A Clark County judge on Thursday denied the Clark County School District’s (CCSD) motion to dismiss a class action lawsuit over a 2023 cybersecurity breach, an unexpected development considering the judge had previously said he was leaning toward dismissing the case.
The lawsuit, filed Oct. 31, alleges that the breach exposed and made publicly available highly confidential information of the district’s teachers, students, alumni, and their families. The lawsuit asks the district to promptly identify and notify all affected parties, train staff on how to identify and contain cyberattacks, and compensate victims of the breach.
Clark County District Court Judge Jacqueline Bruce said during a hearing Thursday that it would be premature to grant the district’s motion to dismiss the case before the discovery phase begins, which is looking into how cybersecurity policy decisions are made within the district.
It’s unclear how many people were affected by the cyberattack, but reports estimate that the personal information of between 200,000 and 300,000 students in the school district was leaked online. The school district first notified families about the breach on October 16, and said it became aware of the problem around October 5.
This is the second time in the past three years that the school district has reported experiencing a major cybersecurity breach.
Thursday’s ruling came after Judge Bruce previously said he was leaning toward granting a motion to dismiss after the district’s lawyers argued the district had immunity in the case.
During the hearing, April Strauss, one of the attorneys representing parents of CCSD students, cited the Health Insurance Portability and Accountability Act and Family Educational Rights and Privacy Act One that limits the release of medical information and protects students’ education records.
Strauss criticized the district for using students’ birth dates to create default passwords.
The hackers Investigators who claim to be responsible for the cyberattack say they were able to uncover password settings used by the school district using social media and online forum posts dating back to 2016.
“If you think of personal information as a car, they left the keys in the ignition,” Strauss said, adding that the district’s password settings were known to current and former students and staff and were like leaving a sign on a car’s windshield telling people where the keys are. She said this was a willful and intentional act.
Strauss also disputed the argument that the District has “discretionary immunity,” which is a law that says state agencies can’t be sued for the exercise or failure to exercise discretionary power, regardless of whether the power was abused. He added that immunity for government agencies is the exception in Nevada, not the rule.
“Government agencies don’t have blanket authority here,” she said.
The district has said its data privacy and cybersecurity policies are discretionary and based on judgments about costs and the impact on students and staff. At Thursday’s hearing, Justin Holmes, one of the attorneys representing the district, said the only bad actors in this case were the hackers.
“There is no intentionality here,” he said. “If there is, it’s by cybercriminals.” [who] The Clark County School District’s systems were hacked, making them victims in addition to other individuals who may be affected.”
Moreover, Holmes argued that none of the laws Strauss cited that he called directives constituted orders.
Bruce said his ruling was based on Strauss’ arguments regarding Nevada’s immunity status for government agencies and the plaintiffs’ arguments that the District’s conduct regarding cybersecurity issues was willful and deliberate.
“We need to go into discovery to understand how the decision was made, who made the decision, what information they had about possible threats when they made the decision,” she said.