I wonder what laws are in place if any to cover this.
At the federal level it would be the Privacy Act of 1974 (https://www.justice.gov/archives/opcl/policy-objectives).
Shortly after this was put into place at the federal level, states passed their own laws to mirror this one. For CA it would be the Information Practices Act of 1977 (https://www.ftb.ca.gov/tax-pros/procedures/disclosure-manual-4000-information-practices-act.html).
I'm not a lawyer, but a couple of classes I've had to take recently for cybersecurity had us learn about the various laws relating to the legal and ethical requirements for the collection, maintenance, storage and protection of sensitive and personal information.
I wouldn't think this incident was intentional, but it's clear that they didn't have appropriate safeguards in place to prevent it.
“The California Department of Justice’s 2022 Firearms Dashboard Portal went live on Monday with publicly-accessible files that include identifying information for those who have concealed carry permits. The leaked information includes the person’s full name, race, home address, date of birth, and date their permit was issued. The data also shows the type of permit issued, indicating if the permit holder is a member of law enforcement or a judge.”
All of this information is considered Personally Identifiable Information per the US General Services Administration and most other government departments, with NIST establishing the standards (https://csrc.nist.gov/glossary/term/PII):
"- Personally Identifiable Information; Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.
- Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
- Any information about an individual that can be used to distinguish or trace an individual's identity and any other information that is linked or linkable to an individual.
- Information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.)."
There are strict rules and laws on how agencies must handle and protect this information from being released.
Someone really screwed the pooch on this data breach.