November 19, 2020
The Governor of California
President pro Tempore of the Senate
Speaker of the Assembly
Sacramento, California 95814
Dear Governor and Legislative Leaders:
In March 2019, my office issued an audit report related to the Employment Development Department’s (EDD) practice of mailing documents that contain individuals’ social security numbers (SSNs) (Employment Development Department: Its Practice of Mailing Documents Containing Social Security Numbers Puts Californians at Risk of Identity Theft, Report 2018-129, March 2019). This letter provides an update on EDD’s efforts to address the concerns we raised in that report. Specifically, EDD has not yet removed SSNs from some of the most commonly mailed documents as we recommended, meaning that EDD has continued to place Californians at risk of identity theft. The recent surge in unemployment insurance (unemployment) claims resulting from the COVID-19 pandemic has further revealed the dangers of EDD’s practices. As millions more Californians filed unemployment benefit claims, the number of pieces of mail that EDD sent with SSNs printed on them increased dramatically. EDD must take swift action to end its potentially harmful practice and better safeguard the identities of the residents it serves. At the request of the Joint Legislative Audit Committee as well as through separate statutory authority, my office is also conducting an emergency audit of EDD’s response to the COVID-19 pandemic, including its backlog of unemployment claims, its call center performance, and the adequacy of its information technology infrastructure. We plan to release the results of that review in early 2021.
EDD mails millions of documents each year as part of administering the unemployment benefit and disability insurance benefit programs, and many of these documents contain claimants’ full SSNs. Californians can apply to receive partial wage replacement benefits through the unemployment and disability insurance programs and, generally, individuals must be unemployed, disabled, or caring for new children or ill family members to receive benefits. In March 2019, we reported that in fiscal year 2017–18, EDD sent nearly 40 million total pieces of mail from its central printing and mass mailing facility (mailing facility) on behalf of the unemployment and disability insurance benefit programs. Of those mailings, 13 million presented a continuing risk to claimants: they were documents that contained claimants’ full SSNs, which put claimants at risk of identity theft, and EDD had no short-term plan to remove the SSNs. Because of that risk, we recommended that EDD discontinue its use of full SSNs on documents it mails to claimants and that EDD prioritize altering some of its most commonly mailed documents by March 2020. Although EDD generally agreed with our recommendations when we issued our report in early 2019, it has not fully implemented them in the time since.
EDD Has Sent at Least 38 Million Pieces of Mail Containing Claimants’ Full Social Security Numbers Since the Start of the COVID-19 Pandemic
EDD’s claims dashboard indicates that it received almost six million online applications for unemployment benefits between early March and mid-October 2020. This represents a historically high number of claims and is directly related to the COVID-19 pandemic. Over this same period—because it had failed to fully implement our recommendations—EDD mailed a large volume of documents containing SSNs associated with these claims. As Figure 1 shows, that volume was at least 38 million mailings—almost three times more than the total we reported in March 2019. Further, the true number of documents mailed with full SSNs is likely even higher than the total shown in Figure 1 because our calculation of 38 million mailings is based on only a selection of ten high-volume forms—the same forms we focused on in our March 2019 report. However, in March 2019 we reported that EDD had several other forms that also contain full SSNs, which it mails to claimants of unemployment or disability insurance benefits.
Figure 1: EDD’s Failure to Fully Implement Our Recommendation Put Millions of Claimants at Risk of Identity Theft
Source: California State Auditor report 2018-129 and analysis of forms and form volumes from EDD’s mailing facility.
* The three highest-volume forms accounted for about 10 million of the 13 million mailings we identified in fiscal year 2017–18, and these forms accounted for nearly 34 million of the 38 million mailings we identified from March 1, 2020 through October 20, 2020.
Although EDD made progress in removing SSNs from some of the forms we reviewed, it has not removed them from the three that it most frequently mails. In March 2019, we recommended that EDD prioritize amending those three forms, which together accounted for nearly 10 million of the 13 million problematic mailings we identified. During our original audit, EDD stated its preferred method of addressing the SSN issue was to complete a systems modernization project that would take more than five years to complete. Because of that delay, we presented EDD with several solutions that were intended to be lower-cost, interim measures that EDD could take to address the SSN issue. At the time of our audit, EDD agreed to immediately implement one of our suggested solutions: replacing full SSNs with a modified unique identifier. However, EDD has updated only two of the 10 forms we reviewed. Neither of those two was among the three forms we recommended it prioritize, and combined they accounted for fewer than 1.3 million—or 10 percent—of the 13 million mailings we identified in our original audit. By contrast, had EDD modified the three highest-volume documents as we recommended, it would have avoided sending full SSNs on nearly 34 million—or close to 90 percent—of the 38 million mailings it sent from March 2020 through mid-October 2020.
When we asked EDD why it modified two other forms in advance of the three more frequently mailed forms that we recommended it adjust first, EDD’s application services division chief explained that EDD replaced SSNs on those two forms as part of a broader set of changes to those forms that it made in response to a state expansion of the paid family leave program (which is part of the disability insurance program) that was set to take effect in July 2020. However, this explanation does not address why EDD did not also change the three most frequently mailed unemployment forms. The division chief indicated that EDD had started work on the unemployment forms but that the disability insurance forms were simpler than the more frequently mailed unemployment forms. However, he acknowledged that EDD had not planned to complete our recommended changes to the more frequently mailed forms until at least May 2021—more than a year after our recommended completion date.
