July 11, 2020

Volume X, Number 193

July 10, 2020

Subscribe to Latest Legal News and Analysis

July 09, 2020

Subscribe to Latest Legal News and Analysis

Rolling the Dice: How Not to Protect Privacy

This post is part three in a series examining privacy and transparency issues in the context of public access to digital court records, building on my essay “Digital Court Records Access, Social Justice and Judicial Balancing:  What Judge Coffin Can Teach Us.”

Maine state courts plan to start rolling out a new electronic filing and case management system by year’s end.  When it’s fully operational, approximately 85% of the electronic documents submitted by filers will be immediately accessible for public inspection upon acceptance by the court.  With a few exceptions (e.g., certain adoption, child protection, juvenile, and mental health civil commitment records), all criminal, civil, and traffic infractions records would be publicly available. Some records would be accessible only at the courthouse, while others would be accessible to the public both remotely (via the internet) and at the courthouse.

Foolhardy as it seems, the SJC plans to leave it to filers to serve as the chief privacy gatekeepers at the courthouse door, a role ordinarily assumed by the court and judges.  To protect the privacy rights of Maine citizens, the SJC’s proposed rules for its new electronic system require the sealing or impounding of certain court records and the redaction and/or special designation of nonpublic cases, documents, and information.  But, critically, the SJC intends to rely almost entirely on individual filers to ensure compliance with those new rules.

By doing so, the SJC has proposed turning protection of Maine citizens’ privacy into a game of chance.  The odds for Maine citizens are not good.

Under the SJC’s proposed rules, “[n]onpublic” means “access is restricted or prohibited by law.”  “By law” is defined to mean “by federal or state law or regulation, court rule . . . or administrative order.”  And 18 specific categories of data, documents, and information are listed as nonpublic, including “any other information or court record to which public access is prohibited by law.”

The SJC’s proposed rules instruct filers that “[f]or all cases designated as sealed, impounded, or nonpublic, every filing must be clearly and conspicuously marked, ‘NONPUBLIC.’” The rules further warn filers that “[i]f a filed document does not comply with the requirements of these [redaction and marking] rules, a court may, upon motion or its own initiative, order the filed document returned, and that document may be deemed not to have been filed.  A court may impose sanctions on any party or person filing a noncompliant document.”  The risks of noncompliance are real and substantial.  An individual may lose rights to a claim forever if a statute of limitations is missed because a filing was deemed not to have been filed correctly or a person may lose a lawsuit or pay a fine.

According to a 2013 report from the Family Division Task Force to the justices of the SJC, approximately 75% of the litigants in family-related cases are unrepresented; and approximately 86% of cases coming before family law magistrates (in 2012) had one or fewer attorneys.  Although they are not published, the numbers are similar in other district court case types.  There are hundreds of  Maine laws and regulations in existence that treat certain information as confidential.  And the volume of new laws enacted each year is likely to continue to grow, given the increasing recognition of the need for stronger consumer data protection laws and regulations.  Finding and keeping track of these laws, not to mention reading and understanding them, will be a major undertaking for Maine lawyers and an impossible hurdle for unrepresented litigants.  In addition, it is highly unlikely that unrepresented litigants will be able to conduct the proper assessment of – and determine the best way to protect – their privacy rights.  In any event, the privacy interests of nonparties are at risk too and should not be entrusted solely to the care of one of the parties.

Even assuming full compliance, however, it is not difficult to imagine mistakes happening.

In its latest draft rules, the SJC itself seems to have missed the fact that birth certificates are nonpublic under Maine law.  While its draft rules designate “death certificates” as nonpublic, they make no reference to “birth certificates.”  Yet the latter document contains precious “place of birth” and “mother’s maiden name” information.

Determining the nonpublic status of birth certificates in Maine requires a bit of legal research.  Like many states, Maine is a “closed state” as it relates to vital records, making such records available for inspection by the public (that is, open to anyone) only after passage of a long period of time: birth records more than 75 years from the date of the event; marriage records more than 50 years from the date of the event; and death records more than 25 years from the date of the event.

The Maine statute permits access to vital records only to those applicants who can demonstrate to the satisfaction of the Department of Health and Human Services that they have “a direct and legitimate interest in the matter recorded.”  The statute defines the specific categories of applicants who may qualify, which include the person named on the record and their spouse, registered domestic partner, descendants, parents or guardians, or duly designated agent or attorney.

Prior to 2010, for at least more than half a century, Maine had been an “open state,” permitting inspection by anyone of vital records.  In 2010, however, the legislature enacted “An Act To Allow Electronic Filing of Vital Records and Closing of Records To Guard Against Fraud and Make Other Changes to the Vital Records Laws.”

Interestingly, the impetus for the legislation, as is evident from its title, was the implementation of a centralized electronic death registration system for Maine.  As state government transitioned from paper to electronic records, Maine decided that restricting access to vital records only to those with “a direct and legitimate interest in the matter recorded” was necessary to protect Maine citizens from fraud and identity theft. It did so, even in the face of knowledge that much of the vital records information would be otherwise readily available to the public through newspapers, the U.S. Social Security Death Index, and cemetery gravestones.

If the SJC can miss an obvious category of documents that is nonpublic under Maine law, what are the odds that unrepresented litigants at the time of filing may likewise miss something that is nonpublic under federal or state law or regulation, court rule, or administrative order?  What about those who do not speak English, cannot read well, do not have access to a law library, are going through a divorce, seeking help for their children, or fearing for their lives at the time of filing?

Why isn’t the SJC demanding more from its technology vendor and requiring it to assist the court in performing its traditional privacy gatekeeping function?  Judging by a quick look at the search solutions presently available from Tyler Technologies, it seems that functionality and technological filters already exist or could be built to help ensure that data has been sufficiently de-identified and that all nonpublic cases, documents, and information have been correctly identified and properly marked.  No technology is foolproof.  But if it is used in conjunction with other measures (e.g., user training, manual review, and judicial oversight), technology should at least help to increase Maine citizens’ odds.

Maine citizens’ privacy rights should not be dependent on the chance success or failure of filers to fully comply with the SJC’s rules.  Relying on filers to serve the privacy gatekeeping function is fraught with peril and not good public policy.  It will only serve to erode the public’s trust in the Maine court system.

For additional info on digital access to court records,  click here to read part one regarding redaction and re-identification risk, and here to read part two about the data de-identification spectrum.

©2020 Pierce Atwood LLP. All rights reserved.National Law Review, Volume X, Number 156

TRENDING LEGAL ANALYSIS


About this Author

Peter J. Guffin data and privacy lawyer Pierce Atwood
Partner

As chair of Pierce Atwood’s Privacy & Data Security practice, Peter Guffin combines extensive experience in intellectual property, information technology, privacy and data protection law, with a practical appreciation of the business and legal imperatives that can determine a client's success.

Areas of focus include:

  • Information Privacy and Cybersecurity
  • Breach Preparedness, Response, Investigation, and Communication
  • Risk Management, Governance, and Compliance

Peter represents businesses and organizations across a...

(207) 791-1199