California’s state bar association, which is responsible for licensing and regulating more than 250,000 lawyers in the most populous US state, is itself under scrutiny for a data leak that allowed confidential client complaint and attorney disciplinary record data to be captured by a free court records website.
As many as 322,500 such documents were vacuumed up by JudyRecords.com between October 2021 and February 2022, according to a proposed class action filed against the California bar by two lawyers, a former judge, and three people with attorney grievances, all of whom are proceeding anonymously.
When a state bar experiences a data breach, confidential information stored in disciplinary files could be a target, and releasing those files could potentially lead to doxing, extortion, or identity theft, as well as to litigation against the bar, according to attorneys who spoke to Bloomberg Law about the matter.
Accusing the State Bar of California of invasion of privacy, negligence, and violation of the state’s Information Practices Act, those suing it are seeking money damages and injunctive relief. Also named as defendants in the case are the vendor that supplied the CalBar case management software and bar’s interim information technology director.
The Bar has since moved for dismissal, arguing among other things that the Information Practices Act doesn’t apply to it. It also maintains that JudyRecords.com captured “only Docket Data, not complaints or other case documents from underlying disciplinary proceedings.”
But just months after the California incursion, the State Bar of Georgia’s website was limited in response to unauthorized access. The Georgia Bar announced May 20 that it had a new temporary website and that it was continuing to “work through” the unauthorized access to its site.
Breach of disciplinary files is a “nightmare scenario” in terms of confidential information, and the possible negative implications could go “well beyond” a traditional data breach, said Fredric D. Bellamy, a member of Dickinson Wright PLLC with experience in data privacy and cybersecurity law.
“How badly this trend accelerates could depend on whether the hackers were able to steal data from the bars that have already been attacked that can be sold on the black market,” he told Bloomberg Law. “That kind of financial success would encourage more hackers to target bar organizations.”
Responsibility for attorney registration and discipline varies from state to state. In some places, such as New York, the courts handle that responsibility, while in others, such as California, it’s the state bar, and in Illinois, its the Attorney Registration and Disciplinary Committee.
Regardless of where they are stored, those disciplinary files likely include sensitive client data, including banking and financial information, social security numbers, medical records, and disclosures lawyers were likely required to turn over in the course of an investigation, said Maryam Meseha, a partner in FisherBroyles LLP’s growing Cyber-Risk, Privacy & Data Security practice group.
While cyber attackers’ motives are often unclear just after a breach, it’s known that some individuals want to gain access to confidential attorney disciplinary files or client information, as was the case in California, according to David Opderbeck, a professor of law and co-director of the Institute for Privacy Protection at Seton Hall Law.
The legal profession has a “strong interest in assuring the public that their personal information will not be publicly disclosed if it is not otherwise available in a public court or tribunal’s public docket,” Opderbeck told Bloomberg Law.
It is “hard to imagine” how an attorney who submitted that confidential information to the state bar could be held responsible for a bar’s data breach, but the issues are not so clear cut for the organizations, Meseha said.
Litigation surrounding leaked information and/or breaches usually hinge on plaintiffs’ proof that actual misuse of that information has occurred, which ultimately led to a tangible harm, Meseha said. It will be up to the fact finder in this case to determine whether there was reputational harm, as alleged in the complaint, and whether that harm meets the legal standard of each cause of action.
For a California litigant claiming invasion of privacy, that means proving both a reasonable expectation of privacy and that the release of information would be highly offensive to a reasonable person.
“That’s a pretty high bar to jump over,” Meseha said. “Damages, of course, are an entirely separate issue. How much is your reputation worth? It depends.”
Meseha said she doubted a resultant judgment would bankrupt the California bar. “They likely have robust insurance coverage policies that are covering this,” she said. “The damages finding would have to be well over the coverage limits to pose any real threat to the CA Bar’s financial footing.”
Opderbeck countered it’s “conceivable that a particularly egregious breach of PII from a State Bar data base could result in the kind of liability that might threaten the viability of the organization.”
“But such a catastrophic liability might be unlikely because there are enormous questions about the legal theory of harm, causation, and how to measure damages,” the professor told Bloomberg Law via email. “Still, like any other organization that handles PII, a State Bar should have a comprehensive cyber risk management policy in place.”
He added, “Outside the context of attorney discipline, the activities of most state bar associations are pretty boring from a hacker’s perspective.”
What’s at Stake
In a state such as New York, where attorney regulation, admissions, and discipline are handled through the court system and not through the bar, hacks into the state bar association system would “have no impact upon attorneys who are being investigated or have been disciplined for ethical violations,” according to Chris McDonough, a special counsel to Foley Griffin LLP who frequently represents lawyers facing grievances or disciplinary proceedings in New York.
McDonough said that, if there were a breach of disciplinary files, bank account info could be jeopardized. That is because a “large majority of complaints” that result in sanctions are based upon errors in managing escrow accounts, and those files would likely include unredacted bank records submitted by the attorney, he said.
“The acquisition of these bank account numbers, and other details could lead to significant fraudulent activities that would harm both the lawyers and their clients for whom they’re holding escrow,” he told Bloomberg Law.
Seton Hall’s Opderbeck emphasized the risk to confidentiality, which he said relates to the heart of the attorney-client relationship.
“Clients must know that they are free to tell their attorneys the truth without fear of public disclosure absent the client’s authorization to make a disclosure (for example, in a public court docket),” he said. “And clients who have complaints about their attorneys’ conduct likewise should know that there are at least some aspects of the attorney disciplinary process that do not require full disclosure of the confidences previously exchanged between the attorney and client.”
The California State Bar declined to comment on its privacy duties under state law, citing ongoing litigation. Its motion to dismiss is scheduled to be argued on Aug. 8.