California State Bar Data Breach Impacts 1,300, leads to Class Action Lawsuit

The California State Bar is currently notifying the 1,300 individuals that were identified in a massive data breach that exposed more than 322,000 confidential records. These confidential attorney discipline records were published online from October 15, 2021, to February 26, 2022, on a public record aggregator site called Judyrecords.com.  

This data breach was not the result of a malicious hack, but rather a vulnerability in the State Bar’s case management system. This vulnerability exposed the confidential records in a Judyrecords.com information sweep. This is not believed to be intentional, but rather the result of a security issue with their Tyler Technologies Odyssey case management portal. 

On February 24th the State Bar learned that these nonpublic records were accessible on Judyrecords.com. Specifically, Judyrecords.com accessed and displayed case numbers, file dates, case types, case status, respondent names, and complainant names.  

“The State Bar is committed to transparency, and maintaining the public’s trust in our agency is paramount,” said Leah Wilson, State Bar Executive Director. 

 Currently, the State Bar reports that the vulnerability has been corrected. 

Class Action Lawsuit over Data Breach 

Because of the breach, both the California State Bar and Judyrecord.com were sued in March 2022. The plaintiffs, the individuals affected by the breach, are currently being represented by the law offices of Nenore Albert.  

The cause of the suit has been specified as a Violation of California Information Practices Act of 1977, invasion of privacy, Sherman Act, negligence, and negligence per se. The suit alleges the State Bar failed to notify plaintiffs of the issue in a timely manner. 

Injunctive relief in the form of disclosure, damages, loss, and attorneys’ fees is being requested for all Californians identified in the files released.  

How to Prevent Data Exposure 

This is a suit based not on a malicious hack, but rather accidental data exposure. Unintentional data exposure led to an unauthorized party accessing confidential information, without any form of cybersecurity attack. 

How can you make sure your organization’s data isn’t vulnerable to data exposure?  

First, identify all confidential data your organization holds, whether the data belongs to your organization or to clients and customers.  

Conduct a security audit of all confidential data and the security practices that are used to protect it. Consider updating: 

• Retention Practices – Delete or destroy data that isn’t needed by your business, as they add to your organization’s liability. 
• Security Practices – All firewalls, antivirus software, and other security software should be updated and checked to make sure it meets the company’s needs. 
• Employee Practices – All employees should be updated on cybersecurity threats, like malicious phishing emails, and best practices to prevent accidental data exposure. Additionally, confidential data access should be allowed on a “need to know” basis. 
• Data Backup Practices – Data should be safely backed up in case the data is lost or stolen. These backups should be stored securely, not in unprotected hard drives or flash drives that could be stolen. 
• Data Breach Practices – A quick response is needed in the case of any data breach, whether malicious or accidental. Failure to respond in a timely manner can lead to suits, like the one the California State Bar is facing. 

The California State Bar data breach is a nightmare for any organization that handles highly confidential data. Even though the incident was not malicious, the organization is facing both a lawsuit and public fallout from the data breach. It’s a great moment for the rest of us to take a critical look at our data protection practices and learn from this unfortunate data exposure example.