Skip Repetitive Navigation Links
California State Auditor Logo COMMITMENT • INTEGRITY • LEADERSHIP

Employment Development Department
Its Practice of Mailing Documents Containing Social Security Numbers Puts Californians at Risk of Identity Theft

Report Number: 2018-129

Introduction

Background

Types of Personal Information

Personal Information: Any information that identifies or describes an individual such as an individual’s name, SSN, physical description, home address, home telephone number, education information, financial information, medical history, and employment history.

Notice-Triggering Information: A subcategory of personal information, it includes an individual’s first name or first initial and last name in combination with any of the following: SSN, driver’s license number, account numbers and codes that would permit access to financial accounts, medical information, or health insurance information.

Source: State law and Statewide Information Management Manual.

Californians have a right to privacy under state law and state agencies have a responsibility to protect personal information that they use in the course of their work. State law imposes specific requirements for the protection of individuals’ information and declares that there should be strict limits on the dissemination of personal information. For instance, state law and policy require agencies to notify affected individuals if the agencies improperly disclose certain spsecified types of personal information (notice‑triggering information). Examples of notice‑triggering information include an individual’s first name or first initial and last name in combination with a Social Security number (SSN), a driver’s license number, a medical record, or other specified data. The text box lists the types of personal information that are defined under state law and further clarified under state policy.

The Employment Development Department (EDD) collects personal information for a variety of administrative purposes. In addition to collecting payroll taxes for the State and assisting job seekers, EDD provides billions of dollars in partial wage replacement benefits each year to Californians who seek or receive such benefits and are unemployed, disabled, or caring for new children or ill family members (claimants). EDD collects claimants’ personal information—including SSNs, driver’s license numbers, and medical information—to verify that they are eligible for benefits and to fulfill other business needs and legal requirements. For instance, federal law requires states to use SSNs when verifying eligibility for unemployment insurance benefits. In addition, federal law requires states to administer their unemployment insurance programs in such a manner as to pay benefits promptly and properly and to enable the states to associate claimants’ records with their SSNs. In accordance with this directive, EDD requires claimants to provide their SSNs when they apply for benefits. EDD uses SSNs to administer unemployment insurance benefits by relying on SSNs to associate claimants with their wages, which determine the benefits that claimants receive.

The Use of SSNs Increases the Risk of Identity Theft

The use of SSNs poses an innate risk of identity theft, which affects millions of Americans and costs billions of dollars each year. Because the Social Security Administration assigns each individual a unique SSN, it is an effective piece of information that refers to only one person (unique identifier). Many organizations use SSNs as unique identifiers to reference individuals for administrative purposes and for communication with other organizations. Consequently, the State’s Office of the Attorney General and other entities have declared that SSNs are the key to identity theft. Identity thieves can use other individuals’ SSNs to fraudulently open financial accounts, obtain tax refunds, and amass medical bills. Identity thieves can gain access to SSNs using a variety of methods, including by breaching data systems and perpetrating Internet scams.

Identity thieves can also access SSNs by stealing physical documents, such as mail. For example, thieves can take documents with SSNs from other individuals’ mailboxes, can receive mail that senders incorrectly address, and can obtain mail from trash receptacles after recipients discard it. In 2003 a Federal Trade Commission (FTC) survey reported that stolen mail was the cause of identity theft for 4 percent of all victims, which at that time totaled 400,000 individuals. However, a 2008 FTC report states that it is difficult to know how often identity theft is caused by mail theft or another method, largely because identity theft victims frequently do not know how their information was compromised.

To address the risks of identity theft, several federal agencies have initiated efforts to reduce the number of mailings that unnecessarily contain full SSNs. As early as 2007, the President’s Identity Theft Task Force sought to reduce governmental use of SSNs on mailed documents. It noted that some entities had already made progress in this area—for instance, the Veterans Health Administration stopped printing SSNs on its identification cards in 2004—but concluded that more must be done to eliminate unnecessary uses of SSNs. To this end, a 2015 law prohibited federal and state agencies from printing SSNs on any checks they issued for payment. More recently, a 2017 law required certain federal agencies, including the Department of Labor, the Social Security Administration, and the Internal Revenue Service (IRS), to develop plans to eliminate unnecessary mailings of SSNs and to report to Congress on all mailed documents still containing full SSNs. In response, the Social Security Administration reported in 2017 that it had replaced full SSNs with truncated SSNs—displaying only the last four digits—or with other unique identifiers on two of its highest‑volume notices, and that it planned to replace full SSNs on additional documents it mails millions of times. In addition, the IRS stated that it had either truncated or completely removed SSNs on notices that it sent nearly 50 million times by mail in fiscal year 2015–16.

EDD Mails Millions of Documents Each Year

EDD mails millions of documents each year to send or request information related to four of its programs: Disability Insurance (Disability), which includes the Paid Family Leave program; Unemployment Insurance (Unemployment); Tax; and Workforce Services.1 Disability and Unemployment together processed claims for a total of more than a million claimants in 2017 and accounted for most of EDD’s outgoing mail in fiscal year 2017–18. Figure 1 details the volumes of mail that each of EDD’s programs sent from its central printing and mass mailing facility (mailing facility) in fiscal year 2017–18. Although Disability and Unemployment have more than 40 field offices that also mail documents, about 93 percent of the two programs’ total postage costs were from the mailing facility in fiscal year 2017–18.

Figure 1
Disability and Unemployment Sent More Than 37 Million Documents From EDD’s Mailing Facility
in Fiscal Year 2017–18

A graphic describing four of EDD’s programs, including the volume of mail those programs send and to whom they primarily send it.

Source: EDD program descriptions and mailing facility volumes.

As Figure 1 shows, Disability and Unemployment mail documents primarily to claimants, whereas EDD’s Tax and Workforce Services programs mail documents primarily to employers and job seekers. EDD sends all Disability and Unemployment claimants documents in the mail. EDD sends claimants documents with general information and other documents with personal information, which may include SSNs. Some of these documents require responses from claimants: for example, EDD mails a form that claimants use to verify that they are eligible for benefits. EDD also sends notices that provide information to claimants but do not always require responses: for instance, it mails a notice with claimants’ wages and pending benefit amounts and requests that claimants contact EDD if they identify inaccuracies. In addition, the four EDD programs we discuss earlier include SSNs on certain documents that they mail to employers or other third parties, generally to ensure that those entities can accurately identify the referenced individuals. However, this report focuses on documents containing personal information that EDD mails to Disability and Unemployment claimants, and specifically on documents that contain or previously contained SSNs.

The information technology (IT) systems that EDD uses to handle its claims and generate its mailings are disparate, complex, and based on antiquated technology. These systems automatically generate mailings to claimants, and because of the systems’ technological limitations, altering physical documents that EDD sends to claimants requires significant IT programming effort and resources. EDD plans to replace and unify these aging systems through its benefit systems modernization project (modernization project), which includes both the Disability and Unemployment systems.







Footnotes

1 For the purposes of this report, we use documents to refer to physical versions of any correspondence, letters, or other communications.
Go back to text

 




Back to top