A Clark County judge on Thursday denied the Clark County School District (CCSD)’s motion to dismiss a class action lawsuit over a 2023 cybersecurity breach — an unexpected development considering the judge previously said she leaned toward dismissing the case.
The lawsuit, filed Oct. 31, said the breach led to the compromise and public release of highly sensitive information belonging to the district’s teachers, students and graduates, as well as their families. It asks the district to promptly identify and notify all affected parties, train personnel on how to identify and contain a cyberattack, and compensate victims of the breach.
Clark County District Court Judge Jacqueline Bluth said during Thursday’s hearing it would be premature to grant the district’s motion to dismiss the lawsuit before going into the discovery phase of the case to find out how cybersecurity policy decisions are made at the district.
It’s unclear how many individuals were caught up in the cyberattack, but reports estimate between 200,000 to 300,000 district students had their personal data leaked online. The district first notified families of the breach Oct. 16, saying it became aware of the issue around Oct. 5.
It was the second time in the last three years that the district reported experiencing a major cybersecurity breach.
Thursday’s ruling came after Bluth previously stated she leaned toward granting the motion to dismiss after an attorney for the district argued that the district had immunity in the case.
During the hearing, April Strauss, one of the attorneys representing parents of CCSD students, argued that the district had a duty to protect sensitive student data under federal privacy laws such as the Health Insurance Portability and Accountability Act and Family Educational Rights and Privacy Act that restrict release of medical information and protect student educational records.
Strauss criticized the district’s use of students’ birth dates to form their default passwords.
The hackers, who claimed to be responsible for the cyberattack, have said they were able to use social media and posts in an online forum going back to 2016 to figure out the password configuration used by the district.
“If personal data were a car, they left the keys in the ignition,” Strauss said, adding that the district’s password setup is known by current and former students and employees, likening it to leaving a sign on the windshield of the car letting everyone know where the keys are. She said that constituted willful and intentional conduct.
Strauss also pushed back on the argument that the district has “discretionary-function immunity” — that law states no action may be brought against a state agency that is based upon the exercise or performance of, or the failure to exercise or perform, a discretionary function, whether or not the discretion involved is abused. She added that in Nevada, immunity for government entities is the exception, not the rule.
“Government agencies don’t have carte blanche here,” she said.
The district has said its data privacy and cybersecurity policies are discretionary and made based on judgments about their expense and impact on students and employees. During the Thursday hearing, Justin Holmes, one of the attorneys representing the district, said the only bad actors in this case are the hackers.
“There’s no intentional conduct here,” he said. “The intentionality, if anything, is from a cyber criminal [who] hacked into the Clark County School District system and made them a victim in addition to the rest of the individuals who are potentially impacted.”
In addition, Holmes argued that none of the laws, which he called directives, cited by Strauss constitute a mandate.
Bluth said her ruling was based on Strauss’ argument on Nevada’s stance on immunity for government entities and plaintiffs’ claim that the district’s conduct on cybersecurity issues has been wilful and intentional.
“We really need to be able to go into discovery to understand … how decisions were made, who made these decisions, what information they had in regards to possible threats when they made these decisions,” she said.
