March 28, 2019
2018-129
The Governor of California
President pro Tempore of the Senate
Speaker of the Assembly
State Capitol
Sacramento, California 95814
Dear Governor and Legislative Leaders:
As requested by the Joint Legislative Audit Committee, the California State Auditor presents this audit report regarding the Employment Development Department’s (EDD) privacy protection practices when mailing documents to its customers. Based on our determination that EDD likely sent more than 17 million pieces of mail containing full Social Security numbers (SSNs) to a total of more than a million people in fiscal year 2017–18, this report concludes that EDD’s practice of including full SSNs on mail continues to put its customers at risk of identity theft.
The recipients of these mailings are individuals who seek or receive benefits from two programs that EDD administers: the State’s Disability Insurance program (Disability) and Unemployment Insurance program (Unemployment). These programs provide wage replacement benefits to eligible workers who are unemployed, disabled, or caring for new children or ill family members (claimants). Some of EDD’s claimants and members of the Legislature have expressed concerns about EDD’s practice of mailing documents to claimants that contain SSNs, yet EDD still sends every Disability and Unemployment claimant documents containing full SSNs.
Although EDD has undertaken efforts since 2015 to reduce the amount of mail it sends to claimants that includes full SSNs, its efforts have been insufficient. Several of the security incidents that we reviewed from 2015 through 2018 showed that EDD exposed nearly 300 claimants to the risk of identity theft when it inappropriately disclosed their personal information, including SSNs, to other mail recipients.
EDD intends to incorporate a unique identifier that will replace its need for printing full SSNs as part of its benefit systems modernization project (modernization project). However, EDD will not complete its modernization project—which includes replacing its aging IT infrastructure—any earlier than September 2024. At the time of our audit, EDD did not have a short-term plan for removing remaining SSNs from the high-volume documents that totaled more than 13 million mailings in fiscal year 2017–18.
We believe that EDD needs to take near-term measures to better protect its claimants, and that it cannot wait to address these identity theft risks for the at least five and a half years it will take to complete its modernization project. To that end, we identify in this report interim solutions that EDD could implement to replace full SSNs on each of the types of documents we reviewed during our audit.
Respectfully submitted,
ELAINE M. HOWLE, CPA
California State Auditor