Report 2018-129 All Recommendation Responses

Report 2018-129: Employment Development Department: Its Practice of Mailing Documents Containing Social Security Numbers Puts Californians at Risk of Identity Theft (Release Date: March 2019)

Recommendation for Legislative Action

Because other state agencies may mail full SSNs to Californians, and because this practice—regardless of the agency involved—exposes individuals to the risk of identity theft, the Legislature should amend state law to require all state agencies to develop and implement plans to stop mailing documents that contain full SSNs to individuals by no later than December 2022, unless federal law requires the inclusion of full SSNs. To ensure that state agencies sufficiently prepare to implement this new law, the Legislature should also require that, by September 2019, they submit to it a report that identifies the extent to which their departments mail any documents containing full SSNs to individuals.

If any agency determines that it cannot reasonably meet the December 2022 deadline to stop including full SSNs on mailings to individuals, the Legislature should require that, starting in January 2023, the agency submit to it and post on the agency's website an annual corrective action plan that contains, at a minimum, the following information:

- The steps it has taken to stop including full SSNs on mailed documents.

- The number of documents from which it has successfully removed full SSNs and the approximate mailing volume that corresponds to those documents.

- The remaining steps that it plans to take to remove or replace full SSNs it includes on mailed documents.

- The number of documents and approximate mailing volume that it has yet to address.

- The expected date by which it will stop mailing documents that contain full SSNs to individuals.

Finally, if a state agency cannot remove or replace full SSNs that it includes on documents that it mails to individuals by January 2023, the Legislature should require the agency to provide access to and pay for identity theft monitoring for any individual to whom it mails documents containing SSNs.

Description of Legislative Action

AB 499 (Chapter 155, Statutes of 2020) prohibits a state agency, by January 1, 2023, from sending to an individual any outgoing United States mail that contains the individual's full SSN unless, except in limited circumstances, federal law requires inclusion of the full SSN. This statute also requires each state agency, on or before September 1, 2021, to report to the Legislature when and why it mails documents that contain individuals' full SSNs. Finally, this statute requires a state agency that, by January 1, 2023, is unable to comply with the prohibition to submit an annual corrective action plan to the Legislature until it is in compliance.

AB 56 (Chapter 510, Statutes of 2021) additionally requires a state agency that is unable to comply with the prohibition to submit an annual corrective action plan to the Legislature by December 15 each year until it is in compliance. The statute further specifies that the annual corrective plan shall include the following:

1) The steps the agency has taken to stop including full social security numbers on outgoing United States mail.

2) The number of documents sent as outgoing United States mail from which the agency has successfully removed full social security numbers and the approximate mailing volume corresponding with those documents.

3) The remaining steps that the agency plans to take to remove or replace full social security numbers it includes on documents sent as outgoing United States mail.

4) The number of documents and approximate mailing volume associated with those documents that the agency has yet to address.

5) The expected date by which the agency will stop sending documents that contain full social security numbers as outgoing United States mail to individuals.

AB 12 (Chapter 509, Statutes of 2021) also required a state agency to stop sending any outgoing United States mail containing full SSNs to an individual as soon as feasible, but no later than January 1, 2023.

California State Auditor's Assessment of Annual Follow-Up Status: Legislation Enacted


Description of Legislative Action

AB 499 (Chapter 155, Statutes of 2020) prohibits a state agency, by January 1, 2023, from sending to an individual mail that contains the individual's full SSN unless, except in limited circumstances, federal law requires inclusion of the full SSN. This statute also requires each state agency, on or before September 1, 2021, to report to the Legislature when and why it mails documents that contain individuals' full SSNs. Finally, this statute requires a state agency that, by January 1, 2023, is unable to comply with the prohibition to submit an annual corrective action plan to the Legislature until it is in compliance.

Additionally, AB 12 (Seyarto), AB 56 (Salas), and SB 58 (Wilk) would variously prohibit EDD from sending any outgoing U.S. mail to an individual that contains the individual's social security number (SSN) with specified conditions.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Description of Legislative Action

AB 499 (Mayes) would:

1) Prohibit a state agency from sending any outgoing mail that contains an individual's full social security number unless, under the particular circumstances, federal law requires inclusion of the full social security number.

