Late last month, we reported on a data breach in California that exposed the personal data of every CCW holder in the state.
Yesterday, Assemblymember Jim Patterson requested an audit of the California Department of Justice to investigate the data breach.
The DOJ suffered a data breach on June 27 associated with the launch of its “2022 Firearms Dashboard Portal.” This breach resulted in the posting of personal information of all CCW applicants over the past decade to the DOJ’s website, including the person’s name, age, address, gender, race, driver’s license number, criminal history, Criminal Identification Index (CII) number and license type (Standard, Judicial, Reserve and Custodial). It is estimated that more than 200,000 people were affected by the breach, but it could be more. It is believed that other databases were also compromised, including the assault weapon registry, handguns certified for sale, dealer record sale, firearm safety certificate and gun violence restraining order dashboards.
This data breach threatens the safety of many CCW holders, many of whom are domestic violence, stalking and rape victims, security personnel, current and retired state and federal judges, retired law enforcement, and prosecutors in both state and federal courts. Just as we would expect to do with a breach of this magnitude in any other state agency, the Legislature needs a detailed explanation of how this happened so we can ensure that immediate reforms are implemented to restore public trust.
Because emergency audits under Rule 17 of the Joint Legislative Audit Committee are limited to a cost of $190,000, this request empowers the State Auditor to modify and decrease the scope of this audit as necessary to remain within this monetary limit. The audit’s scope should address the following questions:
- What is the total number of individuals impacted by the breach, which databases were compromised and for how long was personal information exposed, and what categories of information were released?
- Does DOJ comply with all relevant laws, rules, regulations, and best practices related to data protection?
- Has DOJ taken adequate and appropriate actions to investigate the breach and take down any personal information that may be posted on social media sites?
- What lapses resulted in the breach and what accountability measures have been taken to assign responsibility and prevent future unauthorized data releases?
- Has appropriate action been taken to prosecute any violations of law associated with the breach?
- Has DOJ taken appropriate steps to notify all individuals impacted by the breach?
- Has DOJ taken adequate and appropriate action to ensure the safety and security of impacted individuals?
- Do victims have the ability to contact DOJ, and does DOJ promptly respond?
- What steps should DOJ take to improve its data handling policies and practices?