The judge’s decision to deny the Clark County School District’s motion to dismiss a class action lawsuit over a cybersecurity breach in 2023 came as a surprise, especially since she had previously indicated a leaning towards dismissal. The lawsuit was filed on October 31 and alleged that the breach resulted in the exposure of highly sensitive information of teachers, students, graduates, and their families. The plaintiffs are seeking prompt identification and notification of affected parties, cybersecurity training for personnel, and compensation for victims.
During the recent hearing, Clark County District Court Judge Jacqueline Bluth emphasized the need to delve into the district’s cybersecurity measures before making a decision on dismissal. The exact number of individuals affected by the cyberattack remains uncertain, with reports estimating that between 200,000 to 300,000 district students had their personal data compromised. This incident marks the second major cybersecurity breach experienced by the district in the last three years.
Attorneys representing the plaintiffs argued that the district had a responsibility to safeguard sensitive student data under federal laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA). They criticized the district’s use of students’ birth dates as default passwords, which may have facilitated the breach.
The hackers responsible for the cyberattack claimed that they were able to exploit information from social media and online forums dating back to 2016 to decipher the district’s password configuration. This raised concerns about the district’s cybersecurity practices and their vulnerability to such attacks. The attorneys also challenged the district’s claim of “discretionary-function immunity,” arguing that government entities should not have blanket immunity and should be held accountable for their actions.
The district, on the other hand, maintained that their cybersecurity policies were discretionary and based on cost-benefit analyses to minimize the impact on students and employees. They asserted that the true perpetrators of wrongdoing were the hackers and that there was no intentional misconduct on their part. The district’s attorneys emphasized that the laws cited by the plaintiffs did not constitute mandates but rather directives.
Judge Bluth’s ruling to deny the motion to dismiss was influenced by the arguments presented regarding Nevada’s stance on immunity for government entities and the allegations of intentional conduct by the district regarding cybersecurity. She stressed the importance of proceeding to the discovery phase to gain insights into decision-making processes, individuals involved, and awareness of potential threats within the district.
The outcome of this lawsuit will likely have significant implications for how school districts handle cybersecurity and data privacy moving forward. It underscores the importance of robust cybersecurity measures to protect sensitive information and prevent breaches that can expose individuals to risks of identity theft and privacy violations. As technology continues to advance, educational institutions must prioritize cybersecurity to safeguard their students, staff, and families from malicious cyber threats.
