Scribd
Upload
117 views89 pages

Morales V Rob Bonta

Rob Bonta and CA DOJ sued for monetary damages under CA Information Practices Act for leaking private confidential data of CCW permit holders.

Uploaded by

bghesq
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF or read online on Scribd
117 views89 pages

Morales V Rob Bonta

Rob Bonta and CA DOJ sued for monetary damages under CA Information Practices Act for leaking private confidential data of CCW permit holders.

Uploaded by

bghesq
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF or read online on Scribd
‘SUM.100 SUMMONS PRR ol EES EE Reber (CITACION JUDICIAL) NOTICE TO DEFENDANT: ueeniok tte, EB, iSO WANDAD' 3 aT Qeeat =auate COUNTY GF SAN BESWARONG ROBERT BONTA, in his official capacity as Attorney Goneral of the SAN RERIARDINO CVIL DVISION State of California, Additional Parties Attachment Form Attached = : YOU ARE BEING SUED BY PLAINTIFF: FEB 03 2023 (LO ESTA DEMANDANDO EL DEMANDANTE): ROBERT C. MORALES; KEITH KNIPSCHILD; DUSTIN ROBERTSON; D:T. SNAWDER; ROBERT HILLS; BRANDON KRONER ARGO, DEPUTY -HOTICET You Fave Baan sued. The cout may acide apalal you wihoul your bog Peardwress you respond win 30 days, Raa te noration "YoU have 0 CALENDAR DAYS alter this summons and lgal papers are served on you to fe awfen response atti court and have @ copy sawed on the plaPUft Aelia or phone cal wl not protact you, Your willen response must be In proper logal form you want the court to Rea your ase. Tere may boa curt form tha you can uso fer your response. You can find ese cou forms and more informa at the Calfomia Cours Stn Seltlp Gester (wer court ca gowsethep), your county law brary, of be courthouse nearest you. you cannot pay te fing fee ask {ho court clrk ora fee waiver form I you donate yur response on time, you may lose the case by defi, and yourweges, money, and propery ‘may be laken wihout futher waring fom the cou. "there ae ole egal requirements, You ray want call an atioy ight away. I you do not know an attorney, you may want ocala attomey ‘eferal sore, you cannot afford anatomy, you may be eligible for fee logl serces from a nonproft legal services program. You can locato {hese nonproft group a the Calforia Logel Sewvieos Web so (wn lewholpcalfoia org), the Calforia Courts Onine Se-Help Center (rim: cour 2 gowsolMelp), or by contacting your local court or caunt bar assovation, NOTE: Ta court has a statutory Ban fr waived fees and Slaton any setloment or ablation award of $10,000 or more Ina cv cate, The cours Bon must be paid before the cout wl iss the case {24S Lg hn camaro, Sir spond drt de 9s, a cae ued econ yconta er eciha Sur, Lea iomacin ‘iene 30 DIAS DE CALENDARIO desputs do quo le enreguon esa ctacion y papel gales para presenta una rospusta por escrito on ost corey hacer que se entrogue una copa al demandane, Una cate o una lamada tlef6nics no le protegon. Su respuesta par excitation que estar ‘on formato log comerto a desea que pracesen su caso on le crt. Es posible que haya un fermulario qué usted puoda usar para su respuost. ‘Puede encontrar esos formulerizs do econ y mas nformacisn on ol Contr de Ajuza do as Cotes do Camis (ww. sucorteca gov) ‘odd qutar su suoks, dnaroybioes sn més adverts! “Hay ates requstos gales. Es recomendable que lame a un ebogadoinmedtatamente. SI ro condce aun abogsdo, puede Kamara un servicio de remigén'a sboyados Sino puedo pagar a un abogado, vs posible quo cumpia cones requistos para oblener servic gales gratutos do un [rograma de senices legates si ines do lure. Puede encontrar estas grupos sin Aros Go luc en el so wod do Calfomis Legal Serios, fron iaw/eipcalfomia.ig), en el Cento de Ayuda de as Cotes do Cafomia, (www. sucorte.ca.go) 0 poniéndose en contact con fa corto o 1 iegece abogads locales. AVISO: Por oy, la corto Hane dorecio a eclamar fas cuotas ys costes exentos per imponer un gravamen sobre ‘ualquerrecuperecién de $70,000 6 més de valor rocblda medante un acuerdo 0 una concosin do abirae en un caso ce derecho cl. Tene que ‘age elGravemon do corte antes do que fa corto pueda dasecha o caso Tho namo and adore ore cour: Foe eos San Bemardino Central justice Center [ESB 2300528 247 West Third Street, San Bemardino, CA 92415 ‘The name, address, and telephone number of plains attomey, or plaintiff without an attorney, is (Elnomtrs, la dreccion y el nlmaro do telefono del abogado del demandants, o del demandante que no tiene abogaco, es): Brian Hannemann, Hannemann Law Firm, 1042 N. Mountain Ave., B-222, Upland, CA 91786, 909.980.7878 DATE: FEB 03 2023 Clerk, by ‘SY LMIA GUAJARDO . Deputy Fecha) (Svoretae) eacunto) {Far proof of serves of Wis summons use root of Seni af Sammons fom POS OO.) {Para proba ce entrega de sta olan use el farmularo Proof of Service of Summons, (POS-010), NOTICE TO THE PERSON SERVED: You ao saved wear 4. Lo) 2s an individual defendant 2. asthe person sued under the feftious name of (speci Co py |? enter tect under [cc 416.10 (corporation) coe ats.60 (mina) [cep 416.20 dehinc corperaton) [=] CCP-416.70 (consarvatoo) 5) ccP 416.40 (association or partnership) [—] CCP 416.90 (authorized person) 1 other (specity): Fp ‘SUMMONS ‘anata Penang e E sie Rev aar samara ‘SUM-200(A) ‘SHORT TITLE: |_ MORALES, et al. v. ROBERT BONTA, et al. INSTRUCTIONS FOR USE > This form may be used as an attachment fo any summons if space does not permit the listing of all parties on the summons. > If this attachments used, insert the following statement in the plant or defendant box on the summons: "Additional Parties ‘Attachment form is attached." List additional parties (Check ony one bor. Use a separate page for each typeof party): (1 Plaintit [2] Detendant [] crose-Complsinant [] Gross-Detendant DOES 1-50 Page o Paget FudinGaoedt eters ‘ADDITIONAL PARTIES ATTACHMENT "ua Cove cata ‘sit 209) Soe 207 ‘Attachment to Summons cm-o10 [Bran G. Hannemann, esa, (180108) “ [email protected] 7042 N. Mountain Ave, Suite 8-222, Upland, CA 81786 seismoneno (808) 880-7878 FoxN Oncre srtoner fon mana! Plaintifs, ROBERT C. MORALES, et a. [SUPERIOR COURT OF CALIFORNIA, COUNTY OF SAN BERNAROINO SrREET aconess. 247 West Third Street wun cones. same as above lor moze coce San Bernardino 92615 FILED SUPERIO# COURT OF CALIFORNIA ‘COUNTY OF SAN BERNARDINO ‘SAN BERNARDINO CIVIL DIVISION FEB 03 2023 cements. San Bernardino Cental ustice Center ‘ 8 eden bh gferio len Evin GUNJARA EPL MORALES, et al. v. ROBERT BONTA, et a. Mi JAF ‘DEPUTY CIVIL CASE COVER SHEET Complex Case Designation | [>= Unies Stems Colcaner Co} senae §| CIVSB 2300528 mount, noun eae (fovourt | ried wn tat appearance by cotendant PERE en (Cal. Rules of Court, rule 3.402) Tams 1=6 below must Be completed (5 [1 Gheck one box below forthe case type thet best describes this case: ‘exceeds $25,000) Truatons on age OO Atte 22) [1 Breach of contracthvarraniy (05) (Cal. Rules of Court, rules 3.400-3.403) Uninsured motorist (46) J Ruse 3.740 collections (09) [ Aatitrusttrade regulation (03) eprom Fy onwr ete co ST censtneencse Sonoran Fey otercteina mie ec) Oo seentes (08) Prosuetsabity (20) netics malpractice 45) [otter pupowo a3) Nen-PUPDIWD (Other) Tort [1 besiness tartar business practice 07) secures wigation 28) [ EnwronmentavToxe tr (30) [insurance coverage claims asing om he above sted prowsionally complex case types 41) Enforcement of Judgment Enorcement of judgment 20) otter contract (37) Real Proparty 1 Erinent domaininverse condemnation (14) J Mrengit evion (33) (Sone ea property (26) BH cites 08) Unfwrha tai ‘iseetianeous Civil Complaint [J Otamaten 13) Commerc on) recoen CS Frew 16) Ca) Resident 22) otner compiain (not spectied above) (42) [intact propery 18) TS bags 8 tvonanaove Coa Pon TS Protesona nepioencs (2) Judicial Review 1 Parnersip and corpo [1 oer getton not specified above) (43) governance (21) Aste tertonure (05) [Preto re sebation award (11) wii ofmancte (02) [otter non-PuPoIWO to (35) Employment 2 wrong terinaton (36) Footer emptyment (15) Torre jst even (30) 2, This ease [—] © C]lsnot _ complex under rule 3.400 of te Calfornia