The State Bar of California’s plan to notify attorneys whose names were exposed in a data breach of disciplinary records may spur litigation from lawyers who feel their reputations have been tarnished.
The California bar said it will send notices to complainants, witnesses, and respondents whose names appeared in the over 320,000 confidential records that were posted on a third-party site and available from October 2021 to February 2022. It said it wasn’t legally required to provide the notifications, but would do so regardless.
“We are taking these steps because we believe it’s the right thing to do,” said Leah Wilson, the executive director of the California bar, in a statement. “The State Bar is committed to transparency, and maintaining the public’s trust in our agency is paramount.”
Notices are expected to reach approximately 1,300 people whose names appeared in confidential records that showed evidence of a page view on the third-party site, including people tied to six records that contained a case type signaling mental illness or substance abuse.
Attorneys who receive these notifications and experience negative impacts on their career could bring negligence or emotional distress claims against the California bar, lawyers said.
“Litigation is a real possibility for people if they suffer reputational harm and it affects their ability to practice,” said Lucie Huger, an attorney at Greensfelder, Hemker & Gale P.C. in St. Louis. “Those who have experienced the breach are going to say: This should never have happened.”
Attorneys from Cooley LLP, who are advising the California bar, didn’t respond to a request for comment.
The California bar’s May 6 notification announcement comes after the organization discovered in February a leak affecting attorney discipline case data. The information was posted on a third-party site, judyrecords, after a flaw in the State Bar’s case management portal allowed nonpublic records to be swept up by the aggregator.
In the consumer data breach context, harm is often conceptualized as identity theft or fraud as the result of compromised Social Security numbers or credit card information, Huger said. But having one’s name tied to a disciplinary record can harm an attorney’s reputation and career prospects, even if the proceeding ultimately finds that lawyer didn’t do anything wrong, she said.
The fact that the nature of the breach concerns attorney records and sensitive information such as potential misconduct or mental health sets it up for a high likelihood of litigation, said Jeff Dennis, a partner at Newmeyer Dillion in Newport Beach, Calif.
Potential plaintiffs will likely face the challenge of proving they have standing and alleging injury-in-fact, Dennis said. Data incident cases such as these are factually intensive, he noted, making it difficult to ascertain whether plaintiffs’ claims will ultimately be successful.
Notification, Security Obligations
Despite litigation risk, businesses should consider sending notifications after a data breach even if it’s not legally required, attorneys said.
Companies will often notify an entire population of people affected by a breach, not just those they are obligated to reach out to under breach reporting laws and other statutes, said Tom Zych, a partner at Thompson Hine in Cleveland.
Not only do businesses and organizations want to do the right thing and alert people who’ve potentially been impacted, but it can be difficult to “slice and dice” who was impacted by a breach and who wasn’t, often making broader disclosures more practicable, Zych said.
“If the group of people you didn’t notify later suffers an identity breach or something along those lines as a result, they may have a strong legal case against you,” he added.
The California bar’s case management portal was powered by a third party, Tyler Technologies, whose previously unknown security vulnerability allowed the nonpublic records to be unintentionally swept up by judyrecords when it attempted to access public records, the State Bar said.
A Tyler Technologies spokeswoman told Bloomberg Law that the issue had been remediated with 100% of impacted clients through updates and additional security measures.
“We have addressed the unique situation in which a data harvesting process accessed some nonpublic information via Odyssey Portal,” the spokeswoman said in a statement. “This access only affected certain public-facing versions of Odyssey Portal and does not apply to any other Odyssey applications.”
Judyrecords declined to comment.
The incident underscores organizations’ need to assess the security posture of third-party vendors, Dennis said. Having an independent auditor stress test systems, especially those that host sensitive information, is one way of beefing up security, he said.
Getting another set of eyes on technical systems can help pinpoint any vulnerabilities that can then be patched before it’s too late, he added.
“It’s a reminder that you have to be ensuring that these third parties you’re entrusting this info to are protecting it as if it’s their own,” Dennis said.