A shadowy website on Saturday removed 260,000 confidential attorney discipline records it had published after a massive data breach at the State Bar of California.
An anonymous administrator for judyrecords.com said in a note on the website that the records, as well as others it intended to publish, had been deleted in response to the State Bar’s disclosure of the breach and a subsequent Southern California News Group article.
Update: Security glitch enabled website to publish attorney discipline records, State Bar says
The administrator claims the records had been made publicly available on the State Bar’s discipline website, which is now offline. But the State Bar disputes that contention.
The State Bar first discovered the breach Friday. In addition to limited data on attorney discipline records, judyrecords.com also published about 60,000 public State Bar court cases
The website also displayed confidential court records from other jurisdictions, the State Bar said.
The State Bar Court website allows the public to search for publicly available case information. An investigation is under way to determine how judyrecords.com was able to obtain nonpublic records stored in the State Bar’s Odyssey case management system.
Under state law, all attorney disciplinary investigations are confidential until formal charges are filed and a court proceeding is initiated.
“The nonpublic case profile data from the State Bar appears to have been displayed on this public website in violation of this statute,” the State Bar said. “It includes case number, file date, case type, case status, and respondent and complaining witness names. It does not include full case records. We do not yet know how many attorney or witness names were disclosed.”
Leah Wilson, executive director of the State Bar, apologized Saturday for the data breach.
“We take our obligations to protect confidential data with the utmost seriousness, and we are doing everything we can to ensure that we resolve this issue quickly and prevent any such breaches from recurring,” Wilson said. “We intend to act quickly to provide any necessary disclosures to affected individuals.”
The State Bar has notified law enforcement of the breach and has retained a team of information technology forensics experts to assist in the investigation. It also has tasked its vendor, Tyler Technologies, with correcting any issues with its Odyssey case management software.
Former Los Angeles County District Attorney Steve Cooley questioned the State Bar’s handling of the breach.
“The State Bar claims they will do a variety of things to address the breach of confidential records,” he said Sunday. “They did not mention their legal obligation to notify those whose records may have been revealed. That might be a daunting task but is the law.”
Cooley noted that “any allegation of a misdeed that requires investigation must be kept confidential unless and until the matter is filed or closed. If not, the investigation could be compromised. Oftentimes allegations are false or grossly exaggerated. Their publication could cause unnecessary harm to an innocent party.”
The State Bar has set up a web page to provide ongoing updates and answer questions at calbar.ca.gov/data-breach.