Rules of Cour. fhe case Is complex, mark the factors requiring exceptional jusical management 2. (] Latge number of separately represented parties . [5] Extensive motion practice raising aifcut or novel ‘sues that wll be time-consuming to resolve 6. (J Large number of witnesses ce. EJ Coordination with related actions pending in one or more ‘courts in oer counties, states, or countries, orn afeder court £,_[7) Substantial posjudgment judicial supervision 3. Remedies sought (check all that appiyi:a. [EC] monetary b. [x] honmonetary: Geciaratory onjuncve reli? c. [3C) punitive 44 Number of causes of ation spect: One (1) 5. Thisease (J is [iJisnot a dlassacton suit 6._ there are any known relate cases, fle and serve a notice of related case. (You may use form CW-015) Sot se hee thet al Brian Hannemann, Esa, 5] Substantial amount of documentary evidence NOTICE + Picintif must fe this cover sheet with tha frst papor fled inthe action or proceading (except small claims cases or cases fled Under the Probate Code, Family Code, or Welfare and institutions Code). (Cal. Rules of Court, rule 3.220.) Failure to fle may resut| in sanctions. |+ File this cover sheet in addition to any cover sheet required by local court ru. | this case is complex under rue 3.400 et seq of the Celfornia Rules of Court, you must serve a copy ofthis cover sheet onal ‘ther parties tothe action or proceeding |+ Uniess ths isa cotections case under rule 3.740 ora complex case, this cover sheet willbe used for statistical purposes only. CIVIL CASE COVER SHEET HANNEMANN LAW FIRM, A PROFESSIONAL CORPORATION 10121N, MOUNTAN AVE, SUITE B-222 1b, CALAFOANIA 91786 ui “Teugrvion (908) 980-7878 > FACSIAILE (909) 912-8999 ‘SUPERIOR COURT OF CALIFORNIA COUNTY OF SAN BERNARDINO ‘SAN BERNARDINO CIVIL DIVISION OAM SoH sreorenenns comeaenne asa rian G. Hannemann, Esq., State Bar No. - 166109 Fl 1042'N. Mountain Ave. Suite B:2 Upland, California 91786 Tel: (909) 980-7878 }Fax: (909) 912-8999 [bahesa/@amail.com |Attomneys for Plaintiffs, ROBERT C. MORALES, KEITH KNIPSCHILD, DUSTIN ROBERTSON, D.T. SNAWDER, ROBERT HILLS, BRANDON KRONER [ADDITIONAL COUNSEL ON LAST PAGE] SUPERIOR COURT OF CALIFORNIA COUNTY OF SAN BERNARDINO - CENTRAL JUSTICE CENTER, ROBERT C. MORALES; KEITH KNIPSCHILD; DUSTIN ROBERTSON; ID.T. SNAWDER; ROBERT HILLS; IBRANDON KRONER; CASE NO: bo: =CIVSB 2300528 COMPLAINT FOR DAMAGES AND Plaintiffs, INJUNCTIVE RELIEF FOR: 1. VIOLATION OF CALIFORNIA INFORMATION PRACTICES ACT OF 1977 vs. (Cal.Civ.Code §§ 1798-1798.78); DEMAND FOR JURY TRIAL [ROBERT BONTA, in his official capacity las Attorney General of the State of ) ) ) ) ) ) ) ) ) ) ) ) ) ) } |California, and DOES 1-50; ) ) ) Defendants. ) ) ) Plaintiffs ROBERT C. MORALES, KEITH KNIPSCHILD, DUSTIN ROBERTSON, D.T ISNAWDER, ROBERT HILLS, BRANDON KRONER (jointly, "Plaintiffs"), through their counsel, bring this action against Defendant Robert Bonta, in his official capacity as Attorney General of the ‘State of California and Does 1-50, and allege as follows: INTRODUCTION <1. COMPLAINT FOR DAMIAGES AND INJUNCTIVE RELIEF HANNEMANN LAW FIRM, A PROFESSIONAL CORPORATION 1042.N, Mounratn Ave, Sure B222 UPLAND, CALIFORNIA 91786 ‘TELEPHONE (909) 980-7878 © FacsiNaLe (908) 912-8999 1. Before June 27, 2022, Defendant ROBERT BONTA (hereinafter “Bonta”), through the State of California's firearms laws and regulations, including, specifically, DOJ Administrative Manual, Chapter 15, Information Technology, had among his critical responsibilities and mandates, ighly sensit the obligation to “manage multiple data repositories that contai ve and regulated |ctiminal justice. . . and personally identifiable data. The confidentiality of this data must be [protected at all times to ensure the DOJ continues to meet its responsibilities as custodians and providers of this data.” Bonta acquired sensitive, private information of law-abiding individuals who chose to lawdully exercise their Second Amendment rights to keep and bear arms as guaranteed by the United States Constitution, by, among other things, acquiring or attempting to acquire firearms or a concealed weapons permit. 3. Before June 27, 2022, Bonta, collected, organized, and created an electronic, searchable registry, which the California Department of Justice refers to as its "Firearms Dashboard Portal," and which computerized registry cons (ed of, among other things, the sensitive, private information such as names, addresses, and dates of birth, of California gun owners, concealed carry permit holders, and others whose information was in the State of Californi possession because of its firearms laws and regulations [hereinafter the "Regi ry."]. 4. On June 27, 2022, Bonta wrongfully disclosed the Registry to the public and onto the world wide web, thus exposing the sensitive, private information of everyone on Registry. [Bonta stated soon after the data leak in a publicly available webpage that "the California [Department of Justice learned that personal information was disclosed in connection with the June 127th release of the DOJ's Firearms Dashboard Portal." ‘The Registry included information collected from the Assault Weapon Registry, Dealer Record of Sale, Firearm Safety Certification, and Gun Violence Restraining Order information process and compilation: "As of now, the exposed data lappears to include: full name, date of birth, address, gender, race, CCW [Concealed Carry Weapon] license number, California information Index number... . other government-issued identifiers . [and] driver's license number." (https://www.oag.ca,gov/dataexposure). Dealer Record of Sale ldocuments contain an individual's Social Security number as well as make, model and serial 2- SAND INTUNCTVE RELIEF COMPLAINT FOR Dain HANNEMANN LAW FIRM, A PROFESSIONAL CORPORATION 1042.N. MOUNTAIN AVE, SUITEB-222 ‘UPLAND, CALIFORNIA 91786 TELEPHONE (909) 980-7878 o FacsiMite (909) 912-8999 ee 10 it 12 13 14 15 16 17 18 19 20 2 2 23 24 25 26 27 28 number of firearms. 5. Bonta also confirmed that the Registry disclosure was not immediately discovered for nearly 24 hours, thus permitting countless persons worldwide to have accessed the Registry information for nefarious purposes. 6. OnNovember 30, 2022, private law firm Morrison Foerster, retained by Bonta to investigate the data leak (“California Department of Justice OpenJustice Firearms Dashboard June 27-28, 2022 Exposure of Confidential Personal Data’, issued its “Report of Investigative Findings land Recommendations,” [hereinafter “Report” a true and correct copy of which is ettached hereto land incorporated by reference fully herein as Exhibit A. 7. The Report confirmed that “from June 27-28, 2022, confidential firearms-related |data managed by DOJ was publicly exposed on OpenJustice, a DOJ website intended to provide the public with aggregated, anonymized criminal justice data. Specifically, for a period of less than 124 hours, public visitors to OpenJustice were able to access confidential personal information related to concealed carry weapon permit applicants and holders and other firearms-related data that could be associated with or used to identify individuals.” Report, at page 1. 8. According to the Report, “The underlying dataset for the Firearms Dashboard that was publicly accessible contained confidential personal data associated with CCW [Concealed \Carry Weapon], FSC [Firearms Safety Certificate], DROS [Dealer Record of Sale}, and AWR [Assault Weapon Registry}-related data ... In total, drawing from the CCW-related data, confidential personal data was exposed on the Firearms Dashboard for approximately 192,000 individuals. ....The exposed underlying dataset with confidential personal data wes viewed by Imembers of the public and downloaded, in full or in part, approximately 2,734 times across 507 lunique IP addresses.” Report, page 50. 