures that can be taken to protect their shared information. In his paper, To Protect and Preserve: Standards for Maintaining and Managing 21st Century Court Records, National Center for State Courts records expert Nial Raaen identifies six core principles courts should establish for records governance.

Each principle, if considered with cyber security in mind, will provide a foundation upon which larger cyber security measures can be taken:

·       Governance – Establishing who is responsible for maintaining records created by the court creates a governance structure for that court. Records can become vulnerable to theft if parties do not clearly understand who is accountable for them. Without the accountability that comes with a clear governance structure, records may become neglected, forgotten, or stuck in limbo, eliminating any protection they might have received.

·       Compliance – Many federal and state statutes exist to protect court records, and ensuring compliance reduces the risk of records falling into the wrong hands. Courts can adopt records and data policies that adhere to appropriate statutes like HIPAA and other laws that seek to protect records with personally identifiable information.

·       Integrity – Authenticity is maintained through rigorous records controls and audits to verify integrity. Not only do audits guard against internal records corruption and misuse, but they also can prevent unauthorized third parties from gaining access to records. If proper integrity procedures are followed, courts will know quickly when court records are compromised.

·       Access – By carefully defining appropriate records access, accessing records becomes more efficient for authorized parties. At the same time, limiting access appropriately allows the court to construct a well-guarded fortress around all records to prevent unauthorized access.

·       Preservation – Focusing on preservation requires that courts create backups and disaster plans, which are critical if records are stolen or otherwise removed by cyber attackers. Having adequate preservation principles can give courts peace of mind if they are ever victims of an attack.

·       Disposition – Disposition principles are key to ensuring records reaching the end of their useful life are either stored long term or destroyed. Courts must have provisions for destroying records as soon as they are no longer required to be kept. Criminals cannot steal records that do not exist. Delaying destruction of records leaves courts vulnerable to theft. Disposition principles also force courts to properly destroy records in accordance with appropriate standards.[1]

Protecting courts from cyber-attacks is a complex issue. Courts can lay a foundation of protection from cyber threats by carefully reviewing and adopting general records management principles as described. Doing so will not only protect against theft but will also improve the quality of service to all court stakeholders.

Securing court records has also become increasingly difficult for court managers because identifying, categorizing, and classifying ‘data’ covers a large span of traditional court records and operational, system, and financial data. Courts today have the same intricacies that many businesses deal with every day. Court managers should approach their data management policies as they would any other business asset.

Understanding the complexity of records, the intent of hackers, and the vulnerability that “open” systems create can help court managers work toward more secure data.
1.     Complexity of records. If one or more of the above noted principles is not followed, courts may be unaware they have been attacked or compromised. Data normalization allows for more efficient methods of storing and reporting information, but it does create complex structures that require specialized IT assets to manage. The more elaborate the data models become, the more resources are required to manage, back up, replicate, report and parse information into useful formats. Because of the added tools, staff and connectivity requirements, there are new points of failure or exposure to the information.
To combat this problem, courts need to have a strong understanding of their vendors, contractors, or internal staff policies for managing data.
2.     Sophistication / Intent of criminals. Opportunities for hacking systems have always existed and have not subsided simply because of education and intrusion protection. Criminals are finding new ways every day to illegally access, copy, alter, destroy or block systems. Sometimes, these criminals are the same ones supplying the “solutions” being marketed to their victims. Court managers should regularly perform testing of their systems and keep intrusion methods up to date as much as possible.
Reasons for an attack are not always obvious. Court data dealing with sensitive information is at risk, but criminals have several motivations for their activity:

·       Financial – the most common reason is to gain some compensation for stolen passwords, credit cards, secure data, etc.

·       Bragging – Much of the early reported hacking was simply for “fun” or entertainment. Hackers wanted to see if they could “do it.”

·       Malicious – A very common type of attack in the government sector is a “Denial of Service” (DoS). Chances are nothing is stolen but systems do become non-functional.

·       Incompetence – With the enormous list of possible issues that can occur with any system, data can be exposed because someone is unsure of what they are doing.

·       Bot Client – Some hacks use the attacked system as a “bot” to infect or steal from other systems.
3.     Openness - The courts are under pressure to become more “open.” This means many different things to different people, but the expectation is that data is shared and made more available to ancillary entities and the public. It may not be considered hacking, but screen- or data-scraping has become a common way of extracting human-readable data output. As courts make more records public and accessible online, more attempts to acquire restricted information will occur.
This article is too brief to thoroughly cover appropriate court data policy and management. There is a wide variety of assistance available, including Georgia’s Judicial Council/Administrative Office of the Courts, the National Center for State Courts, and other non-profit groups dedicated to data management and security.

By dedicating themselves to core principles and establishing sound policy, courts can focus more on the criminals in the courthouse rather than worry about the ones attempting to break into their network.

[1] To Protect and Preserve: Standards for Maintaining and Managing 21st Century Court Records. Accessed April 2, 2015.