2) Require each state agency, on or before September 1, 2021, to report to the Legislature when and why it mails documents that contain individuals' full social security numbers.

3) Require a state agency that, in its own estimation, is unable to comply with the prohibition to submit an annual corrective action plan to the Legislature until it is in compliance.

4) Require a state agency that is not in compliance with the prohibition to offer to provide appropriate identity theft prevention and mitigation services to any individual, at no cost to the individual, to whom it sent outgoing United States mail that contained the individual's full social security number.

As of January 2020 this bill is pending in the Senate.

California State Auditor's Assessment of 1-Year Status: Legislation Introduced


Description of Legislative Action

AB 499 (Mayes) would have:

1) Prohibited a state agency from sending any outgoing mail that contains an individual's full social security number unless, under the particular circumstances, federal law requires inclusion of the full social security number.

2) Required each state agency, on or before September 1, 2020, to report to the Legislature when and why it mails documents that contain individuals' full social security numbers.

3) Required a state agency that, in its own estimation, is unable to comply with the prohibition to submit an annual corrective action plan to the Legislature until it is in compliance.

4) Required a state agency that is not in compliance with the prohibition to offer to provide appropriate identity theft prevention and mitigation services to any individual, at no cost to the individual, to whom it sent outgoing United States mail that contained the individual's full social security number.

This bill was not acted upon in the Assembly.

California State Auditor's Assessment of 6-Month Status: Legislation Proposed But Not Enacted


Recommendation #2 To: Employment Development Department

To reduce the risk of identity theft for its claimants before it completes its modernization project, EDD should, by December 2021, implement one or more of our proposed solutions or another viable solution to discontinue its use of full SSNs as unique identifiers on all documents that it mails to claimants. Further, it should prioritize addressing documents with the highest mail volumes, and it should make changes to these documents by March 2020. When providing us with the status of its implementation of this recommendation at 60 days, six months, and one year after the issuance of this report, and annually thereafter, EDD should note which documents it has addressed since the release of our report, how it has addressed them, and the dates by which it expects to address the remaining documents containing full SSNs that it mails to claimants.

Annual Follow-Up Agency Response From June 2023

The EDD confirms that the CSA recommendation to discontinue its use of full SSNs as unique identifiers on all documents that it mails to claimants has been met. Please see artifacts.

California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented

EDD provided documentation indicating that it has discontinued its use of full SSNs on all documents that it mails to claimants. We reviewed a selection of forms, including forms with the highest mail volumes, to verify that EDD discontinued the use of full SSNs. Therefore, we find that this recommendation has been implemented.


Annual Follow-Up Agency Response From October 2022

The Employment Development Department (EDD) has mitigated all the forms identified as part of this effort. Originally, only 10 highest volume parent forms were in scope, but EDD added an additional parent form set to the scope, thus, making it a total of 11 parent form sets. The attached Enclosure_Oct_2022_Final provides details of all the forms included in these form sets. Also attached are the pre and post mitigation versions of the top 5 (by volume) English forms. Please note that due to the high number of forms, we are providing the pre and post migration versions of only 5 sample forms. We can provide additional sample forms, if needed.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented

Although EDD provided evidence that it discontinued the use of full SSNs on 11 high-volume forms, it should discontinue the use of full SSNs on all forms. We look forward to EDD's update on its progress next year.


Annual Follow-Up Agency Response From October 2021

A Social Security Number (SSN) mitigation technology was implemented in June 2020, allowing the EDD to prioritize removing or mitigating the SSN from the eleven highest volume parent form sets that are mailed to an individual. During unprecedented volumes of Unemployment Insurance Claims during the pandemic, the EDD added an additional parent form set to the SSN removal or mitigation list due to its high volume nature. Nine of the eleven highest volume form sets have been mitigated to date.