9. The Report confirms and admits that “the CCW-related data included data for the lyears 2012 to 2021 and included the following fields: name, date of birth, street address associated lwith the permit, gender, race, county, CCW License Number, status of CCW applications, and |California's Criminal Identification and Information/State Identification number (also referred to as |“lI”) [FN # 46: A Cll number, which is automatically generated during a fingerprint check and Se “COMPLAINT FOR DAMAGES AND INJUNCTIVE RELIEF HANNEMANN LAW FIRM, A PROFESSIONAL CORPORATION 1042.N. MOUNTAIN AVE, SUITEB-222 ‘UPLAND, CALIFORNIA 91786 ‘TELEPHONE (908) 980-7878 o FACSIMILE (908) 912-8999 wok ON ew ra 10 u 12 13 14 15 16 7 18 19 20 a 22 23 24 25 26 27 28 lused to identify individuals in recordkeeping, is a unique identifier of a person.] The CCW-related |data contained approximately 192,000 unique CII numbers, which corresponds generally to the lnumber of individuals for whom CCW-related data (including confidential personal data) was lexposed.” Report, page 51. 10, “This CCW-related data containing confidential personal data was downloaded either in full or partially approximately 1,467 times across approximately 341 unique IP addresses. | Approximately 160 of the approximately 1,467 downloads of the CCW-related data were the full or Inearly full sets of the underlying dataset, with approximately 152 of these downloads occurring later the server was restored. The majority of the 1,467 CCW-related data downloads — lapproximately 1,399 occurred in the evening of June 27 to the early morning of June 28 after the [Tableau server had been restored and the Firearms Dashboard was live again. As previously noted, Data Analyst-1 replaced the CCW-related data on June 28 at 6:30 a.m., therefore, confidential lpersonal data associated with the CCW-related data was not available for public download from that point forward.” Report, page 52. 11, The Report also confirms and admits the disclosure of the FSC, DROS and AWR- related data [“the FSC, DROS, and AWR-related data included fields containing confidential [personal data] as follows: + “The FSC-related data covered the years 2015 to 2021 and included approximately more than 2 million driver’s license numbers, issue dates, and dates of birth . . Report, page 51; + “The DROS-related data covered the years 2012 to 2021 and contained information on approximately more than 8.7 million gun sale transactions, which included fields of information for individuals involved in such transactions, including date of birth, gender, and county of the sale, as well as weapon details, transaction date and time, transaction type, transaction status, originating agency identifier (or ORI) number (which identifies the law enforcement agency with jurisdiction over the location where the sale takes place), dealer’s identification number, dealer’s street address(es), license status, and license type.” Report, page ve COMPLAINT FOR DAMAGES AND INJUNCTIVE RELIEF HANNEMANN LAW FIRM, A PROFESSIONAL CORPORATION 1042N, MOUNTAIN AVE, SUITE B-222 UPLAND, CALIFORNIA9I786 ‘TELEPHONE (909) 980-7878 o FacsinaLt (909) 912-8999 51; + “The AWR-related data covered the years 2012 to 2021 and included dates of birth, gender, county, weapon type (including make and model), registration type, AWR number, and application status . .. [including expos{ing] more than 31,000 unique AWR Numbers.” |Cross-referencing the various data fields revealed that doing so could enrich that information known about an individual identified in the CCW-related data field. Report, page 52. 12. The Report confirms and admits that “the underlying dataset that included confidential personal data (associated with CCW, FSC, DROS, and AWR-telated data) was Jdownloaded either partially (e.g,, a single or partial selection of counties or years on the Firearms Dashboard) or in full (ic., all years and geographies available on the Firearms Dashboard) lapproximately 2,734 times across approximately 507 unique IP addresses on June 27-28, 2022.” Report, page 52. 13, The Report admits that the confidential data migrated onto the open world wide |web: “During the investigation, FTI identified and implemented various monitoring measures to identify potential sharing or misuse of the exposed confidential personal data, Searches on websites including Twitter, Facebook, Reddit, 4chan, and other sites revealed public discussion regarding Ithe data exposure. From June 27-28 and on subsequent days, some of the confidential personal |data obtained from the Firearms Dashboard was shared online but most of the links containing such data were removed or deleted by the time FTI conducted its investigation. For example, ICCW-related data containing names, dates of birth, and addresses of approximately 900 individuals lwas posted on a specific site on June 28. As of July 25, the post had been viewed 7! times. This lpost was reported to the site on July 25, and the post was removed.” Report, pages 53-54. 14, The Report attempts to diminish the severity of the data breach, by dissembling: Based on these searches, there is no evidence of significant or continuing dissemination of the confidential personal data that was publicly accessible on the Firearms Dashboard on June 27-28.” IReport, page 53. The Report makes zero mention what steps were taken to retrieve the data that Iwas downloaded, or where it may have migrated to, Instead, the DOJ rests it conclusions of Se ‘COMPLAINT FOR DAMAGES AND INJUNCTIVE RELIEF HANNEMANN LAW FIRM, A PROFESSIONAL CORPORATION 1042.N. MOUNTAIN Ave, SurTe B-222 "UPLAND, CALIFORNIA 91786 ‘TELEPHONE (909) 980-7878 o FACSDMILE (009) 912-8999 ewe aan eon 10 u 12 B 14 15 16 17 18 19 20 2 22 23 24 25 26 27 28 Incbulous “searches” of unknown parameters, terms or methodology. The claim of limited “continuing dissemination” is farcical on its face, and calls into question the sincerity of the DOJ’s lattempts to protect the individuals whose data the DOJ leaked. It further confirms that the data leak lwas impliedly intended to chill individuals Second Amendment rights, by the DOJ’s attitude of basically: “We leaked your confidential data, we did a few “searches,” and oh well, we have |concluded without basis that it is unlikely that your private, confidential data is disseminated!?” What a complete load of horse manure. 15. Further, equally unsurprisingly, the Report, commissioned by Bonta, does not admit that the data exposure occurred purposefully, or with reckless disregard, that the data disclosure lwas ordered to be disclosed, leaked, or otherwise encouraged or allowed persons or vendors access Ho the Registry for purposes of disclosing or leaking the Registry onto the world wide web, with lpurpose, desire or knowledge of substantial certainty that disclosure of the Registry onto the world lwide web would have negative chilling effects upon all Californians’ law-abiding gun owners. 16. Instead, the Report attempts to foist off accountability for what certainly appears to |be an intentional disclosure done for the purpose to harm law-abiding CCW holders, onto nameless lothers for such things “lack of DOJ personnel training, requisite technical expertise, and professional rigor; insufficiently documented and implemented DOJ policies and procedures; and jinadequate oversight by certain supervisors. This combination of factors resulted in errors, poor judgment, and missed opportunities by certain DOJ personnel, and ultimately, in DOJ’s failure to Imeet the responsibilities with which it was entrusted as the custodian of confidential personal information.” Report, page 1. 17. The Report provides detailed “factual findings regarding the circumstances of the data exposure . .. recommendations to improve DOJ’s handling of [confidential CCW data] to lavoid improper exposure in the future.” Report, page 1. Despite these platitudes, the admitted facts of the data exposure and basis proves beyond the shadow of a doubt that the DOJ cannot be lentrusted to possess such confidential CCW data and the only appropriate remedy to prevent ladditional data leaks is the wholesale dismantling of the entire OpenJustice website, Firearms [Dashboard and Registry. 