How do you ensure that organizations do their best to protect their employees and, in this case, students? In 2023, the Clark County School District (CCSD) was the victim of a data breach carried out by attackers. A recently published article titled “Judge: Clark County schools may have immunity in lawsuit over 2023 cybersecurity breach” caught our attention.

According to the article, “...the breach led to the compromise and public release of highly sensitive information belonging to the district’s teachers, students and graduates, as well as their families.” This was quoted from a class action lawsuit filed on behalf of parents whose sensitive information, as well as sensitive information about their children, was leaked during the breach.

The lawsuit requires the school district to notify all affected parties and compensate the data breach victims. As the article states, the personal information of 200,000 students was leaked, “including the students’ pictures and household contact information, medical information and behavior incident reports …” It should also be noted that this is the second major breach of the school district in a 3-year period.

However, as expected, the school district has retained legal representation and is arguing that it is immune from this lawsuit because it has “...discretionary-function immunity from liability for an allegedly negligent decision…” Discretionary-function immunity is a legal doctrine that protects government entities and their employees from liability for specific decisions or actions that involve discretion, judgment, or policy-making. Roughly translated, the school district claims that since cybersecurity and notification rules are discretionary, it should not be held liable for its mistake.

This case reminded us of an article we posted in June of 2022 titled “Cautionary Tales: Who Defines The Level of Care for Cybersecurity?” (https://www.arcticsecurity.com/resources/cautionary-tales-who-defines-the-level-of-care-for-cybersecurity), where we touched on what happens when people make negligent decisions related to cybersecurity. The ongoing and seemingly intractable problem we are dealing with today is that, in the US, we still lack fundamental regulations regarding an acceptable standard of care for cybersecurity. In areas where regulations are in place, there is a lack of consistent enforcement and enough gray area that a competent lawyer can argue that their client is not responsible.  

To put this bluntly, the costs associated with making bad or even extremely negligent decisions are, by and large, less than the costs of making excellent and proactive decisions regarding cybersecurity. Today, nobody wants to appear as if they are doing nothing. Yet, lacking any real, enforceable standards of due diligence, or worse yet, standards of due diligence that are severely lacking in substance, it is simply more straightforward and less costly to do the bare minimum or even less.

There are indeed many organizations today that spend enormous amounts of resources on cybersecurity, but those organizations are generally ones that have suffered major financial and reputational losses in the past for their previous decisions. It can also be argued that an organization may not know how much is enough until it has suffered a breach. However, in the case of the CCSD, it was the second time in three years. We'll hear later in the summer whether their immunity defense will fly.

I believe there should be a limit to playing the immunity card at some point, as people get harmed in cyberattacks.