As of October 2021:

- 20 English forms and 20 Spanish forms have been mitigated across nine parent form sets

- 3 English forms and 3 Remaining Spanish forms across two parent form sets are on track to be mitigated by April 2022

- 5 English forms, 5 Spanish forms and 1 Chinese form do not contain SSN and do not require mitigation

Please see Enclosure 1A for additional details on form mitigation.

California State Auditor's Assessment of Annual Follow-Up Status: Pending

EDD provided us with documentation showing that it discontinued the use of full SSNs on nine of the highest volume forms, including the three highest volume forms. We will continue to follow up with EDD on the status of this recommendation annually.


1-Year Agency Response

The EDD completed the planning phase for all identified forms in December 2019, and completed business requirements in February 2020. A phased approach has been created to design, develop, test, and implement a new SSN methodology on identified Unemployment Insurance (UI) and Disability Insurance (DI) forms. The EDD anticipates completing the new SSN methodology testing in May 2020. The updated forms will be implemented in four distinct groups beginning June 2020, and completed in May 2021. Please see Enclosure 1 for the phased roll-out schedule for each group of forms.

For the next 10 highest-volume forms which would cost an estimated $3.3 million to mitigate, the EDD was unable to secure funding to implement the new SSN methodology. This was due to the fact that EDD is currently addressing a majority of the forms and, that once the Benefit Systems Modernization Project is implemented, it will have the ability to eliminate the use of SSNs as unique identifiers.

The Benefit Systems Modernization Project continues to move forward with an updated schedule indicating that the EDD will have a vendor contract executed in Fiscal Year 2020-21.

California State Auditor's Assessment of 1-Year Status: Pending


6-Month Agency Response

EDD is making good progress on the Claimant Privacy Measure Project to replace SSNs with a modified unique identifier on the top-10 mailed documents with the highest volumes. Project planning and development of the business requirements are underway. EDD began developing business requirements ahead of schedule on 6/1/2019. A new SSN replacement methodology has been developed to alleviate the need to display SSNs on these mailed documents, while enabling EDD to uniquely identify documents. The top-10 mailed documents break into 52 different document versions based on language and other programmatic variables that need to be communicated. Enclosure 1 lists individual document versions that will be addressed in this effort.

EDD also completed the analysis of an additional 302 forms that utilize SSNs to determine the cost/effort to expand the SSN replacement methodology to them; it would cost $20.2 million and take three years to complete. In working towards this goal, EDD is looking to replace SSNs on the next 10 highest-volume forms costing $3.3 million starting on 7/1/2020.

As EDD moves forward in the procurement process for the Benefit Systems Modernization (BSM) Project, we'll continue to evaluate the necessity to keep or replace the SSN with a unique identifier. In working with Labor and Workforce Development Secretary Julie Su, the Labor Agency, and the Department of Technology, EDD's expedited this procurement process with plans to be in contract with a vendor by the end of FY 2019-20.

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

Action 1: EDD is implementing this recommendation. SSNs will be replaced with a modified unique identifier on the top-10 mailed documents with the highest volume that currently display an SSN. EDD prepared/submitted a Budget Change Proposal (BCP), which was approved by Department of Finance and included in the Governor's revised budget released on May 9, 2019. The BCP, titled Claimants' Privacy Measure (Enclosure 1—sent separately), requests $4 million covering FYs 2019/20-2021/22.

Anticipating BCP approval, EDD began this project's initiation phase on May 1, 2019. The timeline for completing the 10 high-volume documents is two years and two months (8/31/21), which extends beyond the March 2020 target date set forth in CSA's recommendation. As we progress through requirements/design, we will seek opportunities to shorten the timelines.

EDD also began analyzing all forms that utilize SSNs to expand the removal of SSNs to additional forms. EDD has identified 302 forms containing SSNs that need to be obfuscated. An initial review of them is complete. The next phase includes finalizing the costs and plan. EDD will provide an update in the six-month status.