6: ‘COMPLAINT FOR DAMAGES AND INJUNCTIVE RELIEF HANNEMANN LAW FIRM, A PROFESSIONAL CORPORATION a6 “TELEPHONE (609) 980-7878 o Facsiate (909) 912-8999 ‘UPLAND, CALIFOR 1042.N. MOUNTAIN AVE, SUITE B-222 18. This unlawful disclosure of law-abiding Californians’ sensitive private information to the public in violation of California and federal law provides anyone, including anti-Second |Amendment persons, political operatives, and criminals with an easy means to among other things, ldox, harass, intimidate and commit criminal acts upon anyone whose information was on the IRegistry, including gun owners. The unlawful disclosure also pinpointed precisely by individual laddress the make, model, serial number and physical location of where hundreds of thousands of firearms are located. 19, The Report admits and conclusively establishes the wrongful disclosure of the IRegistry's sensitive private information has caused great harm to Plaintifis, which is immediate, longoing, and not at all likely to be abated given that the wrongful disclosure happened at the highest law enforcement office in the State and itis this same Department of Justice which is Ipromising to take "strong corrective measures where necessary.” What measures can possibly be taken now, after the proverbial horse has left the ban? Notably missing from the Report is lconfirmation of the IP addresses from where the information was accessed or downloaded, the storage means of such data, whether the data was retrieved by the DOJ or otherwise, whether the ldownloaded or accessed data was thereafter shared or transmitted by electronic means or otherwise lbeyond the IP address accessing the data, or what steps were taken or will be taken to retrieve the |downloaded CCW data to prevent future harm to Plaintiffs. 20. The harm has only just now begun, as the private confidential information has been released to the world, Plaintiffs are currently at risk, and continue to be at risk, and no conceivable laction by the California Department of Justice can remove the risk whatsoever. This action and judgment in favor of Plaintiffs can ameliorate the risk, to some extent, by a remedy including lordering the State of California to cease the illegal collection of information, to destroy all information collected, remove all such information from the internet, and amend its Concealed |Carry Weapon permitting oversight system to allow Plaintiffs to provide a P.O. Box or other Inon-residential address and reissue Plaintiffs’ CCW permits without residential address information [stored or maintained anywhere within the State's database or possession or control. 21. All of this risk could have and should have been eliminated entirely, had the -7- ‘COMPLAINT FOR DAMAGES AND INJUNCTIVE RELIEF HANNEMANN LAW FIRM, A PROFESSIONAL CORPORATION "UPLAND, CALIFORNIA 91786 ‘TELEPHONE (908) 980-7878 o FACSIMILE (908) 912-8999 11042 N. MOUNTAIN AVE, SUITEB-222 Sean] su ewn i Le 14 15 16 17 18 19 20 2 22 23 24 25 26 27 28 [Department of Justice NOT illegally collected, organized and disclosed the Registry. There is no Constitutional basis at all for the State to have collected, orgenized, and created the "DOJ Firearm [Dashboard Portal,” let alone further possess or use for any reason at all the Registry information on law abiding gun owners. The State's possession of this information is an infringement on the right to keep and bear arms as protected by the Second and Fourteenth Amendments to the United States Constitution and is unconstitutional under New York State Rifle & Pistol Ass'n, Inc. v. Bruen (2022) 1597 U.S. __, No, 20-843, 2022 WL 2251305 (June 23, 2022). JURISDICTION AND VENUE 22. Venue is properly laid in this Court pursuant to Civil Code section 1798.49, which provides that a complaining party may bring an action for damages, et al., in any court of competent jurisdiction in the county where the complainant resides. At least one Plaintiff resides in San [Bernardino County. 23. The Court has personal jurisdiction over Bonta because Bonta, as the Attorney |General of the State of California, is within the State of California, PARTIES 24. Plaintiff Robert C. Morales is a resident of San Bernardino County. He holds a |Concealed Carry Weapons Permit issued by the Sheriff of San Bernardino County. His personal sensitive information was publicly wrongfully disclosed by the California Office of the Attorney |General in the June 27, 2022 Registry data leak. As a result of the Attorney General's disclosure, IMr. Morales is concerned for his safety and the security of the firearms in his home, criminal largeting, as well as the negative attention or retaliation the doxing and disclosure may draw from. lmembers of the public who are hostile to gun owners. 25. Plaintiff Keith Knipschild is a resident of San Bernardino County. He holds a |Concealed Carry Weapons Permit issued by the Sheriff of San Bernardino County. His personal sensitive information was publicly wrongfully disclosed by the Califomia Office of the Attorney |General in the June 27, 2022 Registry data leak. As a result of the Attomey General's disclosure, IMr. Knipschild is concerned for his safety and the security of the firearms in his home, criminal targeting, as well as the negative attention or retaliation the doxing and disclosure may draw from oS: ‘COMPLAINT FOR DAMAGES AND INJUNCTIVE RELIEF HANNEMANN LAW FIRM, A PROFESSIONAL CORPORATION 1042.N. MOUNTAIN AVE, SUITE B-222 ‘UPLAND, CALIFORNIA 91786 “TELEPHONE (909) 980-7878 o Facstatz (909) 912-8999 Cea aw eon 10 ul 12 13 14 15 16 7 18 19 20 2 22 23 24 25 26 27 28 Imembers of the public who are hostile to gun owners. 26. Plaintiff Dustin Robertson is a resident of San Bernardino County. He holds a |Concealed Carry Weapons Permit issued by the Sheriff of San Bernardino County. His personal sensitive information was publicly wrongfully disclosed by the California Office of the Attomey |General in the June 27, 2022 Registry data leak. As a result of the Attorney General's disclosure, IMr. Robertson is concerned for his safety and the security of the firearms in his home, criminal targeting, as well as the negative attention or retaliation the doxing and disclosure may draw from Imembers of the public who are hosti to gun owners. 27. Plaintiff D.T. Snawder is a resident of San Bernardino County. He holds a Concealed Carry Weapons Permit issued by the Sheriff of San Bernardino County. His personal sensitive information was publicly wrongfully disclosed by the California Office of the Attorney |General in the June 27, 2022 Registry data leak. As a result of the Attomey General's disclosure, IMr. Snawder is concerned for his safety and the security of the firearms in his home, criminal largeting, as well as the negative attention or retaliation the doxing and disclosure may draw from lmembers of the public who are hostile to gun owners. 28. Plaintiff Robert Hills is a resident of San Bernardino County. He holds a Concealed |Carry Weapons Permit issued by the Sheriff of San Bernardino County. His personal sensitive information was publicly wrongfully disclosed by the California Office of the Attomey General in the June 27, 2022 Registry data leak. As a result of the Attorney General's disclosure, Mr. Hills is |concerned for his safety and the security of the firearms in his home, criminal targeting, as well as the negative attention or retaliation the doxing and disclosure may draw from members of the public who are hostile to gun owners. 29. Plaintiff Brandon Kroner is a resident of San Bernardino County. He holds a IConcealed Carry Weapons Permit issued by the Sheriff of San Bernardino County. His personal sensitive information was publicly wrongfully disclosed by the California Office of the Attorney |General in the June 27, 2022 Registry data leak. As a result of the Attorney General's disclosure, IMr. Kroner is concerned for his safety and the security of the firearms in his home, criminal targeting, as well as the negative attention or retaliation the doxing and disclosure may draw from oo. COMPLAINT FOR DAMAGES AND INJUNCTIVE RELIEF HANNEMANN LAW FIRM, A PROFESSIONAL CORPORATION 1042 N. MOUNTAIN AVE, SUITE B-222 ‘UPLAND, CALIFORNIA 91786 ‘TRLEPHONE (909) 980-7878 o FacsinaLe (908) 912-8999 wea aueon 10 n 12 13 14 15 16 7 18 19 20 21 23 24 25 26 27 28 lmembers of the public who are hostile to gun owners. 