LAS VEGAS, NV – A judge in Clark County is leaning toward granting the motion to dismiss a class action lawsuit filed against the Clark County School District (CCSD) in response to a cyberattack in 2023 that leaked students’ data. However, the judge wants both sides to prepare arguments regarding the district’s potential immunity. CCSD initially informed families about the breach on October 16, after discovering the issue around October 5.
The lawsuit, filed on October 31, alleges that the breach led to the exposure of highly sensitive information belonging to teachers, students, graduates, and their families. It demands that the district promptly identify and notify all affected parties, provide cybersecurity training to staff, and compensate victims. The group claiming responsibility for the breach, SingularityMD, leaked personal information from 200,000 students, including photos, contact details, medical information, and incident reports. They later shared over 300,000 CCSD students’ information in a spreadsheet with the cybersecurity blog, DataBreaches.net.
This is the second major cyberattack on the district within three years. The lawsuit accuses the district of negligence in protecting personal data. It alleges that the district failed to implement adequate security measures, such as updating software licenses and enforcing multi-factor authentication for logins.
A statement from CCSD on November 13 confirmed ongoing collaboration with the FBI to investigate the cyber threat and identify affected individuals. The district has implemented additional safeguards to enhance data security for all students and staff. To determine the extent of the breach, CCSD is working with a third party to evaluate the compromised data, but the number of affected individuals remains undisclosed.
During a recent hearing, Stephen Hackett, an attorney for the district, argued that the plaintiffs lacked standing since they had not received official confirmation of their data being compromised. Hackett claimed that the plaintiffs rushed to file the lawsuit without verifying the impact on their information. However, April Strauss, representing the plaintiffs, argued that the parents who filed the suit had received emails from the hackers. She contended that if victims cannot seek legal action without confirmation, there would be no incentive to properly notify individuals of data breaches.
Hackett further defended the district by citing state law granting discretionary-function immunity, stating that no action can be brought against a state agency for allegedly negligent decisions. CCSD argues that its data privacy and cybersecurity policies are discretionary and based on careful considerations of cost and impact on students and staff.
Judge Jacqueline Bluth from the Clark County District Court acknowledged the potential for immunity, expressing a leaning toward granting the district’s motion to dismiss. However, she emphasized that immunity would not apply if the district had acted intentionally or criminally. Bluth challenged the parties to present compelling arguments to change her perspective. The case will be revisited on June 27.
In the face of this cyberattack fallout, the Clark County School District awaits a resolution that may have broader implications for data protection and accountability in the educational sector.