Back in late June 2022, the California Attorney General’s office and Department of Justice landed themselves in some trouble when they leaked the personal data of over 192,000 concealed carry permit holders and applicants from 2011-2021.
This information included names, races, home addresses, dates of birth, dates of permit issuance (if applicable), types of permits issued, criminal histories, and whether applicants were members of certain groups like judges or law enforcement.
The DOJ did not even initially realize that this information was available on its online Firearms Dashboard, which was started with the goal of providing transparency about all things firearms sales and permit applications in California.
After Attorney General Rob Bonta received a direct message on Twitter with sensitive information in it, the leak was investigated and the information taken down, but not before a large number of people got their hands on it.
In the roughly 12-hour period that the personal information was live on the California DOJ’s website, it was downloaded 2,734 times by 507 unique IP addresses. The site actually crashed because of how many people were trying to download the sensitive information.
Picking Up the Pieces
Following the massive data release, an investigation was immediately launched to trace the cause. The DOJ tapped the law firm Morrison Foerster to lead the independent investigation with the help of outside cybersecurity expert FTI. Now, nearly six months later, that investigation has concluded.
The investigation reported that it found no malicious intent behind the data leak. However, it did uncover what it called a “number of deficiencies” within the DOJ, including “lack of training, expertise, and professional rigor; insufficient documentation, policies, and procedures; and inadequate oversight.”
In response to the findings, Attorney General Bonta thanked the experts involved in the investigation and apologized to those affected on behalf of the DOJ, saying he was “deeply angered that this incident occurred.”
Not everyone was satisfied with his response, though. Assemblyman Jim Patterson of Fresno stated, “Saying you’re sorry and it won’t happen again isn’t good enough. It should have never happened in the first place.”
What are the next steps in California?
The DOJ has agreed to conduct a thorough review of all its current policies and procedures related to the handling of sensitive information. It will also be implementing some new policies, including:
- Providing enhanced training on the handling of confidential personal data
- Evaluating security risks for IT solutions
- Centralizing and improving the overall organizational structure of the DOJ to ensure a safer, more efficient flow
- Developing a detailed data incident action plan
- Reviewing and revising its approval process for any projects involving confidential data
On the civilian side, the California Rifle & Pistol Association is preparing a lawsuit against the state. Chuck Michel, attorney and president of this organization, is encouraging affected individuals to talk to their own attorneys about potentially filing their own lawsuits.