30. Bonta is the State of California's Attomey General. In that capacity, he is the state's, chief law enforcement officer and Article V, section 13, of the California Constitution imposes on Ihim the duty to enforce the state's laws. As Attorney General, Bonta leads the California [Department of Justice ("Department") and is responsible for the actions of the DOJ. Plaintiffs are suing Bonta in his official capacity. 31. _Atthis time, Plaintiffs do not know the true names or capacities of defendant DOES 1-50 but will amend this Complaint when they are identified. Plaintiffs allege that Bonta and DOES 1-25, and each of them, are and acted as the agents of each other with respect to the actions alleged herein, 32. Plaintiffs have exhausted their administrative remedies by each Plaintiff separately, timely filing a government claim, which individual claims were all separately denied by letters |dated December 8, 2022. FACTS The 2022 Firearms Dashboard Portal 33. On Thursday, June 23, 2022, the United States Supreme Court decision in New York State Rifle & Pistol Association v. Bruen struck down a New York gun law that placed restrictions on the concealed carry of guns. 34. That same day, Attomey General Bonta released a statement following the decision that his office and the Governor of California were working with the legislature to advance new gun legislation, 35. Four days later, on Monday, June 27, 2022, the Department launched the "2022 Firearms Dashboard Portal.” 36. Ina press release, entitled "Attomey General Bonta Releases New Firearms Data to lincrease Transparency and Information Sharing," Attorney General Bonta was quoted as saying, "One of my continued priorities is to better provide information needed to help advance efforts that strengthen California's commonsense gun laws. Today's announcement puts power and information into the hands of our communities by helping them better understand the role and potential dangers -10- ‘COMPLAINT FOR DAMAGES AND INJUNCTIVE RELIEF HANNEMANN LAW FIRM, A PROFESSIONAL CORPORATION 10421N. MOUNTAIN AVE, SUITEB-222 1786 ‘UPLAND, CALIFOR “TeLEPHONE (909) 980-7878 o Facsina.e (908) 912-8999 of firearms within our state." [Available here: ttps://oag.ca.gov/news/press-releases/attomey-general-bonta-releases-new-firearms-data-increase-t ransparency-and#:~:text=The%20announcement%420will%20improve%20transparency,and%20Gu In%20Violence%20Restraining%200rders%20]. 37. The press release contained two separate references to a hyper link to access the 2022 Firearms Dashboard Portal.” Indeed, the closing sentence on the press release openly directed the reader to the hyperlink: “The 2022 Firearms Dashboard Portal can be viewed here.” |As of this moment, the link is broken, returning an error code of “404 - That Page cannot be Hound.” [https://openjustice.doj.ca.gov/data-stories/firearms-data-portal]. Four months later, the lhypertink returns an error code, demonstrating that the hyperlink was intended to function exactly las it did function, namely, to disclose and leak private data in violation of law abiding gun owners’ rights. 38. The press release also emphasized the mission of the portal by professing that {whith today’s announcement, Attorney General Bonta is improving accessibility and functionality lof the existing firearms database with expanded information in a comprehensive data dashboard" land by “[i}mproving transparency by expanding gun violence-related data the California [Department of Justice releases to researchers." 39. Further, "[tJhe dashboard also provides links to a variety of supplemental resources Isuch as reports, applications, legal information .. . The release of the expanded data and information continues Attomey General Bonta's commitment to make the data more accessible to the public." 40. The dashboard included data from the past decade on the following subjects: Dealer [Record of Sales, Gun Violence Restraining Orders, Carry Concealed Weapons Permits, Firearms Safety Certificates, Assault Weapons, and Roster of Certified Handguns. Release of CCW Permit Holders and Others' Sensitive Personal Information 41. The 2022 Firearms Dashboard Portal included sensitive personal information, including the California resident's full name, gender, date of birth, race, home address, driver's license number, permit issue date, and criminal history [the "Registry"]. -l- ‘COMPLAINT FOR DAMAGES AND INJUNCTIVE RELIEF HANNEMANN LAW FIRM, A PROFESSIONAL CORPORATION 1042 N. Mona AVE, SUITE B-222 UPLAND, CALIFORNIA 91786 ‘TELEPHONE (909) 980-7878 o FAcsiMILE (909) 912-8999 Socaernrauneon n 12 13 14 15 16 7 18 19 20 21 2B 24 25 26 2 28 42. The Registry information was available on a publicly accessible spreadsheet on the lworld wide web for nearly 24 hours until the Department of Justice claims to have shut down the lwebsite on Tuesday, June 28, 2022, and admittedly during which time the Registry information was lopen to public view ["After DOJ learned of the data exposure, the Department took steps to remove the information from public view and shut down the Firearms Dashboard. The dashboard and data lwere available for less than 24 hours."] (Letter from State of California Office of the Attomey |General, Rob Bonta, Attorney General, dated July 8, 2022, mailed to Plaintiffs, hereinafter "Bonta Letter"). 43. Visitors to the Firearm Dashboard Portal could download and store this sensitive personal information via a button on the website's mapping feature. Bonta has not informed Plaintiffs about to whom the Registry information has been disclosed, and instead has offered bureaucratic platitudes demonstrating no real effort to protect Plaintiffs but instead to self-investigate its own malfeasance, including that the DOJ is "working to improve security, mitigate risk, launch{ing] an investigation . . . conducting a review of our policies and procedures land working to implement additional security measures. ..." (Bonta Letter, paragraph 4). 44, Asa result of the leak, law-abiding, gun-owning Californians have had their lpersonal information compromised and wrongfully exposed. 45. According to the San Bemardino County Sun, in an article published on June 29, 12022, by Jason Green [available here: lnttps://www. sbsun.com/2022/06/29/california-exposes-names-addresses-of-potentially-hundreds-of -thousands-of-concealed-weapon-permit-applicants/]: “The personal information of California residents who received or were denied concealed carry weapons permits between 2011 and 2021 was mistakenly exposed this week, according to the California Attorney General’s Office. The data exposure, which could involve hundreds of thousands of gun owners, occurred during an update to the state Department of Justice’s 2022 Firearms Dashboard Portal, the office -12- "COMPLAINT FOR DAMAGES AND INJUNCTIVE RELIEF HANNEMANN LAW FIRM, A PROFESSIONAL CORPORATION 1042.N. MOUNTAIN AVE, SUITE B-222, 1785 ‘TELEPHONE (09) 980-7878 o FacsinaLe (908) 912-8999 ‘UPLAND, CALIFORNI said in a statement Wednesday. The information included names, birthdates, addresses, driver’s license numbers and criminal histories, the agency said, but added that Social Security numbers and financial information were not disclosed. Five other state-operated databases were also affected. They included the Assault Weapon Registry, Firearm Safety Certificate and Domestic Violence Restraining Order dashboards. “This unauthorized release of personal information is unacceptable and falls far short of my expectations for this department,” Attorney General Rob Bonta said in a statement, The office said the DOJ was “investigating the extent to which any personally identifiable information could have been exposed