EDD’s failure to change its business practices in a timely manner has unnecessarily put claimants at increased risk of identity theft. Figure 2 displays three key ways in which mailing full SSNs puts claimants at risk of identity theft. Of particular note during the last eight months are reports of individuals receiving mail from EDD that is not addressed to them. Often these reports describe individuals who received stacks of mail from EDD that were addressed to people who did not live at that location. For example, an individual who had recently moved into a new home reported receiving more than 65 pieces of mail from EDD addressed to at least 15 different people. In fact, as we show in Figure 3, we observed a significant amount of mail that was returned to EDD because it was undeliverable, including mail that individuals received erroneously and returned to EDD (returned mail). Such mailings may be linked to attempts to fraudulently collect unemployment benefits.
Figure 2: EDD’s Mailing Practices Expose Individuals’ SSNs in Multiple Ways
Source: California State Auditor report 2018-129; information from EDD’s website and security incident reports; and reports from individuals, law enforcement, and news organizations.
With respect to this follow-up audit, EDD’s practice of including full SSNs on certain mailed documents has resulted in many individuals’ SSNs being delivered to strangers who may choose to exploit the inappropriate mailings. We inspected a small amount of the returned mail shown in Figure 3 and found multiple examples of mailings containing full SSNs. In one case, an individual had written on the envelope, “this person does not live at this address”—and the envelope contained two of the three highest-volume forms we recommended EDD change, both of which displayed an individual’s full SSN.
Figure 3: We Observed Significant Volumes of Mail That Had Been Returned to EDD, Some of Which Contained SSNs
Source: California State Auditor photos taken October 29, 2020.
EDD’s Long-Term Solution for Replacing SSNs on Its Mailed Documents Is No Longer Viable
In our March 2019 report, we noted that our recommended solutions for EDD to replace SSNs on its documents were interim solutions—largely because EDD shared that its longer-term solution for updating its documents was an information technology (IT) project called Benefit Systems Modernization (BSM). At the time of our audit, EDD indicated that BSM would result in the full replacement of the department’s aging IT infrastructure. EDD asserted that doing so would allow it to remove SSNs from the remaining mailed documents by instead using a different unique identifier for claimants. EDD’s planning documents and vendor responses to a December 2017 Request for Information indicated that EDD would not complete the BSM project until at least September 2024. However, a team the Governor created recently to set a path for reforms at EDD (strike team) recommended that the department re-start BSM with a new approach and, according to EDD’s application services division chief, EDD has put BSM on hold.
With the BSM project on hold, significant questions remain about EDD’s ability to meet a new deadline in state law related to the use of SSNs on mailed documents. In response to one of our recommendations in our previous report, California recently adopted new requirements that, by January 2023, prohibit state agencies—including EDD—from sending to an individual mail that contains the individual’s full SSN, except in limited circumstances. State agencies that are unable to comply with these requirements at that time will be required to submit annual corrective action plans to the Legislature until they are in compliance. Although EDD plans to discontinue its use of SSNs on the three highest-volume forms between March 2021 and August 2021 and on the rest of the 10 high-volume forms we identified by April 2022, it still mails many other documents to claimants that contain full SSNs. When we asked EDD about its plan to meet the January 2023 deadline, the application services division chief stated that EDD’s goal is to meet the statutory deadline, but he acknowledged that EDD is still developing its plan to do so and that the effort will likely involve at least 200 of its forms. To meet the deadline, EDD will need to use our suggested solutions or another approach to change its forms at a rate much faster than it has in the year and a half since we issued our original report. Doing so will be imperative, not just for meeting statutory requirements, but to protect the identities of the people it serves.
We met with EDD to share the results of our review and obtain its perspective. EDD provided the following response:
EDD is committed to protecting the confidentiality of our claimants’ information and protecting them and our programs from fraud. One of EDD’s priorities is to replace claimants’ SSNs from the top three high-volume unemployment forms with another unique identifier. We acknowledge and appreciate the urgency of the Auditor’s timeline, and although we are admittedly behind schedule, we continue to diligently work to protect the identities of those we serve.
Scope and Methodology
The objectives of this audit were to determine EDD’s progress in addressing selected recommendations we made in our March 2019 report on mailing SSNs and to determine the extent to which EDD has sent pieces of mail with SSNs since the start of the COVID-19 pandemic. In conducting this audit, we interviewed staff at EDD, reviewed public documents related to EDD’s efforts to serve its claimants, and collected documentation from EDD pertaining to its mailing process. To determine the number of documents EDD mailed that contain individuals’ SSNs, we reviewed copies of the same forms we analyzed in our March 2019 audit and obtained data on volumes from the metered mail system EDD uses at its mailing facility, which we found to be sufficiently reliable for our purposes.
We conducted this audit under the authority vested in the California State Auditor by Government Code section 8543 et seq. and according to generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives specified in the Scope and Methodology section of the report. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
ELAINE M. HOWLE, CPA
California State Auditor