The California Department of Justice (DoJ) has released its independent investigation of the exposure of confidential personal data associated with the update of DoJ’s 2022 Firearms Dashboard. The state agency agreed to implement a list of recommendations to improve data security going forward, including hiring a chief information security officer.
In a press release, the California DoJ noted that the investigation was conducted by independent legal and forensic cyber experts. Per the investigation’s findings, the data breach exposed some confidential personal data of roughly 192,000 individuals who applied for a concealed carry weapons (CCW) permit from approximately 2012-2021. The audit noted that the data was unintentionally disclosed on June 27 and June 28, 2022.
“This unauthorized release of personal information was unacceptable. This was more than an exposure of data, it was a breach of trust that falls far short of my expectations and the expectations Californians have of our department,” said Attorney General Bonta in a press release.
“I remain deeply angered that this incident occurred and extend my deepest apologies on behalf of the Department of Justice to those who were affected,” the AG said. “I thank the outside experts for this independent report, which is an important step in our work to build trust and transparency. While the report found no ill intent, this incident was unacceptable, and DoJ must be held to the highest standard. This failure requires immediate correction, which is why we are implementing all of the recommendations from this independent report.”
The state said that the data exposure, while “unacceptable,” was also unintentional, and was due to a number of deficiencies within DoJ including “a lack of training, expertise, and professional rigor; insufficient documentation, policies, and procedures; and inadequate oversight.” The DoJ said the investigation provides the public and the state agency with an overview of the incident, as well as recommendations for the department to improve its ongoing data security practices.
The independent investigators offered up a list of recommendations, and the DoJ said it has “committed to implementing” all of them. The recommendations are:
- Conduct a thorough review of all DoJ policies and procedures regarding the handling of confidential personal data and the supervision of personnel handling such data.
- Provide enhanced trainings regarding the handling of confidential personal data as appropriate, taking into account the specific roles and responsibilities of DoJ personnel.
- Evaluate security risks for IT solutions used for projects that involve personal data and provide formal training for DoJ personnel regarding the use of these solutions.
- Centralize and improve DoJ’s organizational structure to enhance oversight and supervision of organization-wide risk management, data security, and related functions. To improve its oversight over risk management, data security, and related functions, DoJ will hire a chief information security officer to lead a team of specialists and have ultimate responsibility for data security across all DoJ components.
- Develop a detailed data incident action plan for use in case of any future reports of exposure of confidential or sensitive data.
- Review and revise its approval process for any project involving confidential personal data to ensure that such review is sufficiently documented, systematic, and rigorous.