from those dashboards and will report additional information as soon as confirmed.” After making the updates on Monday afternoon, the DOJ learned that the personal information was accessible in a spreadsheet ‘on the portal, according to the office. The DOJ said it took steps to remove the information from public view and shut down the dashboard Tuesday morning. The office said the dashboard and data were openly available for “less than 24 hours.” The office did not immediately respond to a message seeking an estimate of the number of people affected by the data exposure. The Associated Press reported that the breakdown could involve as many as hundreds of thousands of gun owners who applied for CCW permits. {emphasis added] Roughly 40,000 CCW permits were issued last year, down from more than 100,000 during the peak year of 2016, according to the DOJ’s website. ise "COMPLAINT FOR DAMAGES AND INJUNCTIVE RELIEF HANNEMANN LAW FIRM, A PROFESSIONAL CORPORATION 10421N, MOUNTAIN Ave, SUITE B-222 ‘UPLAND, CALIFORNI TELEPHONE (909) 980-7878 o FACSIMILE (909) 912-6999 wa wD So waa MW 12 1B 14 15 16 17 18 19 20 21 23 24 25 26 27 28 Personal information from the errant disclosure may have been posted on social media websites, the Fresno County Sheriff's Office said in a statement Tuesday afternoon. The sheriff's office said it learned about the vulnerability from the California State Sheriffs’ Association. ‘The California Rifle and Pistol Association noted that the data ‘exposure came days after the U.S. Supreme Court threw out New ‘York’s requirement that those seeking to carry concealed weapons demonstrate an extraordinary need. That ruling also derailed similar standards in several California counties, though state lawmakers and Bonta are working to reinforce and codify remaining permit requirements. Bonta said he immediately launched an investigation into how the data exposure occurred at the DOJ, adding that he plans to “take strong corrective measures where necessary.” “The California Department of Justice is entrusted to protect Californians and their data,” he said. “We acknowledge the stress this may cause those individuals whose information was exposed. I am deeply disturbed and angered.” The state sheriffs association on Wednesday issued its own alert to CCW permit holders about the security blunder. “It is infuriating that people who have been complying with the law have been put at risk by this breach,” CSSA President and Butte County Sheriff Kory Honea said in a statement, “California's sheriffs are very concemed about this data breach and the tisk it poses to California’s CCW permit holders.” The exposure included information on law enforcement officials including judges, as well as others who had sought CCW ore COMPLAINT FOR DAMAGES AND INJUNCTIVE RELIEF HANNEMANN LAW FIRM, A PROFESSIONAL CORPORATION ‘UPLAND, CALIFORNIA 91786 ‘TELEPHONE (909) 980-7878 ¢ FACSIMILE (909) 912-8999 1042.N. MOUNTAIN AVE, SUITE B-222 wee wan een 10 u 12 13 4 15 16 7 18 19 20 21 2 B 24 25 26 ey 28 permits “like rape and domestic violence victims,” according to the rifle and pistol association. (emphasis added]. ‘The Attorney General’s Office said the DOJ will notify people whose data was exposed and provide additional information and resources as required by state law. The agency added that people can also protect themselves by monitoring their credit and placing free credit freeze and fraud alerts on their credit reports.” 46. Despite Bonta’s expressed feelings of being “deeply disturbed and angered” along lwith Bonta’s promise to “take strong corrective measures where necessary,” exactly nothing has been done by Bonta to ameliorate the data breach, leaving law abiding gun owners to live ina |constant state of fear, wondering when a criminal burglary, robbery or worse will take place. 47. Bonta’s data breach, totally indefensible, and an admitted violation of his duty under the law, naturally triggered an onslaught of media reporting, including print, radio and television, | According to published reports, in Los Angeles county alone, 2,891 individuals with standard licenses had their information leaked including 420 reserve officer permits, 244 judge permits, sixty-three employment permits, and seven custodial officer permits. 48. State and federal judges and prosecutors are among the more than 200,000 people that had their sensitive, private information publicly disclosed. [See here: Inttps://www.govtech.com/public-safety/california-doj-gun-data-leak-exposes-judges-prosecutors]. |Further, the information disclosed was not limited to the CCW database: “The information that was exposed included name, date of birth, gender, race, driver's license number, home address and criminal history. And it was not limited to the concealed weapons database, Ina statement issued Wednesday, the office said that information from the Assault Weapon Registry, Handguns Certified for Sale, Dealer Record of Sale, Firearm Safety Certificate, and Gun Violence Restraining Order databases were also "impacted." 49, Bonta later indicated that the Department was "investigating an exposure of 158 ‘COMPLAINT FOR DAMAGES AND INJUNCTIVE RELIEF HANNEMANN LAW FIRM, A PROFESSIONAL CORPORATION 1042.N, MOUNTAIN AVE, SUITE B-222, UPLAND, CALIFORNIA 91786 ‘TELEPHONE (909) 980-7878 o Facsiva.z (908) 912-8999 individuals’ personal information connected to the DOJ Firearms Dashboard" and "[ajny Junauthorized release of personal information is unacceptable. We are working swiftly to address 3 |[this situation and will provide additional information as soon as possible.” To date, no one from ew u awa 10 u 12 13 14 15 16 17 18 19 20 21 22 24 25 26 27 28 Ithe CA DOS has alerted any of the CCW holders of any investigation that is occurring, let alone that any real corrective action to address the egregious data leak is taking place or will ever take place. 50. On Wednesday, June 29, 2022, the Department issued a press release admitting that based on its current investigation, "the incident exposed the personal information of individuals lwho were granted or denied a concealed and carry weapons (CCW) permit between 2011-2021. . | Additionally, data from the following dashboards were also impacted: Assault Weapon Registry, [Handguns Certified for Sale, Dealer Record of Sale, Firearm Safety Certificate, and Gun Violence [Restraining Order dashboards.” 51. Inthe same press release, the Department confirmed the data breach in a statement lby Attorney General Bonta admitting that "this unauthorized release of personal information is lunacceptable.” He further commented, "We acknowledge the stress this may cause those individuals whose information was exposed." Yet, the failure to initiate an immediste and appropriate investigation or to take immediate or appropriate corrective action is disturbing and further creating harm to Plaintiffs. 52. The press release also indicated that "the Department will notify those individuals lwhose data was exposed and provide additional information and resources. California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an lunauthorized person." 