State Bar of Calif. Data Breach Caused Confidential Disciplinary Records to Show Up on Third-Party Website, Class Action Says

New to ClassAction.org? Read our Newswire Disclaimer

The State Bar of California faces a proposed class action over what four pseudonymous plaintiffs allege was the unauthorized disclosure of hundreds of thousands of confidential disciplinary records that were ultimately obtained and published by a third-party website.

The 17-page lawsuit alleges that the actions of both the California Bar and the owner of Judyrecords.com have caused the details of roughly 260,000 confidential disciplinary records or other private information belonging to Bar members and individuals who submit complaints about them to be exposed on the website for “about four months.” 

The suit says that although a third-party complainant informed the California Bar in late-February 2022 that confidential records were being published on search-by-name site Judyrecords.com, the state bar, as of the lawsuit’s initial filing in March 2022, had not notified members or complainants of the apparent “breach” or what information in particular was obtained, “leaving them to guess if they should do something or what they should do next.” A May 6, 2022 update on the California Bar’s official website states that the Bar is “implementing a notification plan for complainants, witnesses, and respondents whose names appeared in the approximately 322,525 confidential records” that were available on Judyrecords.com between October 15, 2021 and February 26, 2022. 

According to the lawsuit, the California Bar’s delay in providing victims of the data breach with specific details has prevented the individuals from taking any steps to mitigate the potential fallout from their information being published. The case relays that the State Bar of California is required to keep disciplinary records confidential until formal charges are filed “for the safety and protection of everyone involved.” From the complaint: 

“[Data breach victims] need to know what information was out there so they can mitigate harm. The State Bar could have released the members [sic] fingerprints and social security numbers along with investigation information. The State Bar could have released the Complainants [sic] home address or an investigation of a supervisor. Not knowing and not getting any specific information when requested is causing anxiety, worry, and emotional distress.”

According to the filing, the State Bar of California collects confidential information from its members and the public who file complaints against members. Per the case, the large volume of information possessed by the California Bar was recently expanded to include members’ biometric data. 

Sometime in 2019, the California Bar intentionally transferred some or all of the confidential records in its AS 400 Case Management System to a new case management system that was purchased from Tyler Technologies, a software vendor who is also named as a defendant, the lawsuit states. The suit relays that the California Bar “intentionally decided to open its port(s) and publish all of its public records concerning disciplinary proceedings online,” including dockets, disciplinary files, recommendations and review department opinions. The Bar also created a log-in portal through which members could provide confidential information. 

In or around October 2021, the individual responsible for Judyrecords.com “intentionally connected its database to the State Bar’s port” and received “an enormous amount of confidential information” without authorization, the suit goes on. The website then published “some or all” of the confidential and disciplinary data it obtained, leaving the information “free and open to the public to search,” the complaint relays. 

According to the case, Judyrecords.com was able to access the data because an employee of the State Bar of California failed to implement and maintain reasonable security procedures and practices “appropriate to the nature of the information.” 

The lawsuit says that the public disclosure of confidential disciplinary records can lead to reputational injury, job loss, emotional distresses and “in extreme cases bodily injury or loss of life.” 

Per the suit, the State Bar of California has a history of failing to safeguard the confidential information of its members and complainants. The case says there exists “two decades of complaints” by attorneys and complaining witnesses that evidence the Bar’s “reckless conduct in disclosing confidential information without recourse.”

The lawsuit looks to represent all California residents identified in the approximately 100 to 260,000 confidential California State Bar records received by the owner/operator of Judyrecords.com, including both complainants and members of the state bar. 

After its initial filing in Orange County Superior Court on March 18, the case was removed to California’s Central District Court on May 13, 2022.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.