After the California State Bar’s security was accidentally bypassed by open records site judyrecords in February, five anonymous individuals have been working on a class action lawsuit against the Bar, their software vendor and the vendor’s information technology director.
The breach allowed 322,000 confidential disciplinary records to be freely displayed on judyrecords’ site. Of these, people viewed 1,034 records on judyrecords, according to the site’s operator, Kevan Schwitzer. Schwitzer wrote on his site that the disciplinary records were open to anyone to access as long as they could guess the records’ URL. The State Bar’s website, with software provided by Tyler Technologies, did not check to see if a person accessing the records was authorized to do so with a log-in.
“The California Bar Disciplinary Records Odyssey System, designed and maintained by Tyler Tech., did not perform access control checks when the automated program directly accessed the individual records,” Schwitzer wrote in a court document.
The plaintiff’s March 18 lawsuit brings charges of violating the California Information Practices Act of 1977, two counts of invasion of privacy according to California law, two counts of invasion of privacy according to federal law and two counts of violating the Sherman Antitrust Act. The case was moved to federal court May 13.
The class action suit is for California residents identified in the confidential records, both for complainants and for members of the State Bar.
The parties reached a settlement agreement May 2 that resulted in dismissing Schwitzer. Tyler Technologies IT Director Rick Rankin is also a defendant. Both he and his company filed motions to dismiss themselves that the court has not yet ruled on.
Rankin’s motion claims the plaintiffs failed to allege duty or damages, and that they fail to allege that a serious invasion of privacy occurred.
Preliminary injunction
The plaintiffs moved for a preliminary injunction Aug. 5, requesting that the State Bar not file any notices of disciplinary actions against a member of the State Bar if the disciplinary investigation into them began more than six months ago.
The requested injunction would also restrain the State Bar from using the phrase “page views” in their notices to victims of the data breach because, the plaintiffs claim, the metric is misleading.
It also requested a restraint against the State Bar from sharing confidential information on the plaintiffs with the State Bar’s counsel.
Its last request was to force the State Bar to email notices of breach to each member of the State Bar in compliance with the California Information Practices Act.
The plaintiffs said they were afraid of the Bar retaliating against them by filing notices of disciplinary actions, which would make the confidential claims against them public.
The court denied the preliminary injunction Sept. 7, finding that the plaintiff’s arguments are unpersuasive, and that they did not explain why they feared retaliation.
“In addition to being speculative, Plaintiffs’ alleged harms—retaliation and lessened ability to seek damages in this lawsuit—can likely be compensated by money damages, which weighs “heavily against a claim of irreparable harm,” California Central District Judge Douglas McCormick wrote.
Case information
California Central District Judge Douglas McCormick presides.
Lenore Albert of the Laguna Beach Law Offices of Lenore Albert represents the plaintiffs.
Barrett Anderson, Gregory Merchant, Michael Rhodes, Tiana Demas and Chris Waidelich of multiple offices of Cooley LLP and Robert Retana, Suzanne Grandt, Vanessa Holton of in-house counsel, represent the State Bar.
Justin Anderson and Michael Gold of Los Angeles’ Jeffer Mangels Butler and Mitchell LLP represent Rankin.
Beth Petronio, Christina Goodrich and Zachary Timm of Los Angeles’ K&L Gates LLP represent Tyler Technologies.
Case number 8:22-cv-00983.
Read the complaint here.
Read the motion for preliminary injunction here.
Read the denial for the motion here.
