San Diego Unified Waited 5 Weeks to Notify Families of Data Breach

The San Diego Unified School District (“SDUSD”) has confirmed details regarding the timeline of a previously undisclosed “cybersecurity incident” in a report it filed with the state Attorney General’s office on December 12, 2022.

The sample data breach letter filed with the Attorney General’s office confirms that the cybersecurity incident occurred October 25, 2022 – five weeks before the district’s first notification to employees and student families of this incident.

The number of individuals affected by this breach has not been fully disclosed at this time but could be in the tens of thousands of individuals.

The district “determined that the stolen data may include [a person’s] name, Social Security number, health plan information, and/or direct deposit information,” the letter adds. Medical information may be implicated, but it is not clear from the description of the breach at this time.

The letter included in SDUSD’s filing states that the district has “implemented additional security measures to enhance our existing cybersecurity protocols,” but doesn’t specify what those measures include. Also, SDUSD confirmed in the letter that it will offer a complimentary one-year membership to an identity monitoring service for victims of this breach, significantly less than what the law may require.

For a free privacy consultation fill out the form below or call us at 1-844-BREACH8 (1-844-273-2248).

San Diego Unified School District Data Breach

According to NBC San Diego, SDUSD sent the first email to its employees and student families on December 1, 2022, informing them of the breach.

SDUSD then reported the breach to the California Attorney General’s office on December 12, 2022 and sent a second email to its employees and student families regarding the breach on December 14, 2022.

According to Dennis Monahan, the District’s Executive Director of Risk Management & Captive Insurance, “while the investigation is still ongoing, that certain files stored on San Diego Unified systems were taken by an unauthorized party.”

The investigation to this point “determined that the data involved includes personal information of many current and former employees who have been employed with the district since 2020,” Monahan added.

SDUSD has released very few details about the actual incident, but only said that “critical systems” were still operational and there was no impact on their safety and emergency mechanisms at any schools or offices.

For free information on your legal right to seek compensation in a class action lawsuit, fill out the form below or call us at 1-844-BREACH8 (1-844-273-2248).

Special California Data Breach Laws Protect You

If you or your student is a California resident and received a Recent Notice of Data Breach from San Diego Unified School District, you may be entitled to up to $1,000 or your actual damages, whichever is greater, depending on the nature of the data in question.

Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that school districts have reasonable security practices to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from reoccurring. This is because California has laws that specifically protect your personal information, such as:

The Student Online Personal Information Protection Act (SOPIPA), which requires that every online service used primarily for K-12 school purposes must maintain reasonable security procedures and practices to protect student personal information from unauthorized access, destruction, or disclosure.
The California Confidentiality of Medical Information Act (CMIA), which requires that every health care provider and health care service plan who maintains medical information do so in a way that preserves its confidentiality.
The California Information Practices Act (IPA), which requires businesses to put into place and maintain reasonable security procedures and practices to protect consumer’s personal information.

If you have received a Data Breach Notice from San Diego Unified School District and are concerned about this breach and what your legal options are, fill out the form below or call us at 1-844-BREACH8 (1-844-273-2248).

The Data at Issue Can Be Vulnerable to Misuse and Abuse for Years

If certain types of personal information, like medical information and names, are left unencrypted and are accessed, stolen, or hacked because the SDUSD didn’t fulfill its duty to implement and maintain reasonable security, an affected California resident can sue to protect their rights under the SOPIPA, CMIA and/or IPA. Medical information (which may be covered depending on the nature of the health plan information at issue) may be covered by the CMIA and if applicable provides for an award of statutory damages.

Cyber-crimes present an attractive target for hackers: Data can be bought and sold anonymously, and the going rate per personal record is under $20 per record, depending on the type of information, according to Privacy Affairs Dark Web Index of 2021 (Source: E. Harrell, Victims of Identity Theft, 2018. US Department of Justice, Office of Justice Programs, Bureau of Justice Statistics, 2021).

Medical records that may be related to health plan information are even more valuable, as they potentially provide access to expensive health care along with other forms of identity theft. Thieves may choose to wait years to capitalize on compromised personal data, particularly Social Security numbers.

The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities. Personal data about minor students, which may include special education information and other highly sensitive materials, should be robustly protected by school districts.

The sensitive nature of this data means that “student information is something that must be handled with great care. [. . . ] As the devices we use each day become increasingly connected, it’s critical that we implement robust safeguards for what is collected, how it is used, and with whom it is shared.” (Source: K. Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016)).

We Can Help You Exercise Your Legal Rights

Every case is unique. Even when your data has been part of a breach, despite the provisions of the SOPIPA, CMIA, and IPA you may not be awarded compensation. Experienced data breach and class action attorneys can help you exercise your rights, evaluate your options, and decide whether you are entitled to compensation.

There are no out of pocket costs to you, as we only get paid if we prevail. If you have received a Data Breach Notice and are concerned about this breach and your options, please fill out the form below or call us at 1-844-BREACH8 (1-844-273-2248).