53. The press release provided information to those whose information was exposed and ladvised those individuals to "[m]onitor your credit," "[eJonsider placing a free credit freeze on your credit report," "[pllace a fraud alert on your credit report,” and resources if the individuals became *victim{s] of identity theft." However, the information provided about placing a credit freeze, lasked victims to further disclose even more personal information, thus incredulously asking victims -16- COMPLAINT FOR DAMAGES AND INJUNCTIVE RELIEF HANNEMANN LAW FIRM, A PROFESSIONAL CORPORATION 1042 N. MOUNTAIN AVE, SUITE B-222 UPLAND, CALIFORNIA91786 ‘TELEPHONE (909) 960-7678 0 FAcsiALE (909) 912-6999 wea aware n 10 M1 12 13 14 15, 16 17 18 19 20 21 22 23 24 25 26 27 28 lof a data breach for even more personal information! The DOJ leaked personal information, yet is lasking for even more information to be provided to an outside vendor? Really? This totally |demonstrates the duplicitous conduct at best of Bonta and his minions at the DOJ. 54. The lack of disclosure in the Bonta Letter as to who accessed, or downloaded the Registry information was appalling, and is nothing more than an admission that the Registry had irreparably fallen into the public domain to such an extent that the only assistance the Department lof Justice can admittedly provide is limited to "establish{ment of] a call center to address any |question," {and] [offering complimentary access to credit monitoring services . .." (Bonta Letter, Jparagraph 5). It hardly inspires confidence that the very same governmental agency which illegally Jcollected, maintained, and wrongfully released private information of CCW holders and other [Second Amendment exercising individuals is now further targeting those very same individuals lwith more monitoring and data collection, by directing those individuals to another massive data lcollection and monitoring scheme. 55. With the release of the Report, the factual asserts and admissions prove beyond a |doubt that the DOJ has violated the California Information Practices Act with respect to hundreds lof thousands of CCW holders, and potentially 8.7 million other individuals by virtue of the DROS records similarly being leaked. 56. Nowhere in the Bonta Letter is any mention of the seriousness of the other risks {acing Plaintiffs, such as doxing, and criminal targeting, such as burglary and worse. Just how sincere is the purported regret expressed by Rob Bonta ("We sincerely regret the unacceptable disclosure of your personal date and I offer my sincerest apology on behalf of the entire Department lof Justice") when there is nothing in the Bonta Letter addressing or attempting to ameliorate the lserious doxing and criminal risks Plaintiffs now face? 57. Nowhere in the Bonta Letter, or since then, has the DOJ accurately informed the lhundreds of thousands of victims that they have expressed statutory rights to damages under the |California Information Practices Act. This is a travesty. How many victims would have come lforward had the DOS truthfully told the hundreds of thousands-at a minimum-of victims to timely lbring government claims? How many victims will initiate legal actions when given pathetic, ole ‘COMPLAINT FOR DAMAGES AND INJUNCTIVE RELIEF HANNEMANN LAW FIRM, A PROFESSIONAL CORPORATION 1042.N. MOUNTAIN AVE, SUITEB-222 UPLAND, CALIFORNIAI786 ‘TELEPHONE (909) 980-7878 o FACSIMALE (909) 912-9999 ee ee) 10 ul 12 13 14 15 16 7 18 19 20 21 23 24 25 26 27 28 |shameful form rejection letter hardly addressing the simple remedy of paying damages for an. ladmitted violation of the CA IPA? Why did the DOJ shamefully reject 100% of the government claims, in a form rejection letter stating “the Government Claims Program (GCP) staff completed its investigation of your claim and rejected it for the following reason: the claim involves complex issues that are beyond the scope of analysis and legal interpretation typically undertaken by the GCP. Therefore, staff did not make a determination regarding the merit of the claim, and itis being lrejected so you can initiate court action if you choose to pursue this matter further.” This is inexcusble, and demonstrates that the remedies of injunctive relief and damages are warranted. FIRST CAUSE OF ACTION (California Information Practices Act of 1977, Cal. Civ, Code §§ 1798-1798.78 - Against All Defendants) 58. Plaintiffs hereby incorporate by reference and restate the preceding paragraphs, as if set forth herein. 59. The Information Practices Act ("IPA") "generally imposes limitations on the right of governmental agencies to disclose personal information about an individual." Bates v. Franchise Tax Bd. (2004) 124 Cal.App.4th 367, 373 (citations omitted). The IPA "was designed by the Legislature to prevent misuse of the increasing amount of information about citizens which |government agencies amass in the course of their multifarious activities, the disclosure of which could be embarrassing or otherwise prejudicial to individuals or organizations." Anti-Defamation [League of B'nai B'rith v. Superior Court (1998) 67 Cal.App.4th 1072, 1079. 60. "Under the Act, state agencies are required to limit the collection and retention of personal information to that necessary to accomplish the agency's specific purpose.” Perkey v. Dep't of Motor Vehicles (1986) 42 Cal.3d 185, 193 (citing Cal. Civ. Code § 1798.32). "fAJl disclosures of personal information are restricted (§ 1798.24), and an accounting of such disclosures must be made, including disclosures pursuant to subpoena or search warrant (§ 1798.25)." Id. [emphasis added]. 61. The California Department of Justice is a state office, department, division, or -18- COMPLAINT FOR DAMAGES AND INJUNCTIVE RELIEF HANNEMANN LAW FIRM, A PROFESSIONAL CORPORATION 1042.N. MOUNTAIN AVE, SUITE B-222 UPLAND, CALIFORNIA 91786 ‘TELEPHONE (909) 980-7878 ¢ Facsini.e (909) 912-8999 Seowmyvaueon W 13 4 15 16 7 18 19 20 21 2 24 25 26 27 28 lagency and is therefore subject to the IPA. 62. Under the IPA, the California Department of Justice has a duty to not disclose [personal information in a manner that would link the information disclosed to the individual to Iwhom it pertains. 63. Under the IPA the California Department of Justice has a duty to prevent personal information from unauthorized access and extiltration, theft, or disclosure. 64, Under the IPA, the California Department of Justice has a duty to establish appropriate and reasonable administrative, technical, and physical safeguards to ensure the security land confidentiality of records, and to protect against anticipated threats or hazards to their security lor integrity which could result in any injury. 65. Under the IPA, the California Department of Justice has a duty to designate an lemployee responsible for ensuring the Department complies with the IPA. 66. Inasmuch as the California Department of Justice contracts for operation and Imaintenance of the personal information records, the Department has a duty to ensure the IPA's requirements are applied to those records. 67. The California Department of Justice breached duties owed under the IPA when it disclosed to the public at large the personal information of Plaintiffs. 68. Asaresult of the California Department of Justice’s breaches, Plaintiffs have suffered adverse effects, including, on information and belief, identify theft, harassment, fear, lanxiety, mental distress and reputational harm, both past and future. 69. Plaintiff’ therefore seek, among other things, a declaration that California's lexcessive and unwarranted collection, maintenance, and wrongful disclosure of this sensitive personal data violated the IPA, placed their identity, property, and physical safety at risk, and seek, lamong other things, an injunction prohibiting California from collecting, maintaining or disclosing such sensitive personal information in connection with any regulation of firearms pursuant to |California law. 70, Plaintiffs further seek all relief permitted under the law, including damages and injunctive or other equitable relief to ensure the California Department of Justice adequately -19- COMPLAINT FOR DAMAGES AND INJUNCTIVE RELIEF HANNEMANN LAW FIRM, A PROFESSIONAL CORPORATION 1042N. MOUNTAIN AVE, SUITE B-222 UPLAND, CALIFORNIA 91786 ‘TELEPHONE (09) 980-7878 ¢ FACSIMILE (909) 912-8959 Sowa aueon W 13 14 15 16 17 18 19 20 a 2 red 24 25 26 27 28 [safeguards their personal information going forward, as well as attorneys’ fees and costs. PRAYER FOR RELIEF WHEREFORE, Plaintiffs Request judgment against all Defendants as follows: 1. For appropriate compensatory damages in an amount be determined at trial; 2. Foran injunction enjoining Defendants from collecting, maintaining, or disclosing Plaintiffs’ sensitive personal information in connection with the exercise of the right to keep and lbear arms as protected by the Second and Fourteenth Amendments to the United Stetes Constitution; 3. For appropriate declaratory relief regarding the unlawful and unconstitutional acts land practices of Defendants and entry of a judgment declaring that California's collection, Imaintenance, and/or wrongful disclosure of the Plaintiffs' sensitive personal information in lconnection with the Plaintiffs’ desire to exercise their right to keep and bear arms violated their rights under the Second, Fourth, and Fourteenth Amendments to the United States Constitution, California's Constitutional Right to Privacy (Ca. Const,, art. 1, § 1), and the California Information [Practices Act of 1977 (Cal. Civ, Code §§ 1798-1798.78);, 4, Forall remedies and an award of reasonable attorneys’ fees, costs and other expenses las permitted by applicable law; 5. For exemplary damages against Defendants named as DOES 1-50. 