Audit Highlights
Our audit regarding EDD’s privacy protection practices revealed the following:
- EDD sent its Disability and Unemployment claimants more than 17 million pieces of mail containing full SSNs in fiscal year 2017–18.
- Despite concerns about privacy protection from EDD’s claimants and members of the Legislature, EDD still sends every Disability and Unemployment claimant documents containing full SSNs.
- Since 2015 EDD has undertaken efforts that have reduced the number of mailings containing full SSNs that it sends to claimants, but those efforts have been insufficient.
- EDD exposed nearly 300 claimants to the risk of identity theft when it inappropriately disclosed their personal information—including SSNs—to others.
- EDD’s reasons for continuing to print full SSNs on documents it mails to claimants do not outweigh the risks.
- EDD intends to replace SSNs with a unique identifier as part of its benefit systems modernization project; however, this project will take at least five and a half years to complete.
- Given the timeline for its benefit systems modernization project and the fact that it does not offer claimants an alternative to receiving mailed documents containing SSNs, EDD needs to take interim measures to better protect its claimants.
Results in Brief
Identity theft affects millions of Americans and costs billions of dollars each year. For example, identity thieves can use other individuals’ Social Security numbers (SSNs) to fraudulently open financial accounts, obtain tax refunds, and amass medical bills. To combat the risk of identity theft, state agencies have an ongoing responsibility to protect Californians’ personal information, such as their SSNs. The Employment Development Department (EDD) is responsible for, among other things, the State’s Disability Insurance program (Disability), which includes the Paid Family Leave program, and Unemployment Insurance program (Unemployment). In administering these programs, EDD collects individuals’ personal information for a variety of purposes. Although EDD’s information security policies are generally consistent with federal and state requirements, EDD puts Californians at risk of identity theft when it mails documents containing SSNs to individuals who seek or receive benefits because they are unemployed, disabled, or caring for new children or ill family members (claimants). Our review determined that at least half of the mail Disability and Unemployment sent to claimants from EDD’s mailing facility in fiscal year 2017–18 included full SSNs. In that fiscal year alone, we estimate that EDD sent its claimants more than 17 million pieces of mail that contained full SSNs.
EDD has undertaken efforts since 2015 that have reduced by at least 10 million the number of mailings that contain full SSNs that it sends annually to claimants, but its efforts have been insufficient to fully address privacy concerns. Several of the security incidents that we reviewed from 2015 through 2018 showed that EDD exposed nearly 300 claimants to the risk of identity theft when it inappropriately disclosed their personal information—including SSNs—to others. Although the number of affected claimants we identified is small relative to the millions of documents that EDD mails to claimants, such disclosures could have a significant impact on those claimants if they were to become victims of identity theft. Members of the Legislature and some of EDD’s claimants have expressed concerns about EDD’s practice of mailing documents that contain SSNs. Nonetheless, EDD still sends every Disability and Unemployment claimant documents that include full SSNs.
EDD has offered a number of reasons for including full SSNs on documents that it mails to claimants, but these reasons do not outweigh the risks of identity theft when alternatives to using SSNs exist. EDD can lawfully print SSNs on documents it mails to claimants, and in limited instances it may be necessary for EDD to communicate with a claimant about that claimant’s SSN. However, we identified no federal or state law that expressly requires EDD to print SSNs on such documents. In fact, several federal agencies have initiated efforts to reduce their use of SSNs on mailed documents, including by replacing SSNs with alternative pieces of information that refer to only one person (unique identifiers). EDD management explained that EDD prints SSNs on documents that it mails to claimants to ensure that it can process those documents if it receives them back. Even so, EDD has included SSNs in these instances because of its own limitations: it has not yet implemented another method to guarantee that it can reliably locate claimants in certain information technology (IT) systems it uses.
At the time of our audit, EDD did not have a short‑term plan for removing remaining SSNs from the high‑volume documents that we reviewed. Instead, it intends to incorporate a unique identifier as part of its benefit systems modernization project (modernization project)—which will fully replace its aging IT infrastructure with a unified system. This project will allow EDD to remove SSNs from these remaining documents. However, EDD’s planning documents and vendor responses to a December 2017 Request for Information indicate that EDD will not complete its modernization project any earlier than September 2024. In the interim five and a half years, EDD will likely continue to mail millions of documents annually that put claimants at risk of identity theft.
Given the timeline for when EDD plans to complete its modernization project, we believe it needs to take interim measures to better protect its claimants. The tangible risk to claimants’ privacy, and the fact that EDD does not currently offer a means for claimants to opt out entirely from receiving mailed documents that contain SSNs, emphasize the need for EDD to take action in the near term. We identified possible solutions that EDD could use to replace full SSNs on each of the types of documents we reviewed. For example, one solution we proposed involves replacing full SSNs with a modified unique identifier. EDD management indicated that this solution would be the least disruptive to its existing systems, policies, and procedures, and that EDD supports this solution compared to the others we identified. Further, by implementing its recently developed plan for reviewing other types of personal information on new, revised, and existing documents, and eliminating any unnecessary uses of that information, EDD could ensure that it protects its claimants’ privacy.
Summary of Recommendations
To better protect the Californians whom state agencies serve from the risk of identity theft, the Legislature should amend state law to require all state agencies to develop and implement plans to stop mailing documents that contain full SSNs to individuals by no later than December 2022, unless federal law requires the inclusion of full SSNs. To ensure that state agencies sufficiently prepare to implement this new law, the Legislature should also require that, by September 2019, they submit to it a report that identifies the extent to which they mail documents containing full SSNs to individuals.
If any agency determines that it cannot reasonably meet the December 2022 deadline to stop including full SSNs on mailings to individuals, the Legislature should require that, starting in January 2023, the agency submit to it and post on the agency’s website an annual corrective action plan. Finally, if a state agency cannot remove or replace full SSNs that it includes on the documents it mails to individuals by January 2023, the Legislature should require the agency to provide access to and pay for identity theft monitoring for any individual to whom it mails documents containing SSNs.
To reduce the risk of identity theft for its claimants, EDD should, by December 2021, implement one or more of our proposed solutions or another viable solution to discontinue its use of full SSNs as unique identifiers on all documents that it mails to claimants. Further, it should prioritize addressing documents with the highest mail volumes and should make changes to those documents by March 2020.
To ensure that it fully protects its claimants’ privacy, EDD should, by May 2019, implement its recently developed plan for reviewing new, revised, and existing documents. By December 2021, EDD should complete its full review of existing documents and remove any unnecessary instances of personal information.
EDD agreed with our recommendations and indicated it would implement them.