Judge denies motion to dismiss cybersecurity lawsuit against Clark County schools The Nevada Independent

pA Clark County judge on Thursday denied the Clark County School District CCSDs motion to dismiss a class action lawsuit over a 2023 cybersecurity breach an unexpected development considering the judge previously said she leaned toward dismissing the caseppThe lawsuit filed Oct 31 said the breach led to the compromise and public release of highly sensitive information belonging to the districts teachers students and graduates as well as their families It asks the district to promptly identify and notify all affected parties train personnel on how to identify and contain a cyberattack and compensate victims of the breach ppClark County District Court Judge Jacqueline Bluth said during Thursdays hearing it would be premature to grant the districts motion to dismiss the lawsuit before going into the discovery phase of the case to find out how cybersecurity policy decisions are made at the district ppIts unclear how many individuals were caught up in the cyberattack but reports estimate between 200000 to 300000 district students had their personal data leaked online The district first notified families of the breach Oct 16 saying it became aware of the issue around Oct 5 ppIt was the second time in the last three years that the district reported experiencing a major cybersecurity breach ppThursdays ruling came after Bluth previously stated she leaned toward granting the motion to dismiss after an attorney for the district argued that the district had immunity in the case ppDuring the hearing April Strauss one of the attorneys representing parents of CCSD students argued that the district had a duty to protect sensitive student data under federal privacy laws such as the Health Insurance Portability and Accountability Act and Family Educational Rights and Privacy Act that restrict release of medical information and protect student educational records  ppStrauss criticized the districts use of students birth dates to form their default passwordsppThe hackers who claimed to be responsible for the cyberattack have said they were able to use social media and posts in an online forum going back to 2016 to figure out the password configuration used by the district ppIf personal data were a car they left the keys in the ignition Strauss said adding that the districts password setup is known by current and former students and employees likening it to leaving a sign on the windshield of the car letting everyone know where the keys are She said that constituted willful and intentional conductppStrauss also pushed back on the argument that the district has discretionaryfunction immunity that law states no action may be brought against a state agency that is based upon the exercise or performance of or the failure to exercise or perform a discretionary function whether or not the discretion involved is abused She added that in Nevada immunity for government entities is the exception not the rule ppGovernment agencies dont have carte blanche here she said ppThe district has said its data privacy and cybersecurity policies are discretionary and made based on judgments about their expense and impact on students and employees During the Thursday hearing Justin Holmes one of the attorneys representing the district said the only bad actors in this case are the hackers ppTheres no intentional conduct here he said The intentionality if anything is from a cyber criminal who hacked into the Clark County School District system and made them a victim in addition to the rest of the individuals who are potentially impactedppIn addition Holmes argued that none of the laws which he called directives cited by Strauss  constitute a mandate ppBluth said her ruling was based on Strauss argument on Nevadas stance on immunity for government entities and plaintiffs claim that the districts conduct on cybersecurity issues has been wilful and intentional ppWe really need to be able to go into discovery to understand how decisions were made who made these decisions what information they had in regards to possible threats when they made these decisions she said p