Report 2018-129 Recommendations
When an audit is completed and a report is issued, auditees must provide the State Auditor with information regarding their progress in implementing recommendations from our reports at three intervals from the release of the report: 60 days, six months, and one year. Additionally, Senate Bill 1452 (Chapter 452, Statutes of 2006), requires auditees who have not implemented recommendations after one year, to report to us and to the Legislature why they have not implemented them or to state when they intend to implement them. Below, is a listing of each recommendation the State Auditor made in the report referenced and a link to the most recent response from the auditee addressing their progress in implementing the recommendation and the State Auditor's assessment of auditee's response based on our review of the supporting documentation.
Recommendations in Report 2018-129: Employment Development Department: Its Practice of Mailing Documents Containing Social Security Numbers Puts Californians at Risk of Identity Theft (Release Date: March 2019)
|Recommendations to Employment Development Department|
To reduce the risk of identity theft for its claimants before it completes its modernization project, EDD should, by December 2021, implement one or more of our proposed solutions or another viable solution to discontinue its use of full SSNs as unique identifiers on all documents that it mails to claimants. Further, it should prioritize addressing documents with the highest mail volumes, and it should make changes to these documents by March 2020. When providing us with the status of its implementation of this recommendation at 60 days, six months, and one year after the issuance of this report, and annually thereafter, EDD should note which documents it has addressed since the release of our report, how it has addressed them, and the dates by which it expects to address the remaining documents containing full SSNs that it mails to claimants.
To ensure that it eliminates any unnecessary uses of personal information in its external communications and to ensure that it fully protects its claimants' privacy, EDD should, by May 2019, implement its recently developed plan for reviewing new, revised, and existing documents. EDD should provide documents to us indicating the progress it has made to implement this recommendation at 60 days, six months, and one year following the release of this report. Finally, it should, by December 2021, complete its full review of existing documents and remove any unnecessary instances of personal information.
|Recommendations to Legislature|
Because other state agencies may mail full SSNs to Californians, and because this practice—regardless of the agency involved—exposes individuals to the risk of identity theft, the Legislature should amend state law to require all state agencies to develop and implement plans to stop mailing documents that contain full SSNs to individuals by no later than December 2022, unless federal law requires the inclusion of full SSNs. To ensure that state agencies sufficiently prepare to implement this new law, the Legislature should also require that, by September 2019, they submit to it a report that identifies the extent to which their departments mail any documents containing full SSNs to individuals.
If any agency determines that it cannot reasonably meet the December 2022 deadline to stop including full SSNs on mailings to individuals, the Legislature should require that, starting in January 2023, the agency submit to it and post on the agency's website an annual corrective action plan that contains, at a minimum, the following information:
- The steps it has taken to stop including full SSNs on mailed documents.
- The number of documents from which it has successfully removed full SSNs and the approximate mailing volume that corresponds to those documents.
- The remaining steps that it plans to take to remove or replace full SSNs it includes on mailed documents.
- The number of documents and approximate mailing volume that it has yet to address.
- The expected date by which it will stop mailing documents that contain full SSNs to individuals.
Finally, if a state agency cannot remove or replace full SSNs that it includes on documents that it mails to individuals by January 2023, the Legislature should require the agency to provide access to and pay for identity theft monitoring for any individual to whom it mails documents containing SSNs.