This webpage provides updates and answers questions regarding an unauthorized posting of Admissions confidential data discovered by the State Bar in December 2022.
March 28, 2023, update
In keeping with the State Bar’s commitment to transparency, we are implementing a notification plan for the 4,211 applicants whose names appeared in the Admissions confidential spreadsheet posted on Justanswer.com from approximately March 4, 2021, to late December 2022. All affected applicants will receive an email that summarizes the same information available on this webpage.
Although the State Bar is not legally required to do so, it has committed to notifying those whose names and other information appeared in the confidential spreadsheet. “We are taking these steps because we believe it’s the right thing to do,” said Leah Wilson, Executive Director. “The State Bar is committed to transparency, and maintaining the public’s trust in our agency is of paramount importance.”
January 7, 2023
Background
On December 20, 2022, the State Bar learned that a confidential spreadsheet used by the State Bar to administer the February 2021 California Bar Exam was appearing on a commercial subscription-based website, JustAnswer.com, and in public search engines. Staff confirmed on December 27, 2022, that the spreadsheet had been removed from their website.
When did the State Bar first learn about the posting of confidential admissions information on another website?
The State Bar learned of the unauthorized posting of the spreadsheet on December 20, 2022.
The spreadsheet, which was dated March 4, 2021, listed the names of individuals registered for the February 2021 exam and whether they were approved to sit, had withdrawn, had abandoned their application, and whether they attended each session. The document also contained codes that could indicate whether an applicant was allotted extra time as a testing accommodation.
While applicant information is confidential under the State Bar Act, none of the disclosed information meets the legal definition of “personal information” under California’s Information Practices Act or any other state data privacy law.
What information was in the spreadsheet?
The confidential spreadsheet contained the following nonpublic information regarding individuals who applied to sit for the February 2021 California Bar Exam: full name; applicant number; National Conference of Bar Examiners number; exam enrollment ID; application status; test center information; attendance at specific sessions of the Bar Exam; and a code that represents which format of the exam and which schedule was granted for each exam session. To be clear, the spreadsheet did not contain Bar Exam scores, Social Security number, home address, or other similarly sensitive personal information.
Who first notified the State Bar about the spreadsheet?
An applicant for admission first notified the State Bar that the information was available on the website and requested that their information be removed.
Why has it taken the State Bar so long to issue notices/go public?
The State Bar provided an initial notice via this webpage, which was first posted on January 7, 2023, shortly after we learned of the incident. We wanted to make sure we had as much information as possible before providing an additional update and commencing notices to those affected. It was necessary to allow time for a complete investigation to avoid interfering with that process. Disclosing details prematurely, particularly before we knew how the confidential document was accessed and posted, posed the risk of exposing further confidential information.
What is JustAnswer.com and why was the spreadsheet posted there?
The JustAnswer.com website is a subscription-based question and answer forum. Customers with questions can connect with experts in various categories, who serve as independent contractors on the platform, for information. JustAnswer.com informed the State Bar that it does not control the information or content users post. Each user is responsible for the information they upload.
What has the State Bar done since learning about the posting?
The State Bar is taking all necessary steps to address and correct this matter. Staff contacted the website and requested removal of the spreadsheet. Staff confirmed on December 27, 2022, that the document is no longer publicly accessible on the website.
We commenced an investigation and requested any information from JustAnswer.com to help trace the document.
We engaged a cybersecurity forensics team to investigate how the document was accessed and posted.
We are working with a third party to notify those whose data appeared on the spreadsheet, even though none of the disclosed information meets the legal definition of “personal information” under California’s Information Practices Act or any other state data privacy law.
How did this happen?
The State Bar’s investigation determined that this disclosure was the result of an isolated employee action and was not the result of any data breach or security vulnerability of State Bar systems. The State Bar is also confident that no other confidential information was disclosed in connection with this incident and there is no risk of additional confidential information being disclosed.
What actions are being taken as a result of this accidental disclosure?
We cannot disclose the specifics, but appropriate action has been taken with respect to the employee at issue.
How long were the records available?
Justanswer.com informed us that the spreadsheet was posted on March 4, 2021. Staff confirmed on December 27, 2022, that the document had been removed from the website.
How many records were posted?
The spreadsheet listed the names of 4,211 individuals.
How many views did the file receive?
Justanswer.com was unable to provide this information, so we don’t know.
What should anyone concerned that their name appears on this website do?
It’s important to know that, as of December 27, 2022, the list was removed from the website. Those affected by the unauthorized posting will receive an email notification, which will provide an email address for further questions, but both this webpage and the email notification contain all information currently available about this incident.
This page will be updated when there is further information to share.