Confidential File Leak Leaves CalBar, Lawyers and Clients Exposed
The state bar association of California, which is responsible for licensing and regulating more than 250,000 lawyers in the most populous US state, is itself the subject of a scrutiny for a data breach that allowed the capture of confidential data on client complaints and lawyers’ disciplinary records by a free court records website. .
As many as 322,500 such records were sucked up by JudyRecords.com between October 2021 and February 2022, according to a proposed class action lawsuit filed against the California Bar by two attorneys, a former judge and three people with attorney grievances, all of whom are proceeding anonymously.
When a state bar suffers a data breach, confidential information stored in disciplinary records could be a target, and disclosure of these files could potentially lead to doxing, extortion, or identity theft, as well as lawsuits against the bar, according to lawyers who spoke to Bloomberg Law about it.
Accusing the California State Bar of invasion of privacy, negligence and violation of state information practices law, those suing it seek damages and an injunction . The vendor who provided the CalBar case management software and the bar’s acting chief information officer are also named as defendants in the case.
The bar has since sought his removal, arguing among other things that the Information Practices Act does not apply to him. He also contends that JudyRecords.com captured “only case data, not complaints or other case documents from underlying disciplinary proceedings.”
But just months after the California foray, the Georgia State Bar website was restricted in response to unauthorized access. The Law Society of Georgia announced on May 20 that it has a new temporary website and continues to “work” on unauthorized access to its site.
The breach of disciplinary records is a “nightmare scenario” in terms of confidential information, and the possible negative implications could go “far beyond” a traditional data breach, said Dickinson Wright member Fredric D. Bellamy PLLC with experience in data privacy and cybersecurity law.
“How much this trend accelerates could depend on the ability of hackers to steal data from bars that have already been attacked and can be sold on the black market,” he told Bloomberg Law. “That kind of financial success would encourage more hackers to target bar organizations.”
Responsibility for attorney registration and discipline varies from state to state. In some places, like New York, the courts have this responsibility, while in others, like California, it’s the state bar, and in Illinois, it’s the Attorney Registration and Disciplinary. Committee.
Regardless of where they are stored, these disciplinary records likely contain sensitive client data, including banking and financial information, social security numbers, medical records and disclosures that attorneys were likely required to turn over. during an investigation, said Maryam Meseha, a partner in FisherBroyles LLP’s growing Cyber-Risk, Privacy & Data Security practice group.
Although the motivations of cyber attackers are often unclear in the immediate aftermath of a breach, some people have been known to want access to attorneys’ confidential disciplinary records or client information, as was the case in California, according to David Opderbeck, Professor of Law and Co-Director of the Institute for Privacy Protection at Seton Hall Law.
The legal profession has “a strong interest in assuring the public that their personal information will not be publicly disclosed if it is not otherwise available in the public docket of a court or public tribunal,” Opderbeck told Bloomberg Law. .
It’s “hard to imagine” how an attorney who submitted such confidential information to the state bar could be held liable for a bar association’s data breach, but the issues aren’t as clear to the organizations, said said Meseha.
Disputes over leaked information and/or violations generally hinge on plaintiffs proving that an actual misuse of that information occurred, which ultimately led to tangible harm, Meseha said. It will be for the investigator in this case to determine whether there has been harm to reputation, as alleged in the complaint, and whether that harm satisfies the legal standard of each cause of action.
For a California litigant alleging a privacy breach, that means proving both a reasonable expectation of privacy and that disclosing information would be highly offensive to a reasonable person.
“It’s a pretty high bar to jump,” Meseha said. “Damage, of course, is an entirely separate matter. How much is your reputation worth? It depends.”
Meseha said she doubted a resulting judgment would bankrupt the California bar. “They probably have strong insurance policies that cover that,” she said. “The conclusion of damages would have to be well in excess of the coverage limits to pose a real threat to the CA Bar’s financial condition..”
Opderbeck countered that it is “conceivable that a particularly egregious breach of PII from a state bar database could attract the kind of liability that could threaten the viability of the organization.”
“But such catastrophic liability might be unlikely because there are huge questions about the legal theory of harm, causation and how to measure damages,” the professor told Bloomberg Law via email. “Yet, like any other organization that handles personal information, a state bar should have a comprehensive cyber risk management policy in place.”
He added, “Outside of the context of lawyer discipline, the business of most state bars is pretty boring from a hacker’s perspective.”
What’s at stake
In a state like New York, where the regulation, admissions, and discipline of attorneys are handled by the court system, not the bar, hacking the state bar association system “would have no impact on the lawyers who are the subject of an investigation or who have been sanctioned”. for ethical violations,” according to Chris McDonough, a special counsel at Foley Griffin LLP who frequently represents attorneys facing grievances or disciplinary proceedings in New York.
McDonough said that if disciplinary records are breached, bank account information could be compromised. Indeed, a “vast majority of complaints” that result in penalties are based on errors in the handling of escrow accounts, and those files would likely include unredacted bank statements submitted by the attorney, he said.
“Acquiring these bank account numbers and other details could lead to significant fraudulent activity that would harm both attorneys and their clients for whom they hold escrow,” he told Bloomberg Law. .
Seton Hall’s Opderbeck pointed to the risk to confidentiality, which he said is at the heart of the attorney-client relationship.
“Clients should know that they are free to tell their attorneys the truth without fear of public disclosure absent the client’s permission to make a disclosure (for example, in a public role),” it said. -he declares. “And clients who complain about their lawyer’s conduct should also be aware that there are at least some aspects of the lawyer’s disciplinary process that do not require full disclosure of the confidences previously exchanged between lawyer and client. “
The California State Bar declined to comment on its privacy obligations under state law, citing ongoing litigation. His motion to dismiss is due for argument on August 8.