C is for CJIS

And criminal justice. And compliance. Coincidence? Clearly not.

Okay, we’re done being clever. After all, criminal justice information services (CJIS) is no joke.

An Acronym I Should Know?

Do you interact with, manage, or otherwise handle criminal justice information (CJI)? Then “yes!”

CJIS compliance was established and is currently enforced by the FBI. Compliance ensures that professionals handling CJI, including cloud vendors providing software as a service (SaaS), prosecutors’ offices, government agencies, and more, adhere to pre-established best practices regarding information security when working remotely or on wireless networks, establishing data encryption tactics, developing authentication processes, and other workflow activities.

As you probably guessed, CJIS compliance audits are complex and uncompromising. This seems frustrating to criminal justice professionals trying to do their jobs, but it’s a necessary safeguard for protecting our nation’s justice system.

How Can I Get Started?

Step one: Take some time to read through and understand the FBI’s Security Policy Requirement Document, and accept that complying with the CJIS security policy is no easy gold star.

While we wish we could offer you a magic solution that brings organizations up to pace with every CJIS standard, we can’t. As of today, no one can. But, we can offer some insight into a few processes you’ll want to tighten up (or implement!) in your efforts to prepare for certification.

What Am I Looking At?

In a nutshell, your processes for managing and handling CJI.

From data storage and retrieval to accessibility, internal workflows and communication between law enforcement agencies, courts, prosecutors, etc., you should be able to answer where the information is (and quickly locate it), whose hands it has been in and how it’s been altered at any given time. AKA, an auditable trail.

Hand-in-hand with being able to trace your data’s history is ensuring and proving the integrity of the information entrusted to your care, which can be safeguarded by data encryption and multi-step authentication processes.

You’re Sure There’s Not an App For That?

Yup. But digitizing records, evidence, reports and other CJI material enables you to leverage digital portals that facilitate communication between all necessary parties. These portals, such as LEAP, walk you a few steps closer to meeting CJIS standards.

Implementing robust workflows does not fulfil CJIS compliance, but it does support your efforts in checking the boxes to uphold data integrity and secure confidence in your service to the public.

If you’re interested in CJIS compliance, we recommend partnering with a trusted software vendor who can assess your current processes and recommend solutions or “next steps” for optimizing information security.

Remember: partnering vendors are responsible for ensuring their solutions uphold the promised functionality, but you play a role in sustaining the leveraged technology and continuing to pursue best practices. To help you fulfil your part, ask your vendor to outline a matrix that details the implemented functionalities, and who is responsible for maintaining each aspect of the solution required to comply with the CJIS Security Policy.

We Want to Hear From You!

Are you CJIS compliant or in the process? What hurdles are you facing?

Respond in the “comments” section below or on our Court Solutions showcase page. We read and respond – promise!

Scammers in the System: Florida Enforces Stricter eFiling Security Measures

By: Katie Pusz, Copywriter, ImageSoft

There’s always one.

After a scammer was able to hack an attorney’s eFiling account and take off with $130,000, Florida Courts E-Filing Authority was understandably shaken. Realizing such a vulnerability in its midst, the board quickly removed all non-lawyer eFiling accounts, which included the right-hand people of many lawyers – office managers.

Office managers typically rely on the eFiling portals to assist their law firms with managing cases, tracking files and payments, and more. Rather than creating their own account, many attorneys rely on their office managers’ accounts to perform their eFilings.

While there are still secure systems in place for pro se litigants and other non-lawyers to eFile, Florida lawyers will now have to submit their electronic files through an account attached to their bar number. If an attorney wishes to create any additional accounts, they will need to undergo a more extensive inspection by portal operators.

Speaking of Security…

Prior to eFiling, paper files were literally tossed onto a clerk’s desk where they sat until they were processed. Anyone could have picked up the file and stolen a client’s identity or other sensitive information. Developed to be more efficient and protective than paper-reliant processes, eFiling added an extra layer of armor to the security of every file. In such a technologically advanced era, eFiling must continuously evolve to strengthen its cybersecurity tactics.

A prime example of this is TrueFiling by ImageSoft, which just released its 3.0 version. With a continued focus on scam-proofed security measures, TrueFiling’s format is now similar to that of LinkedIn: Filers can send connection requests to other clients, attorneys, office managers, and more, and an accepted request will exist as consent between the two or more users. This step ensures that users cannot slyly add another contact as a service recipient. Filers must first be connected with one another so as to acknowledge them as a party on a specific case.

Another TrueFiling security measure is the use of an administrative account for a law firm. Any person who registers to eFile as a representative of a law firm must be approved by an eFiling administrator of the law firm. This extra step enables the support staff to continue doing their job under their own, approved accounts, which actually strengthens security since attorneys aren’t sharing their passwords and account information with anyone. And with TrueFiling’s full audit trail, you can track and hold accountable those who were working on a file. If an entire office’s support staff is sharing and working under one attorney’s account, all that’s known is that “someone” was working on the file. With TrueFiling, there is no gray area – only full transparency.

Stepping toward upped security, TrueFiling also requires every filer be a registered user with an e-mail address. Sure, scammers could try to fake an email address to look like an attorney, but eFiling would then take some extra steps. By integrating TrueFiling’s software with that state’s Bar, the user’s bar number would have to be validated before he or she is deemed a registered user. You could further enhance the system’s functionality to only allow one bar number per user, which would be more than sufficient since support staff would maintain their own accounts.
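A minimal model of the checks described above (bar-number validation with one bar number per account, firm-administrator approval, and an accepted connection before someone can be added as a service recipient), as an added example that is not TrueFiling's code. The `Portal` class, its method names, and the idea of a local bar registry set are hypothetical.

```python
from dataclasses import dataclass, field
class PolicyError(Exception):
    """An action that the filing policy refuses."""

@dataclass
class Portal:
    bar_registry: set   # constructed stand-in for a state Bar lookup
    firm_admins: dict   # firm name -> e-mail of its eFiling administrator
    users: dict = field(default_factory=dict)      # e-mail -> account record
    bar_owner: dict = field(default_factory=dict)  # bar number -> e-mail
    connections: set = field(default_factory=set)  # accepted pairs
    pending: set = field(default_factory=set)      # (sender, recipient)
    audit: list = field(default_factory=list)      # (actor, action) entries

    def register(self, email, firm=None, bar=None):
        if bar is not None:
            if bar not in self.bar_registry:
                raise PolicyError("bar number failed validation")
            if bar in self.bar_owner:
                raise PolicyError("bar number already bound to an account")
            self.bar_owner[bar] = email
        # Firm representatives stay inactive until the firm admin approves.
        self.users[email] = {"firm": firm, "bar": bar, "approved": firm is None}
        self.audit.append((email, "register"))

    def approve(self, admin, email):
        if self.firm_admins.get(self.users[email]["firm"]) != admin:
            raise PolicyError("only the firm's administrator may approve")
        self.users[email]["approved"] = True
        self.audit.append((admin, f"approve {email}"))

    def request(self, sender, recipient):
        self.pending.add((sender, recipient))
        self.audit.append((sender, f"request {recipient}"))

    def accept(self, recipient, sender):
        if (sender, recipient) not in self.pending:
            raise PolicyError("no pending request from that user")
        self.pending.remove((sender, recipient))
        self.connections.add(frozenset((sender, recipient)))
        self.audit.append((recipient, f"accept {sender}"))

    def add_service_recipient(self, filer, recipient, case):
        if not self.users[filer]["approved"]:
            raise PolicyError("account not approved by firm administrator")
        if frozenset((filer, recipient)) not in self.connections:
            raise PolicyError("recipient has not accepted a connection")
        self.audit.append((filer, f"serve {recipient} on {case}"))
        return True
```

Every allowed action is appended to `audit` under the individual account that performed it, which is what separate support-staff accounts make possible.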

Avoiding Future Flubs Everywhere

The connection-request process or law firm administrative oversight demands approval and accountability through each step of the eFiling process. This empowers attorneys to better protect their clients by harnessing complete control over who is accessing their cases and files. By applying this checks-and-balances type system, every eFiling application can avoid a scammer slithering into their case in the first place and still allow assistants to file on behalf of an attorney.

What security checkpoints does your court’s, office’s, or law firm’s eFiling system use?

Cloud Gazing

A couple years ago I wrote about how I thought attitudes concerning storing critical enterprise data in “The Cloud” would have evolved five years hence. Bottom line: The prediction was that by 2019, best practices will require that information of any criticality, confidentiality, or sensitivity be stored in The Cloud, because that will be far and away the most safe and manageable place for it.

Thus at the Justice Summit in Grand Rapids this June it warmed the cockles of my heart to hear Scott Bade, President of ImageSoft, who noted that the new generation of Justice System Information Management Systems are being designed for Cloud storage, for exactly those reasons. To a room of generally skeptical judges, court managers, and court technologists, Scott acknowledged the current general negative impressions regarding the security of data in The Cloud. Confronting their skepticism head-on, he then predicted that they would soon come to understand that the very reason for moving their most sensitive data to The Cloud is that it is no longer safe anywhere else.

As Scott pointed out, courts and other justice agencies can and will continue to store data “on-site” (wherever THAT is) for as long as they wish. The larger point is that, because Cloud storage will almost certainly become the rule rather than the exception, the new Justice System Information Systems are being designed to take advantage of the opportunities such architectures provide. And those opportunities are exciting indeed, offering greater functionality and flexibility, lower total cost of ownership, and far greater management control to far finer levels of granularity (like individual litigants on their own cases).

The Justice Community doesn’t need to lead the way.  Granted, justice system information includes highly sensitive and confidential material. But so, then, do National Security information systems. And here, the Defense Department has been moving aggressively to transition to storing information in The Cloud.

For those who are interested (ATTENTION, GEEKS!), Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 2, 18 March, 2016 makes fascinatingly turgid reading. For the rest of us, the mere existence of such a document should send a powerful message. Meet some folks who are seriously interested in security, who are spelling out in excruciating detail how to store and access their most sensitive information (designated “Level 6”, for anyone who wants to know).

Just for fun, here is a chart from the Guide. Imagine how easily it could be applied to Justice System Information.

From Section 3.2, Information Impact Levels

Figure 1 provides a summary of the current information impact levels coupled with some of the distinguishing requirements and characteristics. 

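[Figure 1: summary of information impact levels, from the Department of Defense Cloud Computing Security Requirements Guide]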

Note that per Section 5.2.1, the information must be physically located in the US or an area under US jurisdiction (like, say, Guantanamo). Not unreasonable; and courts may very well apply in-state restrictions if they please.

All of this is to say to the justice community that 1) Cloud-based information storage is in your future, probably sooner than you expect; 2) Properly implemented, it will be far more secure than any other form of storage; and 3) The tools that bring it to you bring also some very, very exciting capabilities to improve justice community delivery of services.

 

Assuring Judicial Work Product Confidentiality in a Paper-On-Demand Court

Consider this question: In a paper-on-demand court equipped with an Electronic Content Management (ECM) system, when judges record their personal notes in the records, do those notes become subject to release under Public Disclosure laws?

There is a long and well-settled rule providing exception and privilege for personal notes and working papers, but somehow that fact does not seem to prevent a lot of anxiety when courts are considering a move to a paper-on-demand court. For argument’s sake, let’s assume that the answer is “Yes”. 

The reasoning would be that content in the system (the paper analogy would be “in the file”) is a public record which, as a rule, would be disclosable. Most jurisdictions prohibit destruction of public records without express authority to do so. 

Doubts about the legality and precedent of keeping judges’ work confidential do not withstand analysis. If a judge tears up or deletes his/her notes to start over, would that then be destruction of a public record? Are erasures and modifications alterations of a public record? For a really good, recent, analysis, see “Judicial Authority to Limit Access to Court Records in North Carolina”, December, 2011, by Michael Crowell of the UNC School of Government.

This does not mean courts should not carefully review and, if required, modify rules and statutes to make certain there are no unpleasant surprises following transition to a paper-on-demand court.  Also, close attention in the design phase will minimize problems down the road.  The paper-on-demand court environment IS different than the hard-copy environment. The area of Public Records discoverability has wrinkles in the paper-on-demand environment that never arise in the paper world, as anyone who has ever faced a Freedom of Information Act demand knows all too well.

For many access questions, the loss of the effective “security” of practical inaccessibility constitutes a major challenge when moving to an electronic document management system. Modern systems provide robust and reliable ways to assure confidentiality of data and documents at the system level, and provide electronic audit trails which can be used to further enforce compliance.

However, a few more landmines lurk in the work product area. Here the technology and the legal/rule considerations start to mingle. Public Records statutes and rules typically make exceptions for confidential data (social security numbers, personal information, etc.) and documents (Secret Indictments or jury lists, for example) through specific reference. In those cases then, as long as the system can control access, no questions arise.  

Do current statutes/rules exempt court work product from disclosure? And if they do, do they define work product? More and more do, but not all.

A typical statute/rule change to support introduction of electronic records systems in courts involves stating something to the effect that “the Court Record consists of the records, data, and files in the Electronic System”. When that happens, the particular “confidential” data elements and document types will remain safe. The “work product”, though, may be less certain.

Recommended best practice: 1) Ensure that disclosure rules call out both electronic and paper work product as their own non-disclosable category of information; 2) Maintain the non-disclosable work product documents in separate document types from formal court records, with security configuration that prevents viewing by unauthorized system users; and 3) Support electronic document annotations that don’t technically alter the original document and have their own security distinct from the document (A good ECM system will provide an array of document annotation types, including sticky-notes, highlights, circles, lines, arrows, text, etc.). 

Finally, choose a technology partner with solid experience in court integrations who can help you plan thoroughly and thoughtfully to avoid unexpected surprises when transitioning to a paper-on-demand court.