Pennsylvania bar applicants request investigation after exam software data breach

Several Pennsylvania bar exam applicants published a letter to the Pennsylvania Bureau of Consumer Protection Wednesday requesting an investigation into ExamSoft, the software being used to administer the upcoming October bar exam. The applicants expressed concerns that recent data breaches resulted from fundamental security flaws within the ExamSoft site.

The applicants also allege that ExamSoft has made material misrepresentations in its security policies that violate the Pennsylvania Unfair Trade Practices and Consumer Protection Law:

We request that the Bureau of Consumer Protection investigate whether ExamSoft made material misrepresentations in its customer-facing privacy policy concerning its safeguarding of users’ personal information by failing to be in full compliance with its stated policies while Pennsylvania bar applicants use its platform. Users’ data appear to have been stolen; data may continue to be stolen during the month of September as bar applicants download ExamSoft products, and applicants’ data may be at great risk during the actual exam in a few short weeks. Despite these security concerns, bar applicants in Pennsylvania and across the country must consent to use of this software if we want to take the bar exam during our last opportunity to do so this year. Your office has been a leader in protecting the public against data breaches and we hope that you will choose to be a leader once again.

In the letter, multiple applicants reported password breaches and fraudulent charges on financial accounts in the days after they downloaded the ExamSoft software. The letter expresses concern regarding ExamSoft’s storage of applicants’ Social Security numbers and video and audio data after the Association for Software Testing remarked that a “cursory examination of the ExamSoft website finds very intrusive ‘features’ that grant device access a hacker would dream of. […] Software with this level of control over an examinee’s computer represents a significant security risk to examinees.”

ExamSoft has become the exclusive bar exam platform for twenty jurisdictions throughout the United States. Applicants are seeking an injunction to ensure that ExamSoft follows appropriate policies for data security for the bar exam.

The Pennsylvania Consumer Protection Bureau has not yet responded to the letter.