This webpage provides updates and answers questions regarding an unauthorized posting of Admissions confidential data recently discovered by the State Bar.
Background
On December 20, 2022, the State Bar learned that a confidential spreadsheet used by the State Bar to administer the February 2021 California Bar Exam was appearing on a commercial subscription-based website (the website) and in public search engines. Our review thus far has confirmed that the spreadsheet has since been removed from the public posting. The State Bar is investigating the incident further.
This page will be updated when there is further information to share.
When did the State Bar first learn about the posting of confidential admissions information on another website?
The State Bar learned of the unauthorized posting of the spreadsheet on December 20, 2022.
The spreadsheet, which was dated March 4, 2021, listed the names of individuals registered for the February 2021 exam and whether they were approved to sit, had withdrawn, had abandoned their application, and whether they attended each session. The document also contained codes that could indicate whether an applicant was allotted extra time as a testing accommodation. It’s unclear how or when the document was accessed and posted.
While applicant information is confidential under the State Bar Act, none of the disclosed information meets the legal definition of “personal information” under California’s Information Practices Act or any other state data privacy law.
Who first notified the State Bar about the spreadsheet?
An applicant for admission first notified the State Bar that the information was available on the website and requested that their information be removed.
What has the State Bar done since learning about the posting?
The State Bar is taking all necessary steps to address and correct this matter. Staff contacted the website and requested removal of the spreadsheet. Staff confirmed on December 27, 2022, that the document is no longer publicly accessible on the website.
We commenced an investigation, which is still ongoing, and have requested any information from the website to help trace the document. We are engaging a cybersecurity forensics team to investigate how the document was accessed and posted.
How did this happen?
We are investigating the incident further to understand how the document was accessed and posted.
How long were the records available?
We have requested this information from the website.
How many records were posted?
The spreadsheet listed the names of 4,211 individuals.
How many views did the file receive?
What should anyone concerned that their name appears on this website do?
It’s important to know that, as of December 27, 2022, the list has been removed from the website. We are committed to transparency and will be directly notifying those affected by the unauthorized posting after we get more information about what happened.