SCOPE AND METHODOLOGY
The Joint Legislative Audit Committee (Audit Committee) directed the California State Auditor to perform an audit related to EDD’s privacy protection practices when mailing documents to its customers, as well as other audit objectives. The table below outlines the Audit Committee’s objectives and our methods for addressing them.
|1||Review and evaluate the laws, rules, and regulations significant to the audit objectives.||Researched and reviewed relevant laws, rules, regulations, and policies.|
|2||Determine whether EDD’s policies and procedures for protecting customers’ personal information comply with applicable state and federal laws and state policy.||Obtained and reviewed EDD’s information security policies and its policy and procedures manuals for Disability and Unemployment.|
|3||Determine whether EDD has been mailing documents to its customers since 2015 that contain personal information and, if so, determine the following:||
|a. EDD’s reasons for mailing documents to its customers that contained full SSNs or other personal information rather than using other alternative methods, such as redacting the SSNs.|
|b. To the extent possible, the number of individuals who requested to receive information online only but were mailed documents containing full SSNs or other personal information.|
|4||Determine whether EDD provides, or plans to provide, alternatives to mailed documents, including providing online communication. If so, to the extent possible, evaluate the effectiveness of those alternatives to increase customer privacy.||We did not identify any additional issues that are significant to the audit.|
|5||Determine the number of complaints EDD has received from its customers about receiving documents through the mail that contain SSNs, including any complaints related to identity theft. Determine whether EDD adequately responded to those complaints.||
|6||Evaluate EDD’s efforts since 2015 and plans to better protect personal information of its customers and determine the costs and timelines of these efforts. Determine whether any other resources or low-tech or temporary options are available to resolve this issue.||
|7||Review and assess any other issues that are significant to the audit.||Did not identify any additional issues that are significant to the audit.|
Source: Analysis of the Audit Committee’s audit request number 2018-129, as well as information and documentation identified in the column titled Method.
Assessment of Data Reliability
In performing this audit, we obtained electronic data from EDD related to its metered mail and online communications, including complaints. The U.S. Government Accountability Office, whose standards we are statutorily required to follow, requires us to assess the sufficiency and appropriateness of any computer‑rocessed information we use to support our findings, conclusions, or recommendations. We found the data related to metered mail to be reasonable; however, we found limitations with the online communications data, which we describe in the Scope and Methodology table. To evaluate these data, we performed electronic testing of the data and interviewed key staff knowledgeable about the data. We did not perform accuracy or completeness testing of these data so they are of undetermined reliability for our audit purposes. Although these determinations may affect the precision of the numbers we present, there is sufficient evidence in total to support our findings, conclusions, and recommendations.