Implements all recommendations to strengthen data security
SACRAMENTO — The California Department of Justice (DOJ) today released the results of an independent investigation of the exposure of confidential personal data associated with the update of DOJ’s 2022 Firearms Dashboard. The investigation was conducted by independent legal and forensic cyber experts. The investigation found that some confidential personal data of roughly 192,000 individuals who applied for a concealed carry weapons (CCW) permit from approximately 2012-2021 was unintentionally disclosed due to the incident, which, as previously reported by DOJ, occurred on June 27 and June 28, 2022.
“This unauthorized release of personal information was unacceptable. This was more than an exposure of data, it was a breach of trust that falls far short of my expectations and the expectations Californians have of our department,” said Attorney General Bonta. “I remain deeply angered that this incident occurred and extend my deepest apologies on behalf of the Department of Justice to those who were affected. I thank the outside experts for this independent report, which is an important step in our work to build trust and transparency. While the report found no ill intent, this incident was unacceptable, and DOJ must be held to the highest standard. This failure requires immediate correction, which is why we are implementing all of the recommendations from this independent report.”
In response to the data exposure, DOJ retained the law firm of Morrison Foerster to lead an independent investigation, with the assistance of FTI, an outside cyber expert. The investigation found that this improper exposure on the Firearms Dashboard, while unacceptable, was unintentional, and due to a number of deficiencies within DOJ including lack of training, expertise, and professional rigor; insufficient documentation, policies, and procedures; and inadequate oversight. The investigation provides the public and DOJ with an overview of the incident, as well as recommendations for the Department to improve its ongoing data security practices.
DOJ has committed to implementing all recommendations from the independent investigation: