A Clark County judge said she’s leaning toward granting the Clark County School District’s (CCSD) motion to dismiss a class action lawsuit filed on behalf of parents whose children’s data was leaked in a 2023 cyberattack, but is giving attorneys representing both sides time to prepare arguments on whether the district should be granted immunity.
The district first notified families of the breach on Oct. 16, saying it became aware of the issue around Oct. 5.
The lawsuit, filed Oct. 31, said the breach led to the compromise and public release of highly sensitive information belonging to the district’s teachers, students and graduates, as well as their families. It asks the district to promptly identify and notify all affected parties, train personnel on how to identify and contain a cyberattack, and compensate victims of the breach.
A group that identified itself as SingularityMD claimed to have leaked personal information from 200,000 students, including the students’ pictures and household contact information, medical information and behavior incident reports, and later shared files with a blog called DataBreaches.net that reports on cybersecurity issues, including a spreadsheet with information from more than 300,000 CCSD students.
It was the second time the district reported experiencing a major cybersecurity breach in the last three years.
The lawsuit blames the breach on the district’s “negligent and/or reckless failure” to “adequately protect” the personal information of students, families and employees affiliated with the district. It accuses the district of failing to implement adequate security procedures to protect its data, such as updating software licenses and requiring multi-factor authentication as part of the login process.
A Nov. 13 statement from the district stated that it continues to work with the FBI to investigate the cybersecurity threat and identify those affected by the breach, and additional safeguards have been implemented to further secure data for all students and staff. The district said it’s also working with a third party to review and evaluate the data and determine which individuals may have been affected, but hasn’t said how many people have received such a notification.
During a Thursday hearing on the case, an attorney representing the district, Justin Homes, argued that the plaintiffs have no standing because they haven’t received official confirmation that they or their students’ information was compromised, and instead “jumped the gun and ran to the courthouse before waiting to see if they were actually impacted.”
But an attorney for the plaintiffs, April Strauss, said those filing the lawsuit were among the parents that received emails from the hackers. Strauss argued that if victims can’t bring legal action before getting that verification, it provides an incentive for not properly notifying victims that their data was compromised.
Holmes argued that under state law, the school district has discretionary-function immunity from liability for an allegedly negligent decision. The law states no action may be brought against a state agency that is based upon the exercise or performance of, or the failure to exercise or perform, a discretionary function, whether or not the discretion involved is abused.
The district says its data privacy and cybersecurity policies are discretionary and made based on judgments about their expense and impact on students and employees.
Clark County District Court Judge Jacqueline Bluth agreed with the argument that the district may have immunity in the case and said she leaned toward granting the district’s motion to dismiss. She cited situations where immunity didn’t apply — where government entities did something intentionally or acted in a criminal nature, rather than being negligent.
“I could be completely wrong, but I need you to show me that I’m wrong,” Bluth said.
The next hearing in the case is set for June 27.
This story was updated at 11:20 a.m. on 4/12/24 to correct the name of the attorney for the district. His name is Justin Holmes.