California Department of Justice Releases Results of Independent Investigation of Firearms Dashboard Data Exposure

Implements all recommendations to strengthen data security 

SACRAMENTO — The California Department of Justice (DOJ) today released the results of an independent investigation of the exposure of confidential personal data associated with the update of DOJ’s 2022 Firearms Dashboard. The investigation was conducted by independent legal and forensic cyber experts. The investigation found that some confidential personal data of roughly 192,000 individuals who applied for a concealed carry weapons (CCW) permit from approximately 2012-2021 was unintentionally disclosed due to the incident, which, as previously reported by DOJ, occurred on June 27 and June 28, 2022. 

“This unauthorized release of personal information was unacceptable. This was more than an exposure of data, it was a breach of trust that falls far short of my expectations and the expectations Californians have of our department,” said Attorney General Bonta. “I remain deeply angered that this incident occurred and extend my deepest apologies on behalf of the Department of Justice to those who were affected. I thank the outside experts for this independent report, which is an important step in our work to build trust and transparency. While the report found no ill intent, this incident was unacceptable, and DOJ must be held to the highest standard. This failure requires immediate correction, which is why we are implementing all of the recommendations from this independent report.”

In response to the data exposure, DOJ retained the law firm of Morrison Foerster to lead an independent investigation, with the assistance of FTI, an outside cyber expert. The investigation found that this improper exposure on the Firearms Dashboard, while unacceptable, was unintentional, and due to a number of deficiencies within DOJ including lack of training, expertise, and professional rigor; insufficient documentation, policies, and procedures; and inadequate oversight. The investigation provides the public and DOJ with an overview of the incident, as well as recommendations for the Department to improve its ongoing data security practices. 

DOJ has committed to implementing all recommendations from the independent investigation:

• Conduct a thorough review of all DOJ policies and procedures regarding the handling of confidential personal data and the supervision of personnel handling such data.
• Provide enhanced trainings regarding the handling of confidential personal data as appropriate, taking into account the specific roles and responsibilities of DOJ personnel. 
• Evaluate security risks for IT solutions used for projects that involve personal data and provide formal training for DOJ personnel regarding the use of these solutions.  
• Centralize and improve DOJ’s organizational structure to enhance oversight and supervision of organization-wide risk management, data security, and related functions. To improve its oversight over risk management, data security, and related functions, DOJ will hire a chief information security officer to lead a team of specialists and have ultimate responsibility for data security across all DOJ components.
• Develop a detailed data incident action plan for use in case of any future reports of exposure of confidential or sensitive data. 
• Review and revise its approval process for any project involving confidential personal data to ensure that such review is sufficiently documented, systematic, and rigorous.

A copy of the report can be found here. Additional information and updates may be found at https://oag.ca.gov/dataexposure.