6. Forsuch other and further relief to which Plaintiffs may show themselves justly entitled. 7 \ Ww I wv 7 wv 7 -20- ‘COMPLAINT FOR DAMAGES AND INJUNCTIVE RELIEF HANNEMANN LAW FIRM, A PROFESSIONAL CORPORATION 222 > FACSINILE (908) 912-8999 1042 N, Mounratn AVE UPLAND, Cat Dated: DEMAND FOR JURY TRIAL Plaintiffs request a trial by jury on all issues so triable. ‘ebruary 2, 2023 Respectfully Submitted, HANNEMANN LAW FIRM, APC LAW OFFICES OF MARC D. MABILE KATHLEEN DOHERTY, ESQ. ‘3 ¢i— By: Brian G, Hannemann, Esq. Mare D. Mabile, Esq, Kathleen Doherty, Esq ‘Atiomeys for Plaintifis -21- ‘COMPLAINT FOR DAMAGES AND INJUNCTIVE RELIEF HANNEMANN LAW FIRM, A PROFESSIONAL CORPORATION 1042N. MOUNTAIN AVE, SUITE B-222 UPLAND, CALIFORNIA 91786 ‘TELEPHONE (909) 980-7878 o FACSIMILE (909) 912-8999 (Oe oe 10 12 13 4 15 16 7 18 19 20 a 2 23 24 25 26 27 28 |Additional Counsel for Plaintiffs |Law Offices of Mare D. Mabile, APLC |Mare D. Mabile, Esq., State Bar No. - 144799 1950 Fifth Ave., Suite 200 |San Diego, California 92101 |Tel: (619) 702-2600 Kathleen Doherty, Esq. 1042 N. Mountain Ave, Suite B-596 Upland, CA. 91786 [Tel: (909) 522-0228 Fax: (909) 912-8084 [email protected] [Complaint - fina. wpa -22- COMPLAINT FOR DAMAGES AND INJUNCTIVE RELIEF EXHIBIT A MORRISON =OERSTER Report of Investigative Findings and Recommendations California Department of Justice OpenJustice Firearms Dashboard June 27-28, 2022 Exposure of Confidential Personal Data November 30, 2022 Prepared by Morrison & Foerster LLP Carrie H. Cohen Brian R. Michael Christine Y. Wong JORRISON FOERSTER Table of Contents 1. EXECUTIVE SUMMARY A. Background B. Development and Publication of the Firearms Dashboard. C. Notification of Data Exposure and DOJ Review... D. E. F. ‘Nature and Extent of Exposed Data Tableau Security Settings... Key Findings. Policies and Training for Handling Confidential Personal Dat Creation and Development of the Firearms Dashboard Publication of the Firearms Dashboard on June 27, 2022. DOJ Discovery of June 27-28 Data Exposure... Scope of Data Exposed on the Firearms Dashboard Analysis of Additional OpenJustice Dashboards G. Timeline of Key Events.. Il. SCOPE AND METHODOLOGY OF INVESTIGATION III. BACKGROUND ‘A. Overview of OpenJustice and Dashboards. B. Overview of Firearms Data on OpenJustice.. C. Overview of June 27-28, 2022 Data Exposure D. Overview of DOJ Response and Investigation . IV. DETAILS OF INVESTIGATION. A. FTIReview.. avaeenn) 1. Review of Tableau Environment 2. Analysis of Exposed Data... 3. Analysis of Additional OpenJustice Dashboards. B. Document Review. C. Interviews. V. DOJ STRUCTURE AND RELEVANT COMPONENTS. A. California Department of Justice. 1, Executive/Directorate Division .. 2. Division of Law Enforcement. 3. California Justice and Information Services Di MORRISON =OERSTER B. DOJ’s Use of Tableau 1. Background. 2. Use of Tableau to Create, Review, and Publish the Firearms Dashboard. VI. FACTUAL FINDINGS > Policies and Training for Har B. Creation and Development of the Firearms Dashboard L Background of the Firearms Dashboard. 2. Extraction and Use of Firearms-Related Data for the Firearms Dashboard. 3. Design of the Firearms Dashboard 4. Review and Approval of the Firearms Dashboard C. Publication of the Firearms Dashboard on June 27, 2022. 1. Publication to OpenJustice..... 2. Tableau Security Settings D. DOJ Discovery of June 27-28 Data Exposure .. 1. DOJ Alerted of Potential Exposure of Confidential Personal Data. 2. DOJ Review of the Firearms Dashboard Upon Notification. 3. Confirmation of Data Exposure and Firearms Dashboard Taken Down. E, Scope of Data Exposed on the Firearms Dashboard 1, Data That Was Publicly Accessible and Cross-Referencing Analysis.. 2. Data Identified as Downloaded .. F, Analysis of Additional OpenJustice Dashboard VII. POST-INCIDENT MONITORING.. VIIILRECOMMENDATIONS... IX. APPENDIX - KEY TERMS DEFINED. MORRISON FOERSTER Among its critical responsibilities and mandates, the California Department of Justice (DOJ): manages] multiple data repositories that contain highly sensitive and regulated criminal justice... and personally identifiable data. The confidentiality of this data must be protected at all times to ensure the DOJ continues to meet its responsibilities as custodians and providers of this data. (DOJ Administrative Manual, Chapter 15, Information Technology). Despite this directive, from June 27-28, 2022, confidential firearms-related data managed by DOJ was publicly exposed on OpenJustice, a DOJ website intended to provide the public with aggregated, anonymized criminal justice data. Specifically, for a period of less than 24 hours, public visitors to OpenJustice were able to access confidential personal information related to ‘concealed carry weapon permit applicants and holders and other firearms-related data that could be associated with or used to identify individuals. As detailed further in this Report of Investigative Findings and Recommendations (Report), the improper exposure of confidential personal data by DOJ, while unacceptable, was unintentional and not connected to any nefarious purpose. The investigation found that the data exposure was due to a lack of DOJ personnel training, requisite technical expertise, and professional rigor; insufficiently documented and implemented DOJ policies and procedures; and inadequate oversight by certain supervisors. This combination of factors resulted in errors, poor judgment, and missed opportunities by certain DOJ personnel, and ultimately, in DOJ’ failure to meet the responsibilities with which it was entrusted as the custodian of confidential personal information, To help restore the community’s trust and confidence in DOI’s continued ability to manage and protect confidential personal data, this Report sets forth: (1) factual findings regarding the circumstances of the data exposure, and (2) recommendations to improve DOJ’s handling of such data to avoid improper exposure in the future, I. EXECUTIVE SUMMARY A. Background On June 27, 2022, as part of its commitment to publicly share criminal justice data in a transparent manner, DOJ published on its public-facing OpenJustice! website an interactive dashboard containing firearms-related data (the Firearms Dashboard). DOJ's intent was to publish only aggregated, anonymized data; DOJ personnel did not intend for confidential information that could be associated with or used to identify individuals, and that should not be publicly disclosed (confidential personal data’), to be accessible to the public on OpenJustice. 1 An Appendix of Key Terms is attached to this Report; certain of these key terms are bolded and/or abbreviations of them are repeated herein for ease of reference. 2 For purposes ofthis Report, the data that was never intended tobe publicly disclosed in the dataset underlying the Firearms Dashboard, some of which could be used to identify individuals, is refered to herein as “confidential personal data.” This description of “confidential personal data” is not, nor should it be understood as, the legal ‘definition of “Personal Identifiable Information” (PII), as that term i used in other contexts. A more detailed

You might also like