Action 2: EDD is developing the Benefits System Modernization Project (BSMP) to replace SSNs with unique identifiers on all documents including the nine high-volume in this Proposed Action. Given this, and that these nine documents are included under Action 1, we were unable to secure additional funding to accomplish Action 2. Therefore, EDD's limited resources have been redirected back to the BSMP.

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #3 To: Employment Development Department

To ensure that it eliminates any unnecessary uses of personal information in its external communications and to ensure that it fully protects its claimants' privacy, EDD should, by May 2019, implement its recently developed plan for reviewing new, revised, and existing documents. EDD should provide documents to us indicating the progress it has made to implement this recommendation at 60 days, six months, and one year following the release of this report. Finally, it should, by December 2021, complete its full review of existing documents and remove any unnecessary instances of personal information.

Annual Follow-Up Agency Response From October 2022

As recommended by the CSA, the EDD completed its full review of Unemployment Insurance (UI) and Disability Insurance (DI) programs' external forms to remove unnecessary personally identifiable information (PII) as of December 31, 2021. Subsequently, the EDD completed its full review of remaining Department forms for PII on June 30, 2022.

As of June 30, 2022, a total of 3,150 forms have been reviewed and the following are the outcomes of the reviews:

- 1,200 - Contained no PII

- 877 - Deemed obsolete

- 84 - Removed all PII

- 989 - Retained some element of PII. These forms went through the Forms Governance Committee (FGC) for review and approval.

The enclosures included in Recommendation Three are as follows:

- Enclosure 1 provides more details related to the above numbers and provides a high-level summary of all forms reviewed for PII by program. It includes a summary of AB 499 (Chapter 155, Statutes of 2020) and highest volume mailed (also known as Claimant's Privacy Measures [CPM]) forms.

- Enclosure 2 provides a detailed list of AB 499 in scope forms mitigated as of June 30, 2022. (UI and DI program forms.)

- Enclosure 3 provides a detailed list of CPM in scope forms mitigated as of June 30, 2022. (UI and DI program forms.)

- Enclosure 4 provides a detailed list of remaining forms reviewed for PII as of June 30, 2022. (Remaining UI and DI forms; and other EDD program and administrative forms.)

California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented

EDD provided documentation showing that it completed its review and noted whether it removed PII. EDD should continue to evaluate and eliminate any unnecessary use of PII to continue implementing our recommendation.


Annual Follow-Up Agency Response From October 2021

In 2019, EDD established a Forms Governance Committee (FGC) which has authority over all EDD forms. In 4/2019, EDD formalized an EDD-wide standardized Forms Governance Policy & Process (FGPP) which limits the display of SSN & other PII. In 5/2019, the FGC outlined the FGPP & a schedule to review all EDD forms & remove unnecessary instances of PII by 12/2021. This effort continues to meet the 12/2021 timeframe. EDD also completed an EDD Forms & Publications Manual, Master Forms List, & calendaring system to track document governance clearance for any new forms created or revised. EDD is committed to review existing forms & remove any unnecessary PII in forms that are mailed to claimants with SSNs. As of 10/1/2021, a total of 2,532 forms have been reviewed: 1,175 contained no PII; 726 deemed obsolete; 64 removed all PII; 567 retained some element of PII & FGC reviewed & approved.

Enclosure 1 details a summary of all forms reviewed for PII by program. Also included is a summary of AB 499 & highest volume mailed forms. Of the 2,532 forms reviewed, 200 were mitigated to remove the full SSN. EDD is committed to comply with AB 499 provisions to remove SSNs from all external forms as soon as feasible, by 1/1/2023. In addition to the 20* highest volume forms mitigated, 20* AB 499 in scope forms were mitigated which are included in the 200 forms. Enclosures: 2 - List of AB 499 in scope Unemployment Insurance [UI] & Disability Insurance [DI] forms mitigated to date; 3 - List of CPM in scope UI & DI forms mitigated to date; 4 - List of remaining forms reviewed for PII to date (non-AB 499 & CPM forms for UI & DI; Tax; Workforce Services; other administrative forms.)

EDD is on track to complete its full review of existing external forms for PII by 12/31/2021.

*Number represents English forms reviewed & mitigated. When an English form is reviewed & mitigated, any other non-English version of the form is also reviewed & mitigated.

California State Auditor's Assessment of Annual Follow-Up Status: Pending


1-Year Agency Response

Program areas continue to assess where unnecessary Personally Identifiable Information (PII) can be eliminated, and the Forms Governance Committee (FGC) continues reviewing revisions of each form containing PII. The FGC has reviewed and approved a total of 58 forms through February 14, 2020. Please see Enclosure 2 detailing the first 23 forms that were discussed in the six-month status report, and Enclosure 3 detailing the status of the next 35 forms.

Of the 35 forms that were reviewed since the six-month status report:

- 4 forms had the SSN removed or replaced with the last four digits.

- 6 forms will have the SSN replaced (3 of these forms are referenced in the response to Recommendation One).

- 5 forms will continue to list PII for proper identification and/or proper program administration.

- 19 forms do not have PII displayed when mailed. The forms require PII when they are returned to EDD for program administration purposes.

- 1 form contained no PII when mailed to customers or returned to EDD.

The Document Governance Group (formerly the Document Governance Unit), which coordinates the FGC's review of EDD's forms containing PII, is close to being fully staffed. To ensure EDD meets its goals, staff are focusing their efforts on the Forms Publications Manual, Master Forms List, and a Master Schedule Calendar. The EDD remains on track to complete its full review of existing documents to remove unnecessary instances of PII by December 2021.

California State Auditor's Assessment of 1-Year Status: Pending


6-Month Agency Response

Programs completed reviews of their forms. They're assessing whether unnecessary PII can be eliminated. Enclosure 2 is a tool compiled by EDD's Document Management Division (DMD) in 5/2019 for the Forms Governance Committee (FGC) and EDD program areas' use to define PII. Also, as of 8/28/19, the FGC approved 23 forms' revisions. Enclosure 3 is the form list with: form number, name, utilizing program, and outcome from the review/revision of PII. Also attached are the reviewed 23 forms.

Our initial results show we were able to remove the full SSN or limit its display to the last four digits on 11 forms. We're proposing to replace the SSN on two additional forms; they're included in the 52 forms referenced in Recommendation 1's status. For the remaining 10 forms, we'll continue to display the SSN, as it was necessary for various business reasons. Moving towards BSM implementation, we'll further evaluate the necessity to keep the SSN or remove it. EDD's DMD is analyzing five additional form revisions, which will be submitted to FGC for review.

As part of the overall plan, EDD established the Document Governance Unit (DGU) in 7/2019 that's responsible for:

- creating/maintaining a publications manual to reinforce forms/publications standards;

- creating/maintaining a master Forms List and Schedule Calendar for forms design/development;

- coordinating clearance of forms containing PII through the FGC.

We anticipate a fully staffed DGU by 1/2020. EDD's on track to complete its full review of existing documents to remove unnecessary instances of PII by 12/2021.

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

The EDD established a Forms Governance Committee on November 9, 2018, which has authority over the creation, revision, and obsolescence of all EDD forms and publications. Further, to ensure that uniform design and content standards are applied to all EDD forms and publications, the Forms Governance Committee issued an Executive Notice 19-01 (Enclosure 2—sent separately) to all EDD employees on April 15, 2019, which announced a standardized Forms Governance Policy and Process. This policy addresses limiting the display of personally identifiable information to prevent unauthorized individuals from inadvertently accessing our customers' identities.

The Forms Governance Committee met with the Document Management Division, EDD Executives, and program staff on May 23, 2019. During this meeting, we discussed the new Forms Governance Policy and Process and creation of a schedule to review all existing forms. The program areas had already been assigned the task of reviewing forms based on usage during a prior meeting convened on January 29, 2019. EDD remains committed to eliminating the use of SSNs in documents mailed to claimants. We thank the CSA for its continued professionalism during this review and will provide the required six-month status by September 27, 2019.

California State Auditor's Assessment of 60-Day Status: Pending


Agency responses received are posted verbatim.