Report 2018-129: Employment Development Department: Its Practice of Mailing Documents Containing Social Security Numbers Puts Californians at Risk of Identity Theft (Release Date: March 2019)
Recommendation #2 To: Employment Development Department
To reduce the risk of identity theft for its claimants before it completes its modernization project, EDD should, by December 2021, implement one or more of our proposed solutions or another viable solution to discontinue its use of full SSNs as unique identifiers on all documents that it mails to claimants. Further, it should prioritize addressing documents with the highest mail volumes, and it should make changes to these documents by March 2020. When providing us with the status of its implementation of this recommendation at 60 days, six months, and one year after the issuance of this report, and annually thereafter, EDD should note which documents it has addressed since the release of our report, how it has addressed them, and the dates by which it expects to address the remaining documents containing full SSNs that it mails to claimants.
Annual Follow-Up Agency Response From June 2023
The EDD confirms that the CSA recommendation to discontinue its use of full SSNs as unique identifiers on all documents that it mails to claimants has been met. Please see artifacts.
- Completion Date: January 2022
California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented
EDD provided documentation indicating that it has discontinued its use of full SSNs on all documents that it mails to claimants. We reviewed a selection of forms, including forms with the highest mail volumes, to verify that EDD discontinued the use of full SSNs. Therefore, we find that this recommendation has been implemented.
Annual Follow-Up Agency Response From October 2022
The Employment Development Department (EDD) has mitigated all the forms identified as part of this effort. Originally, only 10 highest volume parent forms were in scope, but EDD added an additional parent form set to the scope, thus making it a total of 11 parent form sets. The attached Enclosure_Oct_2022_Final provides details of all the forms included in these form sets. Also attached are the pre- and post-mitigation versions of the top 5 (by volume) English forms. Please note that due to the high number of forms, we are providing the pre- and post-migration versions of only 5 sample forms. We can provide additional sample forms, if needed.
- Completion Date: January 2022
California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented
Although EDD provided evidence that it discontinued the use of full SSNs on 11 high-volume forms, it should discontinue the use of full SSNs on all forms. We look forward to EDD's update on its progress next year.
- Auditee did not address all aspects of the recommendation
Annual Follow-Up Agency Response From October 2021
A Social Security Number (SSN) mitigation technology was implemented in June 2020, allowing the EDD to prioritize removing or mitigating the SSN from the eleven highest volume parent form sets that are mailed to an individual. During unprecedented volumes of Unemployment Insurance Claims during the pandemic, the EDD added an additional parent form set to the SSN removal or mitigation list due to its high volume nature. Nine of the eleven highest volume form sets have been mitigated to date.
As of October 2021:
- 20 English forms and 20 Spanish forms have been mitigated across nine parent form sets
- 3 English forms and 3 remaining Spanish forms across two parent form sets are on track to be mitigated by April 2022
- 5 English forms, 5 Spanish forms and 1 Chinese form do not contain SSN and do not require mitigation
Please see Enclosure 1A for additional details on form mitigation.
- Estimated Completion Date: 04/30/2022
California State Auditor's Assessment of Annual Follow-Up Status: Pending
EDD provided us with documentation showing that it discontinued the use of full SSNs on nine of the highest volume forms, including the three highest volume forms. We will continue to follow up with EDD on the status of this recommendation annually.
1-Year Agency Response
The EDD completed the planning phase for all identified forms in December 2019, and completed business requirements in February 2020. A phased approach has been created to design, develop, test, and implement a new SSN methodology on identified Unemployment Insurance (UI) and Disability Insurance (DI) forms. The EDD anticipates completing the new SSN methodology testing in May 2020. The updated forms will be implemented in four distinct groups beginning June 2020, and completed in May 2021. Please see Enclosure 1 for the phased roll-out schedule for each group of forms.
For the next 10 highest-volume forms, which would cost an estimated $3.3 million to mitigate, the EDD was unable to secure funding to implement the new SSN methodology. This was due to the fact that EDD is currently addressing a majority of the forms and that, once the Benefit Systems Modernization Project is implemented, it will have the ability to eliminate the use of SSNs as unique identifiers.
The Benefit Systems Modernization Project continues to move forward with an updated schedule indicating that the EDD will have a vendor contract executed in Fiscal Year 2020-21.
- Estimated Completion Date: FY 2020/2021
- Response Date: March 2020
California State Auditor's Assessment of 1-Year Status: Pending
6-Month Agency Response
EDD is making good progress on the Claimant Privacy Measure Project to replace SSNs with a modified unique identifier on the top-10 mailed documents with the highest volumes. Project planning and development of the business requirements are underway. EDD began developing business requirements ahead of schedule on 6/1/2019. A new SSN replacement methodology has been developed to alleviate the need to display SSNs on these mailed documents, while enabling EDD to uniquely identify documents. The top-10 mailed documents break into 52 different document versions based on language and other programmatic variables that need to be communicated. Enclosure 1 lists individual document versions that will be addressed in this effort.
EDD also completed the analysis of an additional 302 forms that utilize SSNs to determine the cost/effort to expand the SSN replacement methodology to them; it would cost $20.2 million and take three years to complete. In working towards this goal, EDD is looking to replace SSNs on the next 10 highest-volume forms costing $3.3 million starting on 7/1/2020.
As EDD moves forward in the procurement process for the Benefit Systems Modernization (BSM) Project, we'll continue to evaluate the necessity to keep or replace the SSN with a unique identifier. In working with Labor and Workforce Development Secretary Julie Su, the Labor Agency, and the Department of Technology, EDD's expedited this procurement process with plans to be in contract with a vendor by the end of FY 2019-20.
- Estimated Completion Date: Update pending 1-year status
- Response Date: December 2019
California State Auditor's Assessment of 6-Month Status: Pending
60-Day Agency Response
Action 1: EDD is implementing this recommendation. SSNs will be replaced with a modified unique identifier on the top-10 mailed documents with the highest volume that currently display an SSN. EDD prepared/submitted a Budget Change Proposal (BCP), which was approved by Department of Finance and included in the Governor's revised budget released on May 9, 2019. The BCP, titled Claimants' Privacy Measure (Enclosure 1—sent separately), requests $4 million covering FYs 2019/20-2021/22.
Anticipating BCP approval, EDD began this project's initiation phase on May 1, 2019. The timeline for completing the 10 high-volume documents is two years and two months (8/31/21), which extends beyond the March 2020 target date set forth in CSA's recommendation. As we progress through requirements/design, we will seek opportunities to shorten the timelines.
EDD also began analyzing all forms that utilize SSNs to expand the removal of SSNs to additional forms. EDD has identified 302 forms containing SSNs that need to be obfuscated. An initial review of them is complete. The next phase includes finalizing the costs and plan. EDD will provide an update in the six-month status.
Action 2: EDD is developing the Benefits System Modernization Project (BSMP) to replace SSNs with unique identifiers on all documents, including the nine high-volume documents in this Proposed Action. Given this, and that these nine documents are included under Action 1, we were unable to secure additional funding to accomplish Action 2. Therefore, EDD's limited resources have been redirected back to the BSMP.
- Estimated Completion Date: Update pending 6-month status
- Response Date: June 2019
California State Auditor's Assessment of 60-Day